Qualys Patch Management Reviews

My name is Gift Denison Djemeda, and I stay in Botswana, a country in Southern Africa, where my full title is a Vulnerability Management Specialist, focusing on vulnerability management and infrastructure patching.

I have been working in this field for about three years in the vulnerability management space, but before that, I worked as an infrastructure specialist.

My main role within the vulnerability management space in Qualys Patch Management involves relying on it as one of the core tools; my responsibility involves not just running patches but ensuring that vulnerabilities are reduced in a measurable and sustainable way across the environment, with a key focus on understanding the gap between detection and remediation, where the real challenge lies in ensuring patches are correctly matched to assets and deployed successfully.

Qualys Patch Management has enabled us to quickly patch devices when it comes to zero-day vulnerabilities; for instance, when there was a vulnerability for a software called SAP, we were able to write a script to forcefully push a patch and change some registry keys immediately to resolve that particular vulnerability before any attacker could take advantage of the situation.

On a day-to-day basis, I take a proactive approach by conducting training sessions for both end-users and engineers, as Qualys Patch Management is not only a patch management tool but also a vulnerability management scanner that continuously scans the environment across all live devices, allowing us to see different vulnerabilities and alerts that keep us on our toes.

Since implementing Qualys Patch Management, we have seen measurable improvements in remediation speed, reducing our patch turnaround time significantly from four weeks with a compliance of about 60% to about 24 to 48 hours for critical vulnerabilities with an average vulnerability count per device down to around 10.

One of the best features Qualys Patch Management offers is the detection and remediation capability, which allows us to detect devices and remediate them regardless of whether they are within the local network or any other network.

The remote remediation capability has significantly supported my team by allowing us to reduce remediation time and stay ahead of potential threats, improving consistency across all devices regardless of location despite facing challenges with patch-to-asset mismatches.

Among the features in Qualys Patch Management, automation and scheduling stand out for me as they minimize manual efforts significantly, coupled with patch validation and reporting that reinforces audit readiness and compliance, as well as granular targeting capabilities that prioritize critical systems without disrupting business.

Qualys Patch Management has positively impacted our organization mainly by improving how quickly and effectively we reduce vulnerabilities, where features such as remote deployment eliminate the dependency on users being physically present to push critical patches, and strengthening our overall security posture by integrating patching with vulnerability data.

While Qualys Patch Management is a powerful tool, there are areas for improvement, such as enhancing patch-to-asset accuracy, improving deployment feedback and error visibility, optimizing bandwidth and performance, enhancing reporting customization and dashboards, expanding application coverage, and ensuring deeper integration with ITSM or other tools.

I have been using Qualys Patch Management for about three years now.

Qualys Patch Management is stable and easy to use.

Qualys Patch Management is extremely scalable, capable of covering our organization's more than 4,000 endpoints.

Customer support can improve in terms of response time, though I have established relationships with some engineers who respond adequately.

Previously, we used SCCM as our patch management tool, which mainly focused on Microsoft patches, prompting our switch to Qualys Patch Management for its broader application support.

I have seen a significant return on investment from the automation involved with Qualys Patch Management, reducing the number of personnel needed from ten to as few as two or five, cutting costs and providing significant resource savings.

The setup cost for Qualys Patch Management was manageable since it was handled in-house, and while the pricing could be a bit cheaper, it remains reasonable.

In evaluating options before choosing Qualys Patch Management, we compared it with InTune and chose Qualys Patch Management for its comprehensive support for third-party applications.

For those looking into using Qualys Patch Management, I recommend it because it supports a wider range of applications beyond just Microsoft, offering a more comprehensive patch management solution. I have given this review a rating of 8.

Qualys Patch Management is integrated with the vulnerability management solution itself, making it more useful and automated. While using the vulnerability management product, we come across all the vulnerabilities and the major issue which comes after the vulnerability scanning is the remediation part and the patching and fixing of the vulnerability. Qualys Patch Management helps significantly in this regard. We get asset visibility and prioritization, which aids us considerably.

The best part about Qualys Patch Management is the asset visibility which is very precise, and there are fewer false positives based on my experience. You can schedule it and automate the patching itself. The audits and compliance part, the reporting part, can be easily shared with management and for audits. This part is also taken care of by Qualys Patch Management. We have also integrated it with the vulnerability management solution, so it helps us in that way.

Qualys Patch Management's risk-based approach is a strong feature because when we get the vulnerabilities and the risk posture through the risk matrix, we can prioritize and automate the patching itself. We prioritize patches according to the risk matrix, allowing us to schedule the patches, test them, account for downtime, and deploy the patches efficiently. This approach helps significantly.

Qualys Patch Management gives me a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated. This powerful feature provides visibility of all the assets, allowing us to know the attack surface and accordingly prioritize the different patches.

Room for improvement in Qualys Patch Management would generally be in fixing some bugs that I encounter most of the time. The change management feature causes some difficulty.

With the change management in Qualys Patch Management, when I schedule processes, it becomes complex sometimes because we have not integrated it properly. Otherwise, there are mostly just a few false positives. Generally speaking, most issues are operational-based criteria and we receive support to fix issues.

I have been working with Qualys Patch Management for around ten months.

Qualys Patch Management is a stable solution, much more stable than other solutions due to its cloud-native aspect and the quality of support.

Qualys Patch Management is scalable, although you have to purchase licenses for that.

I would rate the scalability of Qualys Patch Management an eight.

I would rate the technical support of Qualys as good compared to other vendors; I would rate it between eight or nine.

Positive

The pricing for Qualys Patch Management is not cheap, but I think it is efficient and reasonable as per market standards for a good international standard vulnerability management and patch management solution.

Qualys Patch Management is definitely better than other OEMs out there. The only challenge I face with some clients is the cloud-based aspect of Qualys. It is a fully cloud-based SaaS solution, and sometimes organizations, such as government organizations, prefer on-premises solutions, making Qualys not an option for them. Otherwise, Qualys Patch Management is the best solution if organizations are comfortable with cloud deployments.

Adding Qualys Patch Management on top of an existing solution helps as you can track vulnerabilities in the same console and prioritize the patches to be fixed. You can schedule the patches in the same way, and risk prioritization aids in effectively scheduling all the patches at the same place. We get reporting as well, which helps because earlier, I had to coordinate with different ops teams for patching and fixing vulnerabilities, which was complex. Now, that whole part is seen by a single team, managing vulnerability and patching together.

I mostly have Qualys Patch Management deployed with scanners and agents, along with three locations where different scanners and agents are applied as per requirement. It is a simple deployment.

My overall rating for Qualys Patch Management is eight.

I would recommend Qualys Patch Management to other users if they want more efficiency in their vulnerability and patch management. If they want to automate processes, reduce workload, and are comfortable with cloud deployments, this solution offers fewer bugs and superior reporting. Integration can be done with ITSM, and VM and VMDR can also be utilized. Risk prioritization is another strong benefit, along with fewer false positives. Qualys Patch Management is a robust solution in my opinion.

I have experience using Qualys because I'm a pre-sales engineer in one of the systems integrator companies here in the Philippines. I am also handling and selling Qualys, doing presentations to our clients.

I have already tried using Qualys Patch Management and VMDR together. Qualys Patch Management is under Qualys VMDR, which first performs asset management by gathering and enrolling the assets needing protection or scanning in the IT infrastructure. Once those devices or endpoints are enrolled in Qualys VMDR, they become visible in Qualys Patch Management tab, allowing you to define and see which assets need patching and the patches that need to be deployed.

Qualys Patch Management is a vulnerability management solution that is competitive to other solutions in vulnerability management because it has Patch Management built in. It doesn't need a third party to do the patching itself. What I like most about Qualys Patch Management is that Qualys provides a dashboard showing the patches at a glance, the devices needing to be patched, and the jobs for creating and deploying patches. You can deploy a patch to one device or to multiple devices simultaneously. Additionally, Qualys Patch Management has a rollback plan and provides error codes if the patches do not push through, helping the end user or client understand why the patch failed and what their next steps should be.

TrueRisk Automation is the scoring system uniquely used by Qualys for devices with vulnerabilities. TrueRisk gathers data from asset tagging, allowing you to tag your assets from one to five levels of criticality. For example, tagging a device as level five indicates it is critical due to its role as a database or server. TrueRisk also considers the detection score of vulnerabilities and the impact they pose. With this information, it creates the TrueRisk scoring system visible in Qualys GAV or Qualys CSAM, helping prioritize devices based on risk.

Qualys Patch Management combined with Qualys VMDR integrates solutions into one system, offering a single source of truth for assets and vulnerabilities needing assessment and remediation. You can easily deploy patches to enrolled devices without relying on a third-party solution like SCCM or Microsoft Intune.

Qualys should improve by offering a dedicated testing environment for patches, allowing clients to test patches before deploying them to production. Currently, clients must manage this themselves, creating challenges and difficulties when deploying patches, as a testing environment would simplify the process.

I last used it this year in July.

It's normal for applications including Qualys Patch Management to experience some errors and lagging. These issues are not frequent but do happen occasionally, requiring users to refresh their browsers to verify deployment status.

Qualys Patch Management is very scalable. You can enroll more devices as your license permits. For instance, if you start with 128 devices and later expand to 500, it remains scalable as long as you have the necessary subscriptions.

I have contacted technical support regarding Qualys Patch Management. There are challenges due to language barriers with some agents, but they provide effective support via email. Communicating technical issues can be difficult over the phone, but they respond proactively to email inquiries.

The difficulty mainly arises when deploying patches, which can significantly affect IT operations. However, Qualys offers support to assist with these issues.

Positive

I have less experience with Tenable, which doesn't provide Qualys Patch Management but offers an unlimited scan option. Although they have comparable vulnerability checks and recommendations, Tenable lacks a Qualys Patch Management feature.

The initial deployment of Qualys Patch Management is very easy. Users should understand how to manage bundle or multiple deployments on specific devices. Qualys has options that allow you to select patches for many endpoints simultaneously, streamlining the deployment process.

The pricing of Qualys is promising, but I don't have the specifics. Based on my experience, both Qualys and Tenable have similar price points, but clients choose based on whether they need a comprehensive Qualys Patch Management solution or an alternative.

The risk-based approach is essential. When you enroll devices, Qualys automatically identifies vulnerabilities, focusing on reducing risks to your company, not just patching browsers or applications but also addressing outdated software and misconfigurations. Collecting this data allows for automated and prioritized patching based on risk.

I have used Qualys Patch Management for just one year, but I have handled many clients during that specific time period. We always do proof of concept and demonstrations to our clients, so I believe I can deliver more details regarding Qualys Patch Management.

I have used the Risk Reduction Recommendation Report. There are several types of reports in Qualys, including technical reports and managerial or CEO reports. Qualys offers comprehensive reports detailing vulnerabilities, recommendations, next action plans, and risk reductions, along with insights into potential MITRE attacks. This information allows clients to fortify their systems and reduce attack risks.

I haven't integrated Qualys Patch Management with any CMDB or ITSM tools for ticket management yet, but I believe Qualys Patch Management cannot be integrated with CMDB. However, Qualys CSAM can easily integrate with CMDB without needing an API. It focuses on cybersecurity risks, adding devices to Qualys Patch Management directly from CMDB as long as they have the Qualys agent installed.

It's a best practice to implement Qualys Patch Management alongside vulnerability management as part of the remediation process in Qualys. If clients lack a Qualys Patch Management subscription, the reports can still provide details on vulnerabilities and recommendations. However, we encourage them to add Qualys Patch Management subscription to ease the patching process for their devices.

Maintenance can be challenging, especially if there are bugs or errors in Qualys Patch Management. The difficulty mainly arises when deploying patches, which can significantly affect IT operations. However, Qualys offers support to assist with these issues.

I have resigned from my previous company, but I have the knowledge, skills, and fundamentals in using Qualys. I would rate this product overall as an 8.

We use Qualys Patch Management for monitoring servers and assets whereby we apply vulnerability management and patch management within the company so that we are always in scope when it comes to audits or even securing our systems. With patch management, we deploy automated patches using Qualys Patch Management so that the users do not have to restart their workstations because we also support the Cloud Agent which we have deployed on workstations. This pushes automated patches within our workstations so that they stay up to date. We are avoiding breaches because when there is a vulnerability that is still open, it has to be remediated. If it is not remediated, we put our systems at risk for them being hacked or attackers may gain access to our systems.

The reason why I appreciate Qualys Patch Management is that it makes our job easier. In the olden days, you had to remediate vulnerabilities manually through the IT department, but it was difficult because certain vulnerabilities would not appear on the actual server. With Qualys Patch Management it gives us a clear view on which hole to close and what to look out for. This makes things easier for people who are not technically proficient.

We assess the risk in a way whereby patch management will push automated patches, but only patches that are updates. We provide a report to our clients, which is IT or other clients, regarding which servers have missing patches and which servers have been deployed with patches so that it makes things easier for them to go and patch those servers and restart the servers. On the same day, it will run a scan at a scheduled time. For example, a scan might run around five PM and then an automated report will come up the next morning. If they have remediated the patches, the count goes down and it works in terms of compliance on our side. This makes things easier for both IT and the security side to maintain that balance.

We use Patch Management with Qualys Patch Management VMDR. Qualys Patch Management is the actual tool we are using. It has different modules such as Cloud Agent, a module for VMDR, Vulnerability Management, Detection, and Response. Patches and VMDR go together. You might get a report for vulnerabilities which are patch-related. If they apply patches on their systems, it will remediate the vulnerabilities, but there are certain vulnerabilities that you have to manually remediate because with each vulnerability, it will show you the vulnerability name, the QID, and the CVE number. It has a section for solution on what to do to remediate the vulnerability. Sometimes, based on manual work, you might need to update that specific software, or you might just need to delete it, or you might just need to go to your registry on your server and apply changes based on the solution of that specific vulnerability.

As a security team, we are monitoring Qualys Patch Management platform. We are the forefront for Qualys and then our client will be the IT support department. With Qualys Patch Management, we are making things easier for the IT team to run automated patches through configurations and through agents that have been deployed on servers and workstations. However, sometimes it needs manual intervention from their side in order to remediate vulnerabilities which do not contain updates. Based on TrueRisk, it does work a lot because it will be a hassle when you have to go through vulnerabilities each day and try to remediate vulnerabilities. There are certain vulnerabilities that you cannot remediate. That is when we apply something that we call a dispensation form. The dispensation form works accordingly with IT and security standards based on a vulnerability that cannot be remediated. It is taking a risk of allowing that vulnerability to exist. In case anything happens, you are taking the blame. That is the purpose of the dispensation form.

Qualys Patch Management does give us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

We work together because in today's industry, security and IT have to work alongside each other because they are the owners of the systems. We provide the service to them using tools that will minimize damage and minimize exposure to threats or cyber attacks. We work alongside and it needs to be that way so that we have collaboration because they know their tools, they know what systems they are using. It is their own system. IT is in charge of the systems whereby all employees are using servers. For example, if we have Active Directory, they need to configure that specific server to host an Active Directory, and then everybody has their passwords and usernames. As security, we need to monitor that all users are compliant and there is no malicious activity happening in the background. We inform IT so that they can also be aware and informed with what is happening with their systems. That is why we work alongside together.

The main benefits that we have seen from using Qualys Patch Management come from the SCA module, which is the Security Compliance Assessment. Most companies will always have an audit on a yearly basis, depending on which timeframe, perhaps term one or term four, but they will always have audits. It helps us with the audit so that we are compliant within the industry. By doing so, it gives us more customers and more clientele. We can continue selling the tool to other clients based on what we have worked with.

Qualys Patch Management does help to reduce our organization's risk. We know that all the servers are up to date because we always contain the critical servers such as P1, P2, and P3. It has reduced our risk and made our company life easier with that. We have to provide daily reports using the Patch Management module.

Using Qualys Patch Management, we have seen an improvement in our patch rates. As we provide reports on a daily basis, it does state the raw data from the CSV file and the number of installed patches within a specific server and the number of missing patches. It made a lot of difference because if I have installed two hundred patches and then there are only six missing, the IT department would know and have a clue on which patches to work with on that specific day after providing the report.

To be improved or enhanced in Qualys Patch Management, some patches are not automatically updated. I think I would improve automation whereby it can address something that we might have an issue with regarding reporting. With Patch Management, you have to manually deploy a report and you have to get it manually and it takes more time and space for a user or an employee to click around in it. It would be great to find a tool whereby we can make the patches automated so that it takes raw data on the platform and then it creates a report and sends it to IT directly without us intervening from a human perspective.

I have not seen any missing features yet because the system is quite new. Because it always enhances and always changes, we have to just keep updated with the new versions of Qualys Patch Management and we have to see what are the updates based on that Qualys Patch Management tool. They do send us the new updates and they do send us a message if there is something new that has been added. As a team, we look at it and then we see how we can benefit our company and then we deploy it.

I have been working with Qualys Patch Management for about three years and a couple of months now.

We have not had any crashes, downtime, or stability issues with Qualys Patch Management.

Qualys Patch Management is scalable.

We do log calls to the customer service and technical support teams. Sometimes the platform might give us certain issues whereby, for example, we are trying to pull a report and then it has no data, or a report we pull and then it says it could not fetch more data from the platform. We do log a call and then they tell us that we just have to restart a certain module or restart something so we clear up the old cache data so that we have space. Usually our problem was with Qualys Patch Management reporting, but now it has been fixed. Or accessing the platform, you might get tokens from their side. We get to find out that Qualys Patch Management might be down on that specific day. That is quite a challenge because we cannot run any patches or pull through reports on a certain time. Based on what we would tell them when logging a call to Qualys, they will try to improve their platform so that it becomes more efficient for us.

I rate them an eight because it has to go through a system. When you log a call, then they have to assign it to their engineer, then that is when the engineer will come back to us. Based on how quickly they resolve an issue, I rate them a ten.

Positive

There was no tool that we were using before Qualys Patch Management.

The setup by Qualys, as with any engineer, is manageable as long as you can write a certificate and know the background of how to set it up. It needs the collaboration of maybe a client's systems so that they can gain access to their firewalls and gain access to their certain IPs so that we can ingest Qualys Patch Management to monitor their company systems. That is what we basically need from Qualys.

Measurable benefits for us should exist, but there are people who are assessing those types of benefits. I am the technical person based on Qualys Patch Management. There are other solution architects and people who sold Qualys Patch Management to the clients. They are the ones who have that certain data and know how it benefited us as a company, how much we saved, and how much they upgraded the company. I am just on the technical side of Qualys Patch Management.

As long as we have someone, for example, deploying it for your company, we need to have someone who is technically proficient with the IT system. We need to know which IP we can use, and then you have to open firewall ports for us to gain access and traffic. The tool will ingest to your company and then it will work. It just needs hands-on work. Probably around one hour with a technical person or technical IT person from a different company, and then including us. Also, you need approval of signatures because gaining access to different companies might be a risk. We have to have access signatures and approvals first before we can deploy.

We download a script from us based on what you are using, which is the main server on your company. For example, if your main server is Windows, we download the script for Windows. We send it to you, you run the script on your server and then it will pop up with a Qualys Patch Management page whereby it has configurations. You include IPs, ports, and the systems it has to communicate with such as public IPs and internal IPs. Qualys Patch Management has its own module that is used for deployment.

We purchased licenses through Qualys directly. We need to get in touch with the Qualys salesperson from their side so that they can provide us with an amount of how much that costs and how much it is to manage it. Then as your company, we provide managed services towards them. We buy licenses to deploy it on our side, and then if there is a new client coming in, they buy licenses through us. We then provide managed services to them.

We are the MSP of Qualys.

We are working with the cloud-based Qualys Patch Management product.

We have seen other platforms such as Qispery and other platforms, but we chose Qualys Patch Management based on it being easy and user-friendly. We chose Qualys Patch Management based on that. We have assessed other tools that we can use, but other tools are quite difficult to maintain. With Qualys Patch Management, it had a high number of ratings within the environment of management and the patch environment.

Having this integration and Qualys Patch Management does help us close the tickets faster.

It helps us because, for example, any person can try to access a server or try to access it via brute force. Because that server is managed by Qualys Patch Management and we have an agent deployed, Qualys Patch Management will pick up that server, it will send ingestion to Sentinel, and then it will trigger an incident stating a brute force attempt based on attacking that specific server on Qualys Patch Management. It does work pretty well because as security analysts, we need to make sure that incidents are contained and remediated to avoid breaches. With Qualys Patch Management, it is a form of automation tool that we use to make things easier for both security and IT, and it is managed by us in the security team.

The single source of truth that Qualys Patch Management provides has helped us to reduce costs even though the platform is quite expensive. It helped us to reduce costs because the most dangerous part is if there are any breaches, it costs the whole company and is a business risk. We would rather spend money on that tool even though it might have a little durability challenge, but we spend money on that tool so we keep the whole environment secured. If the business is compromised, everything will be compromised. We would rather invest in a tool that will cover the aspects of the whole company so that even the users and employees are free to work and are okay without looking over their shoulders with vulnerabilities on what to click and the type of website that they are trying to access because we are all working with different browsers and websites.

The advice I would give them is that even after they buy Qualys Patch Management, obviously for the first time, the Qualys technical team will help them navigate the platform. It is mostly important for them to skill up and get resources to write their exams within Qualys Patch Management, which are free as long as you are their partner. You just have to write the exams and get informed about the system. This helps them avoid logging a lot of calls to the technical side. If you are buying that platform and providing an MSP, it will be critical that you have resources within that platform. It will be much easier to maintain it without any challenges.

I rate Qualys Patch Management as a product and solution a nine point five.

My main use case for Qualys Patch Management is to identify vulnerabilities and suggest patches, and I also make use of support automation for policy configuration.

A specific example of how I use Qualys Patch Management in my day-to-day work is that it helps me find critical vulnerabilities in our system and enhance and reduce exposure to unknown exploits, providing us a compliance-driven environment.

I use Qualys Patch Management in finding critical vulnerabilities.

I have been using Qualys Patch Management for over three years now.

The best features that Qualys Patch Management offers include a centralized critical vulnerability and patching dashboard where I can see all the systems that can be fixed, managed, and patched. The centralized dashboard helps me in my daily operations, and I find the cloud-based management feature especially useful as it provides a centralized dashboard that helps manage patches.

I value Qualys Patch Management's automated patch deployment and the ability to reschedule patch deployment easily. Qualys Patch Management has positively impacted our organization by making patch deployment more flexible.

Qualys Patch Management has given us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated, which helps us prioritize patching based on risk and enables our security and IT teams to work seamlessly with automatic identification of vulnerabilities and suggested patches.

I want Qualys Patch Management to improve in the area of patch deployment, making it more flexible with limited control that is needed, and also enhance reporting and visibility.

I want them to work on improving third-party patching support and the performance in large environments, as patch deployment is slow in large environments.

I want them to also work on their error feedback and troubleshooting because patch failure sometimes lacks detailed explanations, and I want them to help administrators resolve issues faster.

I want them to improve in the area of reporting and third-party application coverage.

I have been using the solution for over two years now.

Qualys Patch Management is stable and flexible with its dashboard environment in our distributed environment.

The scalability of Qualys Patch Management is acceptable because it helps me manage patches from a centralized dashboard and works in our distributed environments.

I have great customer support that assists me in the automation of policies, patch deployment, and reducing manual intervention for routine patching.

Positive

I have not tried any other solution aside from Qualys Patch Management.

Using patch management, I have seen an improvement in patch rates, with a significant improvement in patch rate in the last forty-eight hours.

This single source of truth has helped reduce costs for our organization by over seventy percent in return on investment.

I have seen a return on investment, saving significant money for employees, with metrics showing over eighty percent, and we have also saved time for employees and clients.

I have a great experience with the pricing setup of Qualys Patch Management because it provides us a detailed breakdown on how to provide solutions to our clients.

I have not evaluated other options yet because I find Qualys Patch Management very flexible.

My advice to others looking into using Qualys Patch Management is to recognize it as a great platform and tool that integrates with vulnerability management and patch management, helping prioritize patching based on risk and automatic identification of vulnerabilities with suggested patches. I would rate this product a seven overall.

My main use case for Qualys Patch Management is to automate and deploy patches across our enterprise infrastructure, specifically for Windows and Linux servers. I use it to bridge the gap between finding a vulnerability and actually fixing it, creating a unified workflow for the IT and security teams.

This unified workflow helps my IT and security teams work together effectively by ensuring our asset tagging is perfectly organized before using Qualys Patch Management. If your tags are wrong, you might deploy patches to the wrong servers and cause operational impact. I rate the solution an eight out of ten.

The best features Qualys Patch Management offers include excellent scalability, with the Qualys Cloud Agent handling the workload perfectly, even when deploying patches to thousands of assets simultaneously across different locations.

When considering scalability and agent handling, the stability is very good, making my day-to-day work easier and more efficient. Since it is a SaaS platform, we rarely experience downtime that affects our patching window.

Qualys Patch Management has positively impacted my organization by providing the most valuable feature of native integration with Qualys VMDR, allowing my team to identify a critical CVE and deploy the required patch from the exact same dashboard. This eliminates the need to export CSV files to the IT teams and drastically reduces our mean time to remediate.

Qualys Patch Management provides us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated, which has affected how my security and IT teams work together by using VMDR TruRisk Score with aligning devices, asset devices exposed to the internet, internet-facing devices, and exploiting zero-days.

This single source of truth has helped reduce costs for my organization, as we are categorizing patch management with TruRisk Score, utilizing various metrics and the patch catalog, and addressing exposed assets, public exploits, easy exploits, and the criticality score alongside the CVSS score and others.

Qualys Patch Management can be improved by enhancing the reporting capabilities and dashboards since it is difficult to extract customized executive reports for the board. Also, the feedback loop can be slow; sometimes it takes too long for the platform to confirm that an asset was successfully patched and is no longer vulnerable.

I have been using Qualys Patch Management for seven years.

Qualys Patch Management is highly stable, with very good stability and rare downtime affecting our patching windows.

The scalability of Qualys Patch Management is excellent, with the Qualys Cloud Agent handling the workload perfectly, even when deploying patches to thousands of assets simultaneously across different locations.

The customer support for Qualys Patch Management is responsive, with the technical account managers usually helping us quickly when we raise issues with specific patch deployments.

Previously, I relied on traditional tools such as Microsoft SCCM or WSUS. I switched to Qualys Patch Management because traditional tools were siloed and did not understand risk or CVSS. Qualys Patch Management allows me to patch based on actual vulnerability risks, not just IT schedules.

I have seen a return on investment, which is highly positive. I've saved hundreds of hours of manual work for the IT operation teams by automating the deployment of critical patches, and I've reduced our real business exposure to ransomware and exploits.

I evaluated other options before choosing Qualys Patch Management, specifically Microsoft SCCM and WSUS.

My advice for others looking into using Qualys Patch Management is to ensure your asset tagging is perfectly organized before using Qualys Patch Management. If your tags are wrong, you might deploy patches to the wrong servers and cause operational impact. I am rating the solution an eight out of ten.

The primary use case for Qualys Patch Management is to provide a proactive, automated, and data-driven approach for discovering vulnerabilities, prioritizing patching, and ensuring that patches are applied correctly to minimize security risk.

We switched to Qualys Patch Management because it simplifies patch deployment by requiring only an internet connection. Previously, we used an on-premises server with HSCM, which proved challenging for managing remote endpoints. To address this, we deployed cloud agents on all endpoints and servers, allowing Qualys to push patches remotely without needing VPN connectivity.

We have prioritized products for automated patching. This means that whenever a vendor releases a patch, it is seamlessly and robustly applied.

Qualys VMDR detects vulnerabilities and correlates them with relevant patches in the Qualys Patch Management module. Although separate databases, they work together to provide a comprehensive solution for identifying and remediating vulnerabilities. When VMDR detects a vulnerability, it identifies corresponding patches released in the Patch Management module, streamlining the patching process.

Before the pandemic in 2020, we relied on remote scanning, which limited our ability to deploy and manage patches effectively. Our on-premises SCCM server struggled to push patches to remote users relying on VPN. To address this, we deployed the Qualys Cloud Agent on all 360,000 assets in our infrastructure. This provided comprehensive vulnerability detection, unlike the limited results from remote scans. However, the sheer volume of vulnerabilities overwhelmed our SCCM server. Consequently, we collaborated with Qualys to develop a backend solution integrated with the Cloud Agent for seamless patch management. After successful testing and implementation, Qualys Patch Management now efficiently handles patching for Windows, Linux, and macOS devices.

Qualys Patch Management provides a centralized platform for managing assets and vulnerabilities, enabling assessment, prioritization, and remediation. We rely on Qualys for both vulnerability detection and patch deployment.

We initially faced challenges as the IT team was hesitant about Qualys Patch Management, and the deployment of cloud agents revealed millions of vulnerabilities. However, Qualys Patch Management significantly reduced these vulnerabilities, particularly on our Windows machines, which comprise 70 percent of our systems. The team observed a 70 percent remediation rate through scheduled patching, establishing Qualys as a reliable source of truth. Consequently, they shifted from relying on SCCM or Intune to Qualys Patch Management for scheduling patching jobs to meet our five-day SLA. With Qualys publishing QIDs the day after vendor patch releases, automated jobs promptly deploy patches to all machines upon vulnerability detection.

Qualys Patch Management helps lower operational costs and enhances our security posture by reducing vulnerabilities and streamlining compliance efforts.

I have observed an improvement in our patch rate using Qualys Patch Management. Qualys now facilitates over 80 percent compliance within five days, a task that previously required the IT team 12 days to accomplish.

By integrating Patch Management with VMDR, we gain immediate vulnerability detections and leverage TruRisk values to derive our own severity rankings for prioritization. These prioritized vulnerabilities are then addressed using the Qualys Patch Management Module, streamlining our remediation process.

Qualys Patch Management has helped reduce our organizational risk by providing current vulnerability data, including exploitability and active threat information. The platform's live threat feed and risk score enhance the standard CVSS rating by considering factors like active malware association and exploit availability, allowing us to prioritize patching efforts effectively.

Qualys Patch Management offers numerous valuable features, including automatic patching for Google browsers, which allows for scheduled updates immediately upon vendor release. The real-time vulnerability assessment enables prioritized patching and continuous updates on new vulnerabilities. Supporting Windows, Linux, and Mac OS patches in a single solution, Qualys provides flexibility and rollback capabilities, along with integration options for other security tools. Faster remediation is another benefit, with our organization achieving 84 percent patch compliance within five update cycles across 360,000 machines.

Qualys Patch Management system requires several improvements. Firstly, the inability to download asset patches and the lack of third-party application integration limit patch accessibility. Additionally, rollback options are unreliable, and pre-deployment patch testing is crucial. Reporting needs enhancement, particularly with group-based compliance percentages and clearer, VMDR-like reporting in the Patch Management module. Furthermore, detection speed should be improved, as patches are released 24 hours after QIDs are published. The user interface could be more functional, with dashboards for patch compliance visualization and simplified error code language. Finally, the Mac patch catalogue needs expansion, and automated workflows, policy enforcement, and testing procedures should be streamlined for seamless, user-independent operation.

I have been using Qualys Patch Management for four years.

I would rate the stability of Qualys Patch Management as nine out of ten because sometimes issues arise due to our network.

I would rate the scalability of Qualys Patch Management ten out of ten.

The technical support is excellent.

We used SCCM, an on-premises server requiring VPN connectivity, but its remote management challenges during the pandemic led us to adopt Qualys. Qualys facilitated issue detection and patching with only an internet connection.

The initial deployment of Qualys Patch Management was straightforward, requiring only the download of the agent onto all 360,000 machines, a process that took some time, given the number of assets.

Qualys Patch Management has saved significant resources. It provides live data every four hours without manual intervention, saving time. We have a 50 percent return on investment due to reduced operational complexity and increased efficiency in patching and detection.

Qualys Patch Management offers a moderate price point, neither cheap nor expensive, considering its comprehensive functionality. The cost is reasonable in relation to the value and benefits it provides.

I would rate Qualys Patch Management ten out of ten.

Qualys Patch Management is deployed on 360,000 assets across multiple locations and departments, supporting over 300,000 users.

The maintenance is managed by Qualys.

I recommend using Qualys Patch Management for better detection and patch compliance. I have seen improved patch compliance compared to other solutions like SCCM and Intune. For Linux, authentication is available as well, and patch compliance is better. I strongly recommend Qualys.

We previously used native patch management tools like SCCM servers for Microsoft, Linux, and Mac OS. However, with the shift to remote work in 2020, we encountered issues pushing patches through these on-premise servers. To address this, we adopted Qualys Patch Management, leveraging their cloud agents that are already in place. This simplified patch deployment, allowing us to push patches directly from the Qualys cloud platform, eliminating the need for on-premise servers and VPN connections, which often caused bandwidth congestion and patch deployment failures. 

Qualys Patch Management only requires an internet connection, significantly improving our patching efficiency and overcoming previous challenges with large patch sizes and network limitations.

Qualys Patch Management employs a risk-based approach to automation, utilizing the TruRisk feature within the Qualys VMDR module. TruRisk assesses the security posture of infrastructure by considering asset criticality and assigning a Qualys detection score to each vulnerability. This combination generates a TruRisk score for each asset, enabling the identification of critical assets such as crown jewels or public-facing systems. By categorizing assets based on criticality, users can prioritize vulnerability remediation directly from the VMDR interface. This prioritization seamlessly integrates with Qualys Patch Management, allowing for efficient patch deployment by clicking the Patch Now option in VMDR.

Qualys Patch Management and VMDR are seamlessly integrated, enabling direct communication between them. Patch Management obtains necessary vulnerability and missing patch data directly from the VMDR interface. Both modules rely on the Qualys Cloud Agent to gather complete vulnerability information from VMDR. This integration allows for direct patch deployment through either VMDR or Patch Management.

The COVID-19 pandemic significantly increased cyberattacks on organizations due to the shift to remote work and the resulting expansion of vulnerable attack surfaces. Employees connecting to company networks from home created security gaps that cybercriminals exploited, particularly with ransomware. To mitigate this, organizations adopted proactive measures like using Qualys Patch Management to quickly deploy patches and updates, addressing vulnerabilities, and protecting against attacks without relying on scheduled downtime.

We use the TruRisk scoring mechanism, which ranges from zero to 1,000, to assess and prioritize vulnerabilities. This score is based on Qualys-defined ranges for severity levels, critical, high, medium, low, and our asset criticality scoring. We categorize assets by creating tags for groups belonging to different organizational entities and assign criticality scores to those tags. By combining the asset criticality score with the Qualys detection score provided on a QID basis for each vulnerability, we calculate the TruRisk score. This allows us to identify the number of assets with critical or high-severity vulnerabilities and prioritize remediation efforts.

We have used Qualys Patch Management for four years, but our organization has used Qualys for over 12 years. In that time, I've also used other leading scanning vendors like Tenable and Rapid7. Compared to those, Qualys more accurately detects vulnerabilities due to its cloud agent. This agent, installed on the end asset, reads complete metadata, including the registry and other areas, to identify vulnerable software versions. For example, if an application vulnerability is identified, we can check the asset's installed programs. Even if the software isn't found there, Qualys provides the path where the vulnerable version is detected, often revealing remnant files. These files, left behind even after uninstallation, can be exploited by attackers. Qualys detects these remnants, ensuring accurate vulnerability identification, even if the software appears to be absent from the endpoint.

Although Qualys may be more expensive than other vulnerability scanning tools, its accuracy and effectiveness justify the cost. While alternatives like Tenable Professional offer unlimited IP scanning at a lower price, Qualys provides superior vulnerability detection. This leads to a good return on investment by minimizing security breaches and associated costs, such as reputational damage and compromised client data. Ultimately, Qualys increases stakeholder confidence by providing a high level of protection against cyberattacks.

We previously used a native patch management solution, which resulted in consistently low patch compliance. Achieving even 80 percent compliance often took an entire month, by which time Microsoft would release new security patches. Despite the challenge of maintaining high patch compliance across our extensive infrastructure, with Qualys Patch Management, we now achieve 75 to 80 percent compliance within the first week and 90 to 95 percent within two weeks of patch release. Consequently, our monthly patch compliance consistently exceeds 95 percent.

We augmented our existing vulnerability management solution by adding Qualys Patch Management. Before 2020, we relied solely on Qualys VMDR and other modules. Subsequently, we transitioned to Qualys Patch Management for most patching tasks, although we still utilize Microsoft Intune and SCCM for Microsoft OS assets. Qualys Patch Management leverages vulnerability feeds from the VMDR module, allowing us to identify vulnerabilities missing Qualys patches. Using Qualys Query Language queries within the Qualys interface, we can pinpoint assets with missing patches by searching for Qualys missing patches. This capability enables us to prioritize vulnerability remediation through Patch Management, supplementing our broader vulnerability management strategy.

Installing patches on end assets requires a reboot to take effect, and without it, vulnerabilities remain. Qualys Patch Management offers a valuable feature that allows for deferred reboots, giving users control while still ensuring eventual patching. This feature provides flexibility and reduces disruption. Additionally, a forced reboot option can be implemented via script to ensure all assets are regularly updated, eliminating the need for user intervention. The interface provides a clear view of patch job statuses, including failures and their reasons. It also displays missing patches by QID, allowing for easy identification and one-click patching. This streamlines the patching process and improves overall efficiency.

Currently, there are limitations in downloading patch jobs to view all associated assets and patch statuses. This issue has been raised with Qualys, who may be working on a feature request to address it. While generally satisfied with the Qualys Patch Management interface, another challenge is that some third-party applications, like Oracle, require a license for redirection to their website and subsequent patch access. This authentication requirement blocks some patches from being pushed through Qualys, leaving them in a locked state. This issue, however, only affects a few applications, as most do not require a license for patch access.

I have used Qualys Patch Management since 2020.

I would rate the stability of Qualys Patch Management nine point five out of ten, with minimal latency or other issues. Any observed latencies typically stem from our internal network rather than the cloud platform.

I would rate the scalability of Qualys Patch Management ten out of ten.

The support is robust and available around the clock. We have been provided with clear escalation points of contact, ensuring timely responses and resolution for any issues.

Positive

Before 2020, Microsoft SCCM and Intune were our primary tools for patching Microsoft assets. However, to improve compliance rates and manage third-party application patches more effectively, we transitioned to Qualys Patch Management.

We easily deployed Qualys Patch Management. Previously, security concerns discouraged cloud-based data storage. However, with robust cloud security controls in place, we confidently utilize this cloud-based module.

Implementation involved our internal IT team, who manage the operations of pushing patches.

The return on investment from Qualys Patch Management is significant because a security breach can severely damage an organization's reputation and lead to loss of business. Therefore, we are completely satisfied with the ROI from our investment in the Qualys Patch Management module.

Pricing for Qualys Patch Management is moderate.

Other solutions evaluated include Tenable and Rapid7, but Qualys Patch Management stood out for its accuracy and detection capabilities.

I would rate Qualys Patch Management eight out of ten.

We investigated integrating Qualys Patch Management with our current configuration management database but found that integration is not supported due to a lack of API access. However, we plan to migrate to ServiceNow soon, allowing us to integrate our CMDB or asset management system with Qualys. This integration will improve visibility by enabling us to identify asset owners and remediate vulnerabilities quickly. We expect to complete this migration within the next few months.

Our clients utilize various off-site data centers with distinct networks, including DMZs and intranets, resulting in multiple operational areas. We possess many assets within these networks, exceeding 300,000, and we rely entirely on Qualys Patch Management for their maintenance. We have around 70 team members that utilize the solution.

Patch Management is entirely maintained by Qualys.

I would definitely recommend Qualys Patch Management. Detecting vulnerabilities alone isn't enough; a robust patch management tool is essential for securing an organization.