Qualys Patch Management Reviews

We use Qualys Patch Management to mitigate and remediate all critical vulnerabilities present within our infrastructure.

We implemented Patch Management to address critical vulnerabilities in our infrastructure. This proactive measure mitigates the risk of compromise that could arise from unpatched vulnerabilities.

Patch Management has tremendously increased our security posture. Previously, we used to manage patching manually and remotely, which did not provide accurate data. With Qualys, all the details are readily available on the dashboard, aiding us in submitting details to management. It has significantly helped in providing management with up-to-date data, leading to improved satisfaction. We saw the benefits of implementing Qualys Patch Management within the first quarter.

Qualys Patch Management gives us a single source of truth for assets and vulnerabilities that must be assessed, prioritized, and remediated. This has drastically affected our operations because the features present on Qualys are amazing, and it's user-friendly compared to other tools.

We've observed an improvement in our patch rates by up to 50 percent. Utilizing the Patch Management tool allows us to download comprehensive compliance reports detailing the number of patches applied to each server, which is significantly beneficial.

Qualys Patch Management's risk reduction recommendation report offers comprehensive and customizable details, including in-depth vulnerability information with plugin output not found in other tools. This makes Qualys a superior solution for managing and understanding security risks. Qualys Patch Management's risk reduction recommendation report provides a helpful scoring system, the QDS, which can be mapped to our asset classification system, allowing us to prioritize and address vulnerabilities according to their risk level.

The risk reduction recommendation report has identified vulnerabilities that, if addressed, would yield the most significant risk reduction. Prioritizing these vulnerabilities based on their severity allows us to focus on the most critical risks to our organization and take appropriate remediation action.

We have created widgets with the assistance of the Qualys support team to add them to our existing vulnerability management solution, which has been instrumental in helping us track vulnerabilities related to our infrastructure.

Qualys Patch Management has significantly reduced our organizational risk by up to 70 percent by identifying vulnerabilities in our infrastructure and prioritizing remediation efforts. This has allowed us to reduce vulnerabilities and strengthen our overall security posture effectively.

Qualys Patch Management offers valuable features like scheduling and on-demand patching, allowing us to conveniently push patches to our servers at designated times.

The GUI has areas that need improvement, particularly in the accuracy of results when adding dashboards and running queries.

I have been using Qualys Patch Management for the last two years.

The stability of Qualys Patch Management is impeccable. I would rate it ten out of ten.

Qualys consistently upgrades itself with major changes and new technologies. They introduce new modules as needed, making Patch Management highly scalable.

Qualys support is exceptional. Whenever we need custom reports, we log a ticket with Qualys.

Positive

We transitioned from Nessus Security Center to Qualys due to challenges with Nessus's automatic patch deployments, which resulted in unplanned downtime on critical systems. A proof of concept and vendor support confirmed Qualys as a more suitable solution for our needs.

The initial setup was straightforward. Before deciding to implement it, we conducted a month-long POC to ensure all requirements were met. The deployment took over 25 days.

I would rate Qualys Patch Management ten out of ten. 

We are conducting testing in a UAT environment. Our risk mitigation approach involves deploying a patch only after thorough testing in the UAT environment confirms the absence of issues.

We use an internal ticketing system called TUSOM. While previous discussions with our Qualys TAM indicated that integration with TUSOM was not possible, we have recently re-engaged with them, and they are now working on a solution to enable integration.

Approximately 13 individuals have administrative access to Qualys Patch Management, while the remainder have read-only access for viewing reports.

Maintenance is required before we can implement the policy. As a result, we are conducting preliminary testing in the UAT environment. Additionally, Qualys will notify us of any planned maintenance.

I recommend starting with a proof of concept to ensure Qualys Patch Management meets your requirements. In my experience, it is highly user-friendly and has excellent support, making it superior to other products.

On-premises

I have experience using Qualys because I'm a pre-sales engineer in one of the systems integrator companies here in the Philippines. I am also handling and selling Qualys, doing presentations to our clients.

I have already tried using Qualys Patch Management and VMDR together. Qualys Patch Management is under Qualys VMDR, which first performs asset management by gathering and enrolling the assets needing protection or scanning in the IT infrastructure. Once those devices or endpoints are enrolled in Qualys VMDR, they become visible in Qualys Patch Management tab, allowing you to define and see which assets need patching and the patches that need to be deployed.

Qualys Patch Management is a vulnerability management solution that is competitive to other solutions in vulnerability management because it has Patch Management built in. It doesn't need a third party to do the patching itself. What I like most about Qualys Patch Management is that Qualys provides a dashboard showing the patches at a glance, the devices needing to be patched, and the jobs for creating and deploying patches. You can deploy a patch to one device or to multiple devices simultaneously. Additionally, Qualys Patch Management has a rollback plan and provides error codes if the patches do not push through, helping the end user or client understand why the patch failed and what their next steps should be.

TrueRisk Automation is the scoring system uniquely used by Qualys for devices with vulnerabilities. TrueRisk gathers data from asset tagging, allowing you to tag your assets from one to five levels of criticality. For example, tagging a device as level five indicates it is critical due to its role as a database or server. TrueRisk also considers the detection score of vulnerabilities and the impact they pose. With this information, it creates the TrueRisk scoring system visible in Qualys GAV or Qualys CSAM, helping prioritize devices based on risk.

Qualys Patch Management combined with Qualys VMDR integrates solutions into one system, offering a single source of truth for assets and vulnerabilities needing assessment and remediation. You can easily deploy patches to enrolled devices without relying on a third-party solution like SCCM or Microsoft Intune.

Qualys should improve by offering a dedicated testing environment for patches, allowing clients to test patches before deploying them to production. Currently, clients must manage this themselves, creating challenges and difficulties when deploying patches, as a testing environment would simplify the process.

I last used it this year in July.

It's normal for applications including Qualys Patch Management to experience some errors and lagging. These issues are not frequent but do happen occasionally, requiring users to refresh their browsers to verify deployment status.

Qualys Patch Management is very scalable. You can enroll more devices as your license permits. For instance, if you start with 128 devices and later expand to 500, it remains scalable as long as you have the necessary subscriptions.

I have contacted technical support regarding Qualys Patch Management. There are challenges due to language barriers with some agents, but they provide effective support via email. Communicating technical issues can be difficult over the phone, but they respond proactively to email inquiries.

The difficulty mainly arises when deploying patches, which can significantly affect IT operations. However, Qualys offers support to assist with these issues.

Positive

I have less experience with Tenable, which doesn't provide Qualys Patch Management but offers an unlimited scan option. Although they have comparable vulnerability checks and recommendations, Tenable lacks a Qualys Patch Management feature.

The initial deployment of Qualys Patch Management is very easy. Users should understand how to manage bundle or multiple deployments on specific devices. Qualys has options that allow you to select patches for many endpoints simultaneously, streamlining the deployment process.

The pricing of Qualys is promising, but I don't have the specifics. Based on my experience, both Qualys and Tenable have similar price points, but clients choose based on whether they need a comprehensive Qualys Patch Management solution or an alternative.

The risk-based approach is essential. When you enroll devices, Qualys automatically identifies vulnerabilities, focusing on reducing risks to your company, not just patching browsers or applications but also addressing outdated software and misconfigurations. Collecting this data allows for automated and prioritized patching based on risk.

I have used Qualys Patch Management for just one year, but I have handled many clients during that specific time period. We always do proof of concept and demonstrations to our clients, so I believe I can deliver more details regarding Qualys Patch Management.

I have used the Risk Reduction Recommendation Report. There are several types of reports in Qualys, including technical reports and managerial or CEO reports. Qualys offers comprehensive reports detailing vulnerabilities, recommendations, next action plans, and risk reductions, along with insights into potential MITRE attacks. This information allows clients to fortify their systems and reduce attack risks.

I haven't integrated Qualys Patch Management with any CMDB or ITSM tools for ticket management yet, but I believe Qualys Patch Management cannot be integrated with CMDB. However, Qualys CSAM can easily integrate with CMDB without needing an API. It focuses on cybersecurity risks, adding devices to Qualys Patch Management directly from CMDB as long as they have the Qualys agent installed.

It's a best practice to implement Qualys Patch Management alongside vulnerability management as part of the remediation process in Qualys. If clients lack a Qualys Patch Management subscription, the reports can still provide details on vulnerabilities and recommendations. However, we encourage them to add Qualys Patch Management subscription to ease the patching process for their devices.

Maintenance can be challenging, especially if there are bugs or errors in Qualys Patch Management. The difficulty mainly arises when deploying patches, which can significantly affect IT operations. However, Qualys offers support to assist with these issues.

I have resigned from my previous company, but I have the knowledge, skills, and fundamentals in using Qualys. I would rate this product overall as an 8.

I use Qualys Patch Management to patch vulnerable applications such as Mozilla Firefox and Java. Additionally, I use features like registry updates and scripting options available in the Patch Management deployment module. Our usage is about 70%.

Qualys Patch Management is beneficial for addressing critical vulnerability alerts quickly, providing significant improvements in mitigating risk within our organization. It is very helpful to push patches for critical vulnerability alerts in that one shot to remediate vulnerabilities.

It is very helpful in reducing risk in our organization. This is the only tool we are using to patch applications in our environment.

The availability of patches for required applications from Qualys itself is convenient, making it easy for me to push patches. 

We can update the registry with special features such as Registry Update. We can also run scripts via the Patch Management module. These features are very helpful in our operations. 

I struggled to see patch availability for some applications in the Qualys console, requiring me to use third-party repositories. If repositories could be integrated within the Qualys module, it would simplify the patching process for me. 

Additionally, there are glitches in the VMDR vulnerability section while querying for particular vulnerabilities. There are unwanted commands in the KQL which sometimes hinder my results. For example, we sometimes could get CVE IDs while running a query, but at other times, we could not.

I have been working with Qualys Patch Management for around nine months.

As of now, I have not encountered any performance issues or stability issues.

I have not faced any limitations or scalability issues.

We have more than 25K assets. We have three people to do the administrative things.

The support team is responsive and provides detailed information. They share the required documents when we need them. They are very helpful in resolving issues. I would rate them a nine out of ten.

Positive

We previously used Microsoft SCCM for patch management. We switched to Qualys because it centralizes vulnerability detection and patch availability, reducing our workload. We can find the vulnerabilities and see patch availability for those vulnerabilities. It saves time.

With Microsoft SCCM, we could push patches for the applications we wanted to, but with Qualys Patch Management, we could not push some third-party applications. That is the one main difference. Another thing is that whenever we ran the script, we could not see the results or outcome after running the script with Qualys Patch Management, whereas in SCCM, we could see the output of the script. These are the two main differences between Microsoft SCCM and Qualys Patch Management.

It is a SaaS solution. I was not involved in its initial setup, but we are in the process of deploying agents in our entire organization. 

It does not require maintenance from our side. If anything is required, we raise a ticket. So far, we have faced only one issue. Usually, a Qualys agent having a newer version is automatically upgraded, but in our environment, on some machines, we are not able to see the latest version. We are working with the Qualys team to resolve it.

I did not evaluate any other options before choosing Qualys.

It is a very good tool to reduce the vulnerabilities in our organization. Our current usage is about 70%, but we have started utilizing more features. We are planning to increase its license in our environment when there is an increase in the assets.

I would recommend it to others. It is a very good solution for finding vulnerabilities and patching them.

I would rate Qualys Patch Management an eight out of ten.

Public Cloud

Other

We previously used native patch management tools like SCCM servers for Microsoft, Linux, and Mac OS. However, with the shift to remote work in 2020, we encountered issues pushing patches through these on-premise servers. To address this, we adopted Qualys Patch Management, leveraging their cloud agents that are already in place. This simplified patch deployment, allowing us to push patches directly from the Qualys cloud platform, eliminating the need for on-premise servers and VPN connections, which often caused bandwidth congestion and patch deployment failures. 

Qualys Patch Management only requires an internet connection, significantly improving our patching efficiency and overcoming previous challenges with large patch sizes and network limitations.

Qualys Patch Management employs a risk-based approach to automation, utilizing the TruRisk feature within the Qualys VMDR module. TruRisk assesses the security posture of infrastructure by considering asset criticality and assigning a Qualys detection score to each vulnerability. This combination generates a TruRisk score for each asset, enabling the identification of critical assets such as crown jewels or public-facing systems. By categorizing assets based on criticality, users can prioritize vulnerability remediation directly from the VMDR interface. This prioritization seamlessly integrates with Qualys Patch Management, allowing for efficient patch deployment by clicking the Patch Now option in VMDR.

Qualys Patch Management and VMDR are seamlessly integrated, enabling direct communication between them. Patch Management obtains necessary vulnerability and missing patch data directly from the VMDR interface. Both modules rely on the Qualys Cloud Agent to gather complete vulnerability information from VMDR. This integration allows for direct patch deployment through either VMDR or Patch Management.

The COVID-19 pandemic significantly increased cyberattacks on organizations due to the shift to remote work and the resulting expansion of vulnerable attack surfaces. Employees connecting to company networks from home created security gaps that cybercriminals exploited, particularly with ransomware. To mitigate this, organizations adopted proactive measures like using Qualys Patch Management to quickly deploy patches and updates, addressing vulnerabilities, and protecting against attacks without relying on scheduled downtime.

We use the TruRisk scoring mechanism, which ranges from zero to 1,000, to assess and prioritize vulnerabilities. This score is based on Qualys-defined ranges for severity levels, critical, high, medium, low, and our asset criticality scoring. We categorize assets by creating tags for groups belonging to different organizational entities and assign criticality scores to those tags. By combining the asset criticality score with the Qualys detection score provided on a QID basis for each vulnerability, we calculate the TruRisk score. This allows us to identify the number of assets with critical or high-severity vulnerabilities and prioritize remediation efforts.

We have used Qualys Patch Management for four years, but our organization has used Qualys for over 12 years. In that time, I've also used other leading scanning vendors like Tenable and Rapid7. Compared to those, Qualys more accurately detects vulnerabilities due to its cloud agent. This agent, installed on the end asset, reads complete metadata, including the registry and other areas, to identify vulnerable software versions. For example, if an application vulnerability is identified, we can check the asset's installed programs. Even if the software isn't found there, Qualys provides the path where the vulnerable version is detected, often revealing remnant files. These files, left behind even after uninstallation, can be exploited by attackers. Qualys detects these remnants, ensuring accurate vulnerability identification, even if the software appears to be absent from the endpoint.

Although Qualys may be more expensive than other vulnerability scanning tools, its accuracy and effectiveness justify the cost. While alternatives like Tenable Professional offer unlimited IP scanning at a lower price, Qualys provides superior vulnerability detection. This leads to a good return on investment by minimizing security breaches and associated costs, such as reputational damage and compromised client data. Ultimately, Qualys increases stakeholder confidence by providing a high level of protection against cyberattacks.

We previously used a native patch management solution, which resulted in consistently low patch compliance. Achieving even 80 percent compliance often took an entire month, by which time Microsoft would release new security patches. Despite the challenge of maintaining high patch compliance across our extensive infrastructure, with Qualys Patch Management, we now achieve 75 to 80 percent compliance within the first week and 90 to 95 percent within two weeks of patch release. Consequently, our monthly patch compliance consistently exceeds 95 percent.

We augmented our existing vulnerability management solution by adding Qualys Patch Management. Before 2020, we relied solely on Qualys VMDR and other modules. Subsequently, we transitioned to Qualys Patch Management for most patching tasks, although we still utilize Microsoft Intune and SCCM for Microsoft OS assets. Qualys Patch Management leverages vulnerability feeds from the VMDR module, allowing us to identify vulnerabilities missing Qualys patches. Using Qualys Query Language queries within the Qualys interface, we can pinpoint assets with missing patches by searching for Qualys missing patches. This capability enables us to prioritize vulnerability remediation through Patch Management, supplementing our broader vulnerability management strategy.

Installing patches on end assets requires a reboot to take effect, and without it, vulnerabilities remain. Qualys Patch Management offers a valuable feature that allows for deferred reboots, giving users control while still ensuring eventual patching. This feature provides flexibility and reduces disruption. Additionally, a forced reboot option can be implemented via script to ensure all assets are regularly updated, eliminating the need for user intervention. The interface provides a clear view of patch job statuses, including failures and their reasons. It also displays missing patches by QID, allowing for easy identification and one-click patching. This streamlines the patching process and improves overall efficiency.

Currently, there are limitations in downloading patch jobs to view all associated assets and patch statuses. This issue has been raised with Qualys, who may be working on a feature request to address it. While generally satisfied with the Qualys Patch Management interface, another challenge is that some third-party applications, like Oracle, require a license for redirection to their website and subsequent patch access. This authentication requirement blocks some patches from being pushed through Qualys, leaving them in a locked state. This issue, however, only affects a few applications, as most do not require a license for patch access.

I have used Qualys Patch Management since 2020.

I would rate the stability of Qualys Patch Management nine point five out of ten, with minimal latency or other issues. Any observed latencies typically stem from our internal network rather than the cloud platform.

I would rate the scalability of Qualys Patch Management ten out of ten.

The support is robust and available around the clock. We have been provided with clear escalation points of contact, ensuring timely responses and resolution for any issues.

Positive

Before 2020, Microsoft SCCM and Intune were our primary tools for patching Microsoft assets. However, to improve compliance rates and manage third-party application patches more effectively, we transitioned to Qualys Patch Management.

We easily deployed Qualys Patch Management. Previously, security concerns discouraged cloud-based data storage. However, with robust cloud security controls in place, we confidently utilize this cloud-based module.

Implementation involved our internal IT team, who manage the operations of pushing patches.

The return on investment from Qualys Patch Management is significant because a security breach can severely damage an organization's reputation and lead to loss of business. Therefore, we are completely satisfied with the ROI from our investment in the Qualys Patch Management module.

Pricing for Qualys Patch Management is moderate.

Other solutions evaluated include Tenable and Rapid7, but Qualys Patch Management stood out for its accuracy and detection capabilities.

I would rate Qualys Patch Management eight out of ten.

We investigated integrating Qualys Patch Management with our current configuration management database but found that integration is not supported due to a lack of API access. However, we plan to migrate to ServiceNow soon, allowing us to integrate our CMDB or asset management system with Qualys. This integration will improve visibility by enabling us to identify asset owners and remediate vulnerabilities quickly. We expect to complete this migration within the next few months.

Our clients utilize various off-site data centers with distinct networks, including DMZs and intranets, resulting in multiple operational areas. We possess many assets within these networks, exceeding 300,000, and we rely entirely on Qualys Patch Management for their maintenance. We have around 70 team members that utilize the solution.

Patch Management is entirely maintained by Qualys.

I would definitely recommend Qualys Patch Management. Detecting vulnerabilities alone isn't enough; a robust patch management tool is essential for securing an organization.

Public Cloud

Other

I use Qualys Patch Management as a single platform for patch management. We have Microsoft, Adobe, and various other apps. I create a scheduled task to push all the required patches to the laptops so that they have the latest version of these apps.

We also do compliance checks to ensure that, for example, we have the golden image on our servers and laptops. We use it for scanning to ensure that configurations are correct and based on the CIS guidelines.

All our servers and laptops have the Qualys agent, and we can then push the patches to those devices.

Patch Management offers a patch-based approach to vulnerabilities. It helps us prioritize and schedule critical or high-severity patches to address issues.

Patch Management gives us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

I use Patch Management with Qualys VMDR. After the patches are deployed, I check Qualys VMDR to verify if the issues have been addressed.

The Risk Reduction Recommendation Report is fine. It has some general information. It can give insights to people who are not familiar with the findings. I can generate a report and share it with different IT groups to help them understand the issue and the suggested solution. It can help address 70% to 80% of the issues. The rest of them might require further discussion to come up with a solution.

Patch management significantly helped us track and reduce vulnerabilities. For example, before adopting Qualys Patch Management, we found 10,000 or more vulnerabilities. We have now addressed those, limiting existing vulnerabilities to around hundreds. There is a great improvement.

Patch Management supports various software lists when compared to Microsoft Intune. It is especially beneficial for non-Microsoft applications. I can create a schedule, and various patches can be automatically deployed. There is no need to create a PowerShell script. It helps reduce the manual workload for patch deployment. 

I deploy patches to endpoints and servers every month. However, despite a job showing as successful, I need to examine the job in detail. For instance, if I have deployed patches to 100 endpoints, even though the job status says that it is successful, I still have to go deep into endpoints one by one to identify if there are some failures. It would be better if Qualys Patch Management identifies whether the process has failed at the first instance and provides a retry button or retry mechanism, allowing retries for failed patches. This feature would reduce my manual workload. 

For reporting issues, we can check if the findings are addressed in the VMDR, but to verify if the latest patches have been applied on the endpoints or servers, we have to examine scheduled jobs one by one. 

It would help if error messages were clearer about causes, like endpoints being offline. This improvement would streamline troubleshooting, helping users ensure their PCs are on when deploying patches. Fail status alerts providing specific fail details would facilitate easier checks.

I have been using Qualys Patch Management for at least two years.

It is highly stable. I would rate it an eight out of ten for stability.

We are utilizing it fully. It serves our needs.

We get the first response to a question within two days, but when we have follow-up questions, they take longer, and the case may get dragged a little bit. It is not fit for us sometimes.

Neutral

Intune is a comparison point, but previously, we had Ivanti Patch Management. Qualys Patch Management is much better, considering the number of issues we could address with it.

The initial setup was quite a normal process. We needed to install the appliance and establish firewall rules to allow traffic with different software. For the endpoint part, Qualys agents were installed on the machines. We had no serious challenges deploying to most endpoints or configuring the firewall.

I am currently conducting a patch management review and evaluating new features or products, and Qualys Patch Management still meets our requirements.

I would rate Qualys Patch Management an eight out of ten. 

I have used this management system to remediate vulnerabilities.

There are a few vulnerabilities we can remediate very quickly. It reduces the time delay. If there are configuration-level changes, we can create and push scripts. 

It helps us increase visibility for faster remediation. 

Syncing between the MBR and patches is the feature. Another valuable feature is pushing configuration-level changes for a script, which leads to a single solution for all the changes. 

From a risk perspective, prioritization helps us more by allowing us to see the visibility of assets with more critical vulnerabilities. We can then push the patches immediately to remediate or reduce risk as soon as possible. That is the major advantage I have.

The integrations with VMware include configurations to mitigate vulnerabilities. It helps us identify permissions and whatever is applicable for the vulnerability for faster patching. 

It helps us remediate vulnerabilities without involving our security team. This helps further relieve time delays. We've saved around 50% of time with patching with Qualys.

The solution provides a single source of truth. We have everything all in one place, saving 40% of our time when compared to the older approach. We don't have to look at different platforms or move back and forth between tools between patching and validation. 

It has effective risk reduction recommendation reports. It streamlines remediation and gives us more data on the vulnerabilities. It helps us to identify the risk factors and levels of risk for increased prioritization.

Our patch rates have increased significantly. 

We've been able to reduce organizational risk by 50%.

The patch status and patch completion information should be improved. If a patch fails due to some reason, such as a Windows error, the error code that gets published should be more detailed. This would make it easier for us to identify where the issue lies, whether at the network level, machine level, or elsewhere. 

I have been using the solution for the past three years.

The stability is rated ten out of ten.

The scalability is rated ten out of ten.

I would rate technical support as nine out of ten.

Positive

I used different solutions like KACE, among others. We switched so we could use a single tool to make the process as simple as possible.

We use a hybrid cloud approach.

The setup was just about enabling a module for it. Since the system is already deployed, we only had to enable the module.

We use it across multiple locations.

There is no maintenance required once deployed.

As I said previously, it has reduced the risk by fifty percent compared to the previous solution. Everything is in SaaS.

As a single tool, it is a better choice. I would recommend the solution to other users. 

I would rate the overall solution as nine out of ten.

Hybrid Cloud

We do it for our OS patching across multiple clouds. If we don't put GE Vernova on there, then I can say we use it for AWS and Azure, plus on-prem. It's used across OS platforms too, so Windows and Linux-based. Our OS team uses it monthly to patch, and then we also supplement third-party software, such as Chrome, Edge, Notepad++, Wireshark, and all that software that people will install and forget to uninstall and forget that they have to patch it. We do that almost weekly as well.

My favorite feature is reoccurring jobs. We had some requirements where we needed some options added to do reoccurring jobs, and they were able to add that in. Now we mostly use reoccurring jobs, and we don't have to touch them. The hardest part now is just getting change controls through our change management team instead of actually creating the jobs.

It has simplified so much from a cost overhead and perspective.

For Qualys Patch Management, I actually talked with their product manager last week during their conference. Unified QQL needs improvement because while they have QQL in Qualys Patch Management, it doesn't pull in the same tokens as VMDR or CCM, so I can't search by similar things. Also, grouping or foldering for Qualys Patch Management jobs would be beneficial because if different groups own different jobs, it all gets dumped into what is essentially a flat file. You're just scrolling through it. You can search, but if we were able to do foldering, that would be great. The third piece would be having an approved catalog. For example, instead of my IT teams doing the patching, I wanted to enable our internal customers, our app teams, to run the jobs themselves but only on patches that we say are good - a curated catalog that the company patch admin approved.

Their frontline support could be improved. I'm really close with Qualys and spoke at the conference last week. They already know all this. They know that their support could be better. They just need to get more knowledgeable and not necessarily seem to have to pass the buck to engineering or VulnSig or the product teams.

We've been using it since April of last year, so April of '24, which is approximately 18 months.

There are times where Qualys sometimes delays or doesn't have the catalog updated. For example, Red Hat comes out with an update and a week later, it wasn't in the Qualys catalog, which causes us to scramble.

On our pod, we don't experience issues. One of my colleagues on a different pod has issues there. I'm on their biggest pod that brings in the most revenue, so they're very cautious with what they do on that.

Their frontline support could be improved. I'm really close with Qualys and spoke at the conference last week. They already know all this. They know that their support could be better. They just need to get more knowledgeable and not necessarily seem to have to pass the buck to engineering or VulnSig or the product teams.

Neutral

We used WSUS and custom scripts for Linux before. On-prem, we used SSM for AWS and Patch Management for Azure. It was complicated because there were so many different moving parts. That's where Qualys Patch Management comes in and is able to work across all platforms. It's easy because you don't have to manage all kinds of different things for every cloud. Your agent's already on the box because we have a rule that every server has to have an agent on it.

The setup was actually easy. We already had VMDR deployed and agents everywhere, so it was a couple clicks to enable it.

The implementation took approximately a month, though some of that was due to our delay. We had one to two people involved, and part of the timeline was due to our internal processes, not Qualys Patch Management.

You can always drive pricing down, but I think it's reasonable. For what we get out of it, I think it's a reasonable investment.

I think that's where we have to go as an industry because you can't address everything all the time. Adding the risk on top, if it's an external asset compared to something internal inside your vault, the risk is much greater for exfiltration of data. The risk-based approach absolutely is the right way to go about it.

I rate Qualys Patch Management a nine out of ten.

Hybrid Cloud

Other

We are in the education industry, and we perform weekly scans. On weekends, we scan our entire management, servers, and expectations. Then on Monday, I set up some weekly reports. From these, I'll have my vulnerabilities and Patch management reports showing which third-party applications I installed on users' workstations. I tested these on a Monday or Tuesday with Patch Management. If all goes well, by Wednesday or Thursday, I'm patching the rest of the environment. In terms of workstations, I scan and patch them weekly, but for servers, I wait for the Microsoft patching cycle. Only then do we patch the servers, allowing for a restart for each update. After the Microsoft updates, we can restart our servers.

The auto patch is useful. On zero-day vulnerabilities or patches, we can automatically apply those without user interference. We can drastically decrease vulnerabilities, especially third-party ones, such as a Java update that usually takes time to test on different machines. With Patch Management, machines can be grouped into test workstations, and a fix can be deployed and monitored for a day or two. If nothing goes wrong, it is deployed to all users. In Koketso Towers, you will notice about one thousand or five thousand mortgages decrease. This has helped us keep up with vulnerabilities, especially on workstations. Test management is a module added to the vulnerability management scanner, which also has the auto-fix feature. We don't usually use this on servers but on workstations. For instance, if there's a vulnerability that is not a zero-day, but something else, we can test and deploy it almost immediately from the workstation.

I do not have any major problems. I think it's working great. My recommendation would be not just for Patch Management but for Qualys itself. I am using Qualys through a third party or reseller. The issue is that when buying Qualys licenses, from my side, I'm buying for about seven thousand five hundred users or machines. I also need to buy licenses for another seven thousand five hundred for patch management. We dislike having to pay extra. We don't mind paying for additional modules like Certificate View. The test management part requires buying licenses. We are trying to negotiate with our reseller. If they can't provide us, we'll go straight to Qualys and see if they can assist.

I have been using Patch Management for about six months now.

The solution is very stable. I have encountered no problems so far.

We don't interact much since our service is managed. We only contact Qualys if there are serious issues. Last year, we communicated with Qualys two times when our service provider couldn't assist us in resolving one vulnerability.

Positive

We started before moving to VMDR. We used a previous version called Qualys VM, and now it's Qualys VMDR. With Qualys VM, we had access to the console.

The setup was straightforward. We began by installing the scanner, scanning the entire environment, and then categorizing items as servers, workstations, etc., applying tags accordingly. It took us about two weeks to have it fully operational with both daily and monthly reports set up. The deployment is easy through SCCM from Microsoft, as we deploy based on our AD groups.

I would give it a ten out of ten. It is an excellent module to have within the environment, as most environments have Windows Patch cycles, but not for third-party applications. Patch Management not only addresses third-party applications but can also patch vulnerabilities. It allows seamless deployment from the console if a patch for a vulnerability is available. I would rate the overall solution a 10 out of 10.

Hybrid Cloud

Other