Rafael Araujo - PeerSpot reviewer
Infrastructure and Information Security Supervisor at YKK MALAYSIA SDN BHD
Real User
Top 10
One part of the tool detects the vulnerabilities and the other part fixes them
Pros and Cons
  • "Policy enforcement requires less time for my team because users cannot avoid applying updates. The user can skip two or three times or for a maximum of eight hours. After that, there is no way to avoid it. It helps us keep the environment safe."
  • "Its implementation is too recent to make any judgments about areas needing improvement. In terms of pricing, of course, it is not free. Cheaper is always better."

What is our primary use case?

By implementing this solution, we wanted to fix vulnerabilities as soon as possible in both software and operating systems. Qualys Patch Management gives us the power to solve vulnerabilities quickly and keep our environment safe.

How has it helped my organization?

We have not yet seen many benefits because we are still deploying patch policies. We are doing that first with a test group. We have not done 100% patch management. By next month, we will have 100% management through Qualys Patch Management. We expect to see about 99.9% of assets updated all the time. We have great expectations.

We can create rules based on risk. We do not make it 100% automatic for servers because there is a higher chance of issues, but for PCs, we can do 100% automation. Based on the risk for an operation, we can create some sort of policies.

We are deploying both Qualys Vulnerability Management and Qualys Patch Management. Qualys Vulnerability Management was deployed one month ago. For the last month, we have been working to deploy Qualys Patch Management. They are being deployed side by side. The benefit of this is that Qualys Patch Management can solve all the vulnerabilities found by Qualys Vulnerability Management. One part of the tool detects the vulnerabilities and then the other part fixes them. They work together.

Patch Management will help reduce our organization's risk, but it is hard to say how much it will reduce the risks.

What is most valuable?

Policy enforcement requires less time for my team because users cannot avoid applying updates. The user can skip two or three times or for a maximum of eight hours. After that, there is no way to avoid it. It helps us keep the environment safe.

What needs improvement?

Its implementation is too recent to make any judgments about areas needing improvement. In terms of pricing, of course, it is not free. Cheaper is always better. If possible in the future, it would be good if it is cheaper.

Buyer's Guide
Qualys Patch Management
November 2024
Learn what your peers think about Qualys Patch Management. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
815,854 professionals have used our research since 2012.

For how long have I used the solution?

It has been deployed very recently and we are still in the process of deploying it throughout our organization.

What do I think about the stability of the solution?

So far, stability has been good with no issues.

What do I think about the scalability of the solution?

I know that as a cloud solution, it would be easy to scale, but I do not have any experience with it. We just deployed it, so there is no need to scale at this time.

How are customer service and support?

I have not had to contact support, so I cannot comment on customer service.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We previously used Microsoft WSUS. However, it did not offer the same level of management and enforcement as Qualys Patch Management.

Qualys Patch Management gives me all kinds of management options. I have good visibility into vulnerabilities on each asset. Microsoft WSUS does not give me this sort of management level. We also could not meet the expectation of a 99.9% patch rate with Microsoft WSUS.

What was our ROI?

It is too early to determine the return on investment.

What's my experience with pricing, setup cost, and licensing?

The licensing cost is more than 2,000 for the whole Americas region.

What other advice do I have?

We have not integrated Qualys Patch Management with CMDB or ITSM tools for ticket management. This Qualys Patch Management deployment is done at the Americas region level, and the ITSM that we have in place is only in South America. Companies in the Americas region do not have ITSM, so there is no integration yet.

I would rate Qualys Patch Management an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr Cyber Security Manager at BARC India
Real User
Effortless patch scheduling and prioritization enhance our security posture
Pros and Cons
  • "Qualys Patch Management offers valuable features like scheduling and on-demand patching, allowing us to conveniently push patches to our servers at designated times."
  • "The GUI has areas that need improvement, particularly in the accuracy of results when adding dashboards and running queries."

What is our primary use case?

We use Qualys Patch Management to mitigate and remediate all critical vulnerabilities present within our infrastructure.

We implemented Patch Management to address critical vulnerabilities in our infrastructure. This proactive measure mitigates the risk of compromise that could arise from unpatched vulnerabilities.

How has it helped my organization?

Patch Management has tremendously increased our security posture. Previously, we used to manage patching manually and remotely, which did not provide accurate data. With Qualys, all the details are readily available on the dashboard, aiding us in submitting details to management. It has significantly helped in providing management with up-to-date data, leading to improved satisfaction. We saw the benefits of implementing Qualys Patch Management within the first quarter.

Qualys Patch Management gives us a single source of truth for assets and vulnerabilities that must be assessed, prioritized, and remediated. This has drastically affected our operations because the features present on Qualys are amazing, and it's user-friendly compared to other tools.

We've observed an improvement in our patch rates by up to 50 percent. Utilizing the Patch Management tool allows us to download comprehensive compliance reports detailing the number of patches applied to each server, which is significantly beneficial.

Qualys Patch Management's risk reduction recommendation report offers comprehensive and customizable details, including in-depth vulnerability information with plugin output not found in other tools. This makes Qualys a superior solution for managing and understanding security risks. Qualys Patch Management's risk reduction recommendation report provides a helpful scoring system, the QDS, which can be mapped to our asset classification system, allowing us to prioritize and address vulnerabilities according to their risk level.

The risk reduction recommendation report has identified vulnerabilities that, if addressed, would yield the most significant risk reduction. Prioritizing these vulnerabilities based on their severity allows us to focus on the most critical risks to our organization and take appropriate remediation action.

We have created widgets with the assistance of the Qualys support team to add them to our existing vulnerability management solution, which has been instrumental in helping us track vulnerabilities related to our infrastructure.

Qualys Patch Management has significantly reduced our organizational risk by up to 70 percent by identifying vulnerabilities in our infrastructure and prioritizing remediation efforts. This has allowed us to reduce vulnerabilities and strengthen our overall security posture effectively.

What is most valuable?

Qualys Patch Management offers valuable features like scheduling and on-demand patching, allowing us to conveniently push patches to our servers at designated times.

What needs improvement?

The GUI has areas that need improvement, particularly in the accuracy of results when adding dashboards and running queries.

For how long have I used the solution?

I have been using Qualys Patch Management for the last two years.

What do I think about the stability of the solution?

The stability of Qualys Patch Management is impeccable. I would rate it ten out of ten.

What do I think about the scalability of the solution?

Qualys consistently upgrades itself with major changes and new technologies. They introduce new modules as needed, making Patch Management highly scalable.

How are customer service and support?

Qualys support is exceptional. Whenever we need custom reports, we log a ticket with Qualys.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We transitioned from Nessus Security Center to Qualys due to challenges with Nessus's automatic patch deployments, which resulted in unplanned downtime on critical systems. A proof of concept and vendor support confirmed Qualys as a more suitable solution for our needs.

How was the initial setup?

The initial setup was straightforward. Before deciding to implement it, we conducted a month-long POC to ensure all requirements were met. The deployment took over 25 days.

What's my experience with pricing, setup cost, and licensing?


What other advice do I have?

I would rate Qualys Patch Management ten out of ten. 

We are conducting testing in a UAT environment. Our risk mitigation approach involves deploying a patch only after thorough testing in the UAT environment confirms the absence of issues.

We use an internal ticketing system called TUSOM. While previous discussions with our Qualys TAM indicated that integration with TUSOM was not possible, we have recently re-engaged with them, and they are now working on a solution to enable integration.

Approximately 13 individuals have administrative access to Qualys Patch Management, while the remainder have read-only access for viewing reports.

Maintenance is required before we can implement the policy. As a result, we are conducting preliminary testing in the UAT environment. Additionally, Qualys will notify us of any planned maintenance.

I recommend starting with a proof of concept to ensure Qualys Patch Management meets your requirements. In my experience, it is highly user-friendly and has excellent support, making it superior to other products.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2560884 - PeerSpot reviewer
SOC - Cyber Security Engineer at a computer software company with 201-500 employees
Real User
Top 20
The tool improved our productivity and efficiency after we became certified and familiar with its
Pros and Cons
  • "Qualys' best feature is its reporting. At first, it may seem a little complicated to a beginning user, but it's helpful once you get used to it. Most of these scans run automatically. We set the scans up for the client to run at daily, weekly, or monthly intervals, depending on how critical the server or other hardware is."
  • "Qualys could improve its capacity to fix vulnerabilities on VMware and other virtualized environments. The reporting could also be enhanced to make it more user-friendly. It's difficult for beginners to learn."

What is our primary use case?

Our use cases for Qualys vary depending on the client. I work for a Paris-based French company that provides cybersecurity and metadata services to multiple clients. We primarily use Qualys to check the core infrastructure that hosts everything, scanning and remediating vulnerabilities.

We work with multiple teams, so if we identify a patching issue using Qualys, we might need to escalate it to another department. For example, if we identify a vulnerability in a CI/CD tool the DevOps team uses in Terraform, we're not supposed to touch it. We recommend a time frame for the DevOps team to apply the patch. If the issue is high-severity, they may need to address it as soon as possible. We run the scans, get the reports, and create recommendations.

We have integrated Qualys with our homegrown ticketing tool, but we plan to migrate to ServiceNow. It's a gradual process. Microsoft Sentinel, our SIEM solution, sends alerts to our internal detection and monitoring tool, which ServiceNow will soon replace. Our SIEM tool is responsible for monitoring the overall risk, while we use Qualys to report vulnerabilities that need to be patched.

How has it helped my organization?

Qualys improved productivity and efficiency after we became certified and familiar with the tool. However, our efficiency ultimately doesn't rely on us. We're not free to do whatever we want because we need to wait for the approval of our bosses or clients. We only note everything on our customized reports inspired by Qualys' core reporting. 

Our clients typically have a 30 percent security score, and we aim to raise that to at least 90 percent through patch management and vulnerability monitoring and detection so their infrastructure security improves daily.  

What is most valuable?

Qualys' best feature is its reporting. At first, it may seem a little complicated to a beginning user, but it's helpful once you get used to it. Most of these scans run automatically. We set the scans up for the client to run at daily, weekly, or monthly intervals, depending on how critical the server or other hardware is.

According to the scan target, we adopt a risk-based or patch-based approach. Our company has a large SOC team that covers more than just the scanning aspect. Qualys is one tool we use. Regarding the managerial component, we have documentation and a set of steps to follow. We must also follow all the protocols, regulations, and standards, such as ISO-27000 or GDPR if you are in Europe.  

What needs improvement?

Qualys could improve its capacity to fix vulnerabilities on VMware and other virtualized environments. The reporting could also be enhanced to make it more user-friendly. It's difficult for beginners to learn.  

For how long have I used the solution?

I have used Qualys for two and a half years.

What do I think about the stability of the solution?

We've had no stability issues with Qualys because most clients use high-speed fiber optic connections. 

How are customer service and support?

I rate Qualys support nine out of 10. I've contacted Qualys support four or five times. They're highly efficient. There were some delays and technical issues the first time I called them, but the rest of my experiences went smoothly.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used Nessus, but we switched. It was a company decision because it has a partnership with Qualys' parent company. Before that, we used Metasploit.

How was the initial setup?

Deploying Qualys was initially overwhelming, but after a lot of tutorials and testing, we got used to it. Three people were involved in the first six months, but now I'm the only one using it. We had some help from Qualys in the first few months.  

What's my experience with pricing, setup cost, and licensing?

I'm unaware of Qualys' exact price, but it's more expensive than Nessus. With technological products, you need to pay to get the best. 

What other advice do I have?

I rate Qualys eight out of 10. It's a great tool, and if I consulted for a client, I would recommend it. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2588394 - PeerSpot reviewer
Works at a comms service provider with 1-10 employees
Real User
Allows us to prioritize vulnerabilities and deploy patches efficiently, reducing bandwidth usage
Pros and Cons
  • "The integration of Qualys Gateway Scanner is my favorite feature. The patches are downloaded to QGS in our environment and deployed, saving bandwidth. The patch logging and policies have been helpful. The dashboard shows you when the patch has been applied to your assets."
  • "There is room for improvement in terms of adding more patches. Not all patches are available for deployment on Qualys Patch Management, so collaborating with various vendors to provide new patches would be beneficial."

What is our primary use case?

Patch Management checks for new patches that Qualys updates daily. For example, Microsoft and other vendors release security updates, which we add to the asset register to simultaneously deploy them. 

How has it helped my organization?

Whenever we updated assets in the past, we used to connect to the Internet to download each one, so every asset used to connect individually to download the patch, consuming a lot of bandwidth. Qualys Gateway Scanner works well for us. QGS has all the patches and deploys them to the systems that need them. For example, if we need to update Adobe Acrobat, we can set up an Acrobat group with all the laptops that have the software and push it out. It previously used a lot of bandwidth to download the packages. Now, instead of downloading it thousands of times, we only need to download 10 to 20 packages.

Qualys enables us to identify vulnerabilities and patch them as quickly as possible. We can fix vulnerabilities without involving the security team using TruRisk. We did a POC of TruRisk, but we do not have the whole package yet. It shows us which assets are critical, so we can prioritize them.  

What is most valuable?

The integration of Qualys Gateway Scanner is my favorite feature. The patches are downloaded to QGS in our environment and deployed, saving bandwidth. The patch logging and policies have been helpful. The dashboard shows you when the patch has been applied to your assets. 

The patch model is critical. The solution classifies the vulnerabilities based on their severity and assigns an asset risk score, so I can focus on the critical ones first. The greater the score, the more vulnerable and risky the assets are. I can prioritize the assets directly from the UI. It doesn't take any skill to evaluate the risk. 

The VMDR feature is critical because I can permanently see the associated patch in my patch management model when I find a vulnerability. From there, deploying the patch on my assets is a short step. I don't need to do manual work.

What needs improvement?

There is room for improvement in terms of adding more patches. Not all patches are available for deployment on Qualys Patch Management, so collaborating with various vendors to provide new patches would be beneficial.

For how long have I used the solution?

We have used Qualys for four years. 

What do I think about the stability of the solution?

I rate Qualys' stability eight out of 10. 

How are customer service and support?

I rate Qualys eight out of 10. They're great. Customer service is responsive to feature requests. They'll add something if it's valuable and many users ask for it. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have used BigFix before, which was just a patching tool. You can push all patches through the case, but it doesn't have the same features or UI Qualys has. 

How was the initial setup?

Deploying Qualys was slightly challenging due to the internal IT processes rather than any shortcomings from Qualys. It took us about two months. We had a team from both the security and IT departments involved in the deployment. Two or three people were from security, while approximately six were from the IT team, including networking and server teams.

What's my experience with pricing, setup cost, and licensing?

Qualys is fairly priced. 

What other advice do I have?

If Qualys can provide all patches and the ability to deploy custom patches, it would make them unbeatable.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
System Admin at an insurance company with 501-1,000 employees
Real User
Top 20
Enhances infrastructure security with detailed vulnerability insights and stability
Pros and Cons
  • "Patch Management's most valuable feature is the ability to search for vulnerabilities using their QID."
  • "The Qualys agent sometimes encounters authorization issues, leading to inaccurate vulnerability reports."

What is our primary use case?

Qualys Patch Management is used to address and remediate server vulnerabilities. It provides a dashboard with information on remediation steps, vulnerability severity, impact, and other relevant details. This tool effectively manages and mitigates security vulnerabilities, ensuring the security of our infrastructure.

How has it helped my organization?

Qualys Patch Management provides visibility into our infrastructure's security vulnerabilities, enabling us to demonstrate to external auditors that our infrastructure is secure and vulnerabilities are mitigated. This has strengthened our security posture and significantly improved our overall security.

The TruRisk automation helps us remediate vulnerabilities without involving our security team.

Qualys Patch Management provides a single source for asset and vulnerability monitoring, allowing us to view remediation status and severity levels from a centralized dashboard.

It is user-friendly and easy to learn, even for someone without experience, enabling them to master the tool within four days.

Qualys Patch Management has helped reduce our organization's risk by 70 to 80 percent.

What is most valuable?

The most valuable feature is the ability to search for vulnerabilities using their QID. This provides comprehensive information, including severity, CVE, and impact, in an informative dashboard. This allows for a clear understanding of the scope of the infrastructure affected and the specific servers impacted.

What needs improvement?

The Qualys agent sometimes encounters authorization issues, leading to inaccurate vulnerability reports. Additionally, server updates cause duplicate assets to appear, hindering accurate asset identification.

For how long have I used the solution?

I have been using Qualys Patch Management for approximately two and a half years.

What do I think about the stability of the solution?

I would rate the stability of Qualys Patch Management as nine out of ten.

What do I think about the scalability of the solution?

I would rate the scalability of Qualys Patch Management as eight out of ten.

How are customer service and support?

Qualys' technical support is good. We raised some issues, and their response was quick and effective, resolving everything on time.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup for one or two servers was straightforward and did not take much time. It was set up before I joined the organization, so my direct experience with a larger-scale setup is limited.

What other advice do I have?

I would rate Qualys Patch Management eight out of ten.

We have three environments: production, development, and QA. To perform patching, we must coordinate with the application team and schedule downtime. Due to the critical nature of the business application running on the production servers, we cannot automate patching; instead, we use satellite servers.

Our organization has between 20 and 30 people who use Qualys Patch Management.

In the two and a half years I've used Qualys Patch Management, I haven't observed any need for maintenance on the tool.

Qualys Patch Management is a valuable tool for large organizations seeking to maintain a secure infrastructure.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.