Lead Product Manager ASM at a tech vendor with 1,001-5,000 employees
Risk-based patching has simplified managed services and has enabled us to prioritize critical vulnerabilities while automating low-hanging fixes
Pros and Cons
- "I think the TruRisk system and the TruRisk automation are great."
- "There is not really anything I dislike about Qualys Patch Management for obvious reasons, but there are no rollback capabilities."
What is our primary use case?
I have been using elements of Qualys for about six or seven years throughout my career, not necessarily Total Cloud, but overall in my experience. At the moment, Total Cloud is something that is on the roadmap for where I work currently, but it is not something we have yet used with any of our clients. We have used Qualys for a long time, specifically their CSAM modules, VMDR, policy compliance, patching pieces, and similar offerings.
Normally, we use Qualys for clients who want us to identify exposures on assets that perhaps cannot have cloud agents on, such as switches, routers, and firewalls, or for coverage of IP ranges if they are unsure about having agent-based scanning.
We have a client for whom we provide a managed service using VMDR and CSAM, and they purchased Qualys Patch Management from us. We do not do any patching for them, but we align everything up with the managed service from VMDR and CSAM, so they can have a clear view of what they can auto-patch and what they need to focus on manually. They press the button, and we line it up for them.
We have tried integrating with CMDB and ITSM tools for ticket management. In my previous organization, we used Qualys for about five or six years, and now in my current organization, we have only been using them for about six months. One constraint here is ServiceNow development, as we only have one ServiceNow engineer, which slows down the development necessary to provide our clients that one view and portal. Qualys has the capability to send tickets directly from the Qualys subscription to the client's ITSM tool, whether that is ServiceNow or even to channels such as Slack. We have been using that as an interim solution to get tickets to our clients while sorting out the ServiceNow development on our side.
What is most valuable?
I would not refer to the Virtual Scanner as a solution, but rather as something that makes our solutions work. The Virtual Scanner Appliances act as appliances to collect the data for organizations like the one I work for, enabling us to provide managed services to our clients. The capabilities and the things you can do with the Virtual Scanner Appliances are great; you can use the same appliance for multiple different modules without needing to install five appliances for five different Qualys modules, which is obviously beneficial.
I appreciate the fact that you can schedule the patches as well, which, although it sounds basic, is really helpful. If many clients have to do something out of hours, we do not necessarily have to have teams online at unusual hours; we can schedule things to run, which is really useful for us.
What needs improvement?
There is not really anything I dislike about Qualys Patch Management for obvious reasons, but there are no rollback capabilities. If a change or patch causes an issue or does not have the desired effect, then someone needs to manually revert that patch. If there was something that could automatically recognize that and roll it back or if we just needed to press a button in the Qualys Patch Management portal to roll something back, that would be really useful.
I think it would be useful to have some kind of industry comparison or increased exploit intelligence of elements that currently have a focus from attack vectors. Qualys does bits of that, but I believe some other technologies do it better, so getting up to that level would be really useful.
However, I think there are potentially other things Qualys could do with TruRisk to help us prioritize even further.
For how long have I used the solution?
I rate Qualys Patch Management a ten based on my experiences with it.
Buyer's Guide
Qualys Patch Management
April 2026
Learn what your peers think about Qualys Patch Management. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
892,611 professionals have used our research since 2012.
What do I think about the stability of the solution?
I have never experienced any downtime, lagging, or other issues with stability across any of their modules throughout the six or seven years that I have used Qualys.
What do I think about the scalability of the solution?
Qualys is really flexible regarding scalability. For example, if a client has purchased licensing for ten thousand assets and exceeds that, Qualys continues to scan those additional assets, which ensures the client's coverage. As an MSP provider, we have discussions with the client about exceeding their licenses and whether they need to purchase more. The valuable aspect is that Qualys continues to scan those additional assets, showing our concern for their protection instead of prioritizing profits.
How are customer service and support?
I have contacted Qualys technical support.
I think the quality and speed of their support varies. Generally, I would say ninety-eight percent of the time, someone gets back to us the same day, and they jump on a call with us, especially if a client is involved. However, I remember a time in my previous role where technical support was horrendous for one client with responses that were extremely delayed, sometimes weeks, which was the two percent that let them down. Otherwise, I believe they have one hundred percent for their technical support.
How was the initial setup?
The deployment of Qualys is pretty easy, to be honest. The client informs us of the operating system on the asset, and we download a cloud agent image, send it to the client with the installation command, and it quickly starts communicating with the Qualys subscription. The time-consuming part is when the client has to find the time to install it on their assets.
The initial deployment of Qualys Patch Management was easy since you need to have a cloud agent to use the module, and by that point, you already need to have data in the Qualys subscription. We had already deployed the applicable cloud agents and were gathering the data needed to use Qualys Patch Management.
What's my experience with pricing, setup cost, and licensing?
I put the commercials together for Qualys Patch Management, and I think it is reasonable. It operates on volume-based discounting and is priced per module. However, it can be a bit expensive sometimes, and I think clients can be shocked when they see the price. Although we include it with our managed service, the bulk of our managed service price to clients is the licenses. This makes it challenging for clients with fewer than one hundred assets, as the pricing ends up being more costly than the return. That said, compared to other technologies we use that cover fewer areas, the value of Qualys becomes more apparent.
What other advice do I have?
The Risk Reduction Recommendation Report has indeed helped me see which vulnerabilities would reduce the most risk within our organization and system. We use this intelligence in the tailored remediation plan for our clients, helping them understand the potential impact and critical areas, even if they do not have time to fix every single vulnerability. By focusing on low-hanging fruit and using that risk report, we can provide clearer guidance on where to direct their efforts.
I think the TruRisk system and the TruRisk automation are great. They provide a more accurate view of what the impact to a client is based on whether it is a critical asset or the exposures involved. This helps us as a managed service provider prioritize more effectively based on what has the most potential to impact the client.
The risk-based approach of Qualys Patch Management feeds into what I was saying before. You want to mitigate the issues that impact an organization the most. Being able to use Qualys Patch Management to get rid of that low-hanging fruit allows us to focus on the riskier assets and areas of compromise, either deploying patches with Qualys Patch Management or manually patching critical assets.
We do not provide a full managed service around Qualys Patch Management at the moment because there are many risks that come with that for the company I work for. However, we use Qualys's other modules to lead up to auto-patching for a client. We align everything up for them, and then they just have to press the button, which gets rid of about ninety percent of their vulnerabilities, leaving the critical areas or the issues that could cause a problem if patched for them to focus on. This really helps reduce the complexity for the client and assists them in focusing their efforts on more significant mitigation activities rather than spending a lot of time on basic business as usual Patch Tuesday tasks.
Currently, Qualys Patch Management does not require any maintenance on my end since we do not provide a managed service wrap around it. For now, it is a bit like a license resale; we align everything up to be ready for the client to use with Qualys Patch Management, and then they just click the go button. The elements of Qualys Patch Management are mainly managed by the client rather than by us at this point, but everything leading up to that is managed by us. I rate this product overall a ten based on my experiences with it.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Nov 28, 2025
VULNERABILITY MANAGEMENT SPECIALIST at SIT
Automation has reduced patch times and has improved zero-day remediation across all endpoints
Pros and Cons
- "Since implementing Qualys Patch Management, we have seen measurable improvements in remediation speed, reducing our patch turnaround time significantly from four weeks with a compliance of about 60% to about 24 to 48 hours for critical vulnerabilities with an average vulnerability count per device down to around 10."
- "While Qualys Patch Management is a powerful tool, there are areas for improvement, such as enhancing patch-to-asset accuracy, improving deployment feedback and error visibility, optimizing bandwidth and performance, enhancing reporting customization and dashboards, expanding application coverage, and ensuring deeper integration with ITSM or other tools."
What is our primary use case?
My name is Gift Denison Djemeda, and I stay in Botswana, a country in Southern Africa, where my full title is a Vulnerability Management Specialist, focusing on vulnerability management and infrastructure patching.
I have been working in this field for about three years in the vulnerability management space, but before that, I worked as an infrastructure specialist.
My main role within the vulnerability management space in Qualys Patch Management involves relying on it as one of the core tools; my responsibility involves not just running patches but ensuring that vulnerabilities are reduced in a measurable and sustainable way across the environment, with a key focus on understanding the gap between detection and remediation, where the real challenge lies in ensuring patches are correctly matched to assets and deployed successfully.
Qualys Patch Management has enabled us to quickly patch devices when it comes to zero-day vulnerabilities; for instance, when there was a vulnerability for a software called SAP, we were able to write a script to forcefully push a patch and change some registry keys immediately to resolve that particular vulnerability before any attacker could take advantage of the situation.
On a day-to-day basis, I take a proactive approach by conducting training sessions for both end-users and engineers, as Qualys Patch Management is not only a patch management tool but also a vulnerability management scanner that continuously scans the environment across all live devices, allowing us to see different vulnerabilities and alerts that keep us on our toes.
Since implementing Qualys Patch Management, we have seen measurable improvements in remediation speed, reducing our patch turnaround time significantly from four weeks with a compliance of about 60% to about 24 to 48 hours for critical vulnerabilities with an average vulnerability count per device down to around 10.
What is most valuable?
One of the best features Qualys Patch Management offers is the detection and remediation capability, which allows us to detect devices and remediate them regardless of whether they are within the local network or any other network.
The remote remediation capability has significantly supported my team by allowing us to reduce remediation time and stay ahead of potential threats, improving consistency across all devices regardless of location despite facing challenges with patch-to-asset mismatches.
Among the features in Qualys Patch Management, automation and scheduling stand out for me as they minimize manual efforts significantly, coupled with patch validation and reporting that reinforces audit readiness and compliance, as well as granular targeting capabilities that prioritize critical systems without disrupting business.
Qualys Patch Management has positively impacted our organization mainly by improving how quickly and effectively we reduce vulnerabilities, where features such as remote deployment eliminate the dependency on users being physically present to push critical patches, and strengthening our overall security posture by integrating patching with vulnerability data.
What needs improvement?
While Qualys Patch Management is a powerful tool, there are areas for improvement, such as enhancing patch-to-asset accuracy, improving deployment feedback and error visibility, optimizing bandwidth and performance, enhancing reporting customization and dashboards, expanding application coverage, and ensuring deeper integration with ITSM or other tools.
For how long have I used the solution?
I have been using Qualys Patch Management for about three years now.
What do I think about the stability of the solution?
Qualys Patch Management is stable and easy to use.
What do I think about the scalability of the solution?
Qualys Patch Management is extremely scalable, capable of covering our organization's more than 4,000 endpoints.
How are customer service and support?
Customer support can improve in terms of response time, though I have established relationships with some engineers who respond adequately.
Which solution did I use previously and why did I switch?
Previously, we used SCCM as our patch management tool, which mainly focused on Microsoft patches, prompting our switch to Qualys Patch Management for its broader application support.
What was our ROI?
I have seen a significant return on investment from the automation involved with Qualys Patch Management, reducing the number of personnel needed from ten to as few as two or five, cutting costs and providing significant resource savings.
What's my experience with pricing, setup cost, and licensing?
The setup cost for Qualys Patch Management was manageable since it was handled in-house, and while the pricing could be a bit cheaper, it remains reasonable.
Which other solutions did I evaluate?
In evaluating options before choosing Qualys Patch Management, we compared it with Intune and chose Qualys Patch Management for its comprehensive support for third-party applications.
What other advice do I have?
For those looking into using Qualys Patch Management, I recommend it because it supports a wider range of applications beyond just Microsoft, offering a more comprehensive patch management solution. I have given this review a rating of 8.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Apr 9, 2026
Senior Project Engineer at CDACINDIA
Integrated patching has improved risk-based remediation and now streamlines asset visibility
Pros and Cons
- "Qualys Patch Management is integrated with the vulnerability management solution itself, making it more useful and automated."
- "Room for improvement in Qualys Patch Management would generally be in fixing some bugs that I encounter most of the time."
What is our primary use case?
Qualys Patch Management is integrated with the vulnerability management solution itself, making it more useful and automated. While using the vulnerability management product, we come across all the vulnerabilities and the major issue which comes after the vulnerability scanning is the remediation part and the patching and fixing of the vulnerability. Qualys Patch Management helps significantly in this regard. We get asset visibility and prioritization, which aids us considerably.
What is most valuable?
The best part about Qualys Patch Management is the asset visibility which is very precise, and there are fewer false positives based on my experience. You can schedule it and automate the patching itself. The audits and compliance part, the reporting part, can be easily shared with management and for audits. This part is also taken care of by Qualys Patch Management. We have also integrated it with the vulnerability management solution, so it helps us in that way.
Qualys Patch Management's risk-based approach is a strong feature because when we get the vulnerabilities and the risk posture through the risk matrix, we can prioritize and automate the patching itself. We prioritize patches according to the risk matrix, allowing us to schedule the patches, test them, account for downtime, and deploy the patches efficiently. This approach helps significantly.
Qualys Patch Management gives me a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated. This powerful feature provides visibility of all the assets, allowing us to know the attack surface and accordingly prioritize the different patches.
What needs improvement?
Room for improvement in Qualys Patch Management would generally be in fixing some bugs that I encounter most of the time. The change management feature causes some difficulty.
With the change management in Qualys Patch Management, when I schedule processes, it becomes complex sometimes because we have not integrated it properly. Otherwise, there are mostly just a few false positives. Generally speaking, most issues are operational-based criteria and we receive support to fix issues.
For how long have I used the solution?
I have been working with Qualys Patch Management for around ten months.
What do I think about the stability of the solution?
Qualys Patch Management is a stable solution, much more stable than other solutions due to its cloud-native aspect and the quality of support.
What do I think about the scalability of the solution?
Qualys Patch Management is scalable, although you have to purchase licenses for that.
I would rate the scalability of Qualys Patch Management an eight.
How are customer service and support?
I would rate the technical support of Qualys as good compared to other vendors; I would rate it between eight and nine.
How would you rate customer service and support?
Positive
What's my experience with pricing, setup cost, and licensing?
The pricing for Qualys Patch Management is not cheap, but I think it is efficient and reasonable as per market standards for a good international standard vulnerability management and patch management solution.
Which other solutions did I evaluate?
Qualys Patch Management is definitely better than other OEMs out there. The only challenge I face with some clients is the cloud-based aspect of Qualys. It is a fully cloud-based SaaS solution, and sometimes organizations, such as government organizations, prefer on-premises solutions, making Qualys not an option for them. Otherwise, Qualys Patch Management is the best solution if organizations are comfortable with cloud deployments.
What other advice do I have?
Adding Qualys Patch Management on top of an existing solution helps as you can track vulnerabilities in the same console and prioritize the patches to be fixed. You can schedule the patches in the same way, and risk prioritization aids in effectively scheduling all the patches at the same place. We get reporting as well, which helps because earlier, I had to coordinate with different ops teams for patching and fixing vulnerabilities, which was complex. Now, that whole part is seen by a single team, managing vulnerability and patching together.
I mostly have Qualys Patch Management deployed with scanners and agents, along with three locations where different scanners and agents are applied as per requirement. It is a simple deployment.
My overall rating for Qualys Patch Management is eight.
I would recommend Qualys Patch Management to other users if they want more efficiency in their vulnerability and patch management. If they want to automate processes, reduce workload, and are comfortable with cloud deployments, this solution offers fewer bugs and superior reporting. Integration can be done with ITSM, and VM and VMDR can also be utilized. Risk prioritization is another strong benefit, along with fewer false positives. Qualys Patch Management is a robust solution in my opinion.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Feb 11, 2026
Security Solutions Engineer at a consultancy with 11-50 employees
Provides centralized visibility for patch deployments and helps prioritize risk across devices
Pros and Cons
- "Qualys Patch Management combined with Qualys VMDR integrates solutions into one system, offering a single source of truth for assets and vulnerabilities needing assessment and remediation."
- "Qualys should improve by offering a dedicated testing environment for patches, allowing clients to test patches before deploying them to production."
What is our primary use case?
I have experience using Qualys because I'm a pre-sales engineer in one of the systems integrator companies here in the Philippines. I am also handling and selling Qualys, doing presentations to our clients.
I have already tried using Qualys Patch Management and VMDR together. Qualys Patch Management is under Qualys VMDR, which first performs asset management by gathering and enrolling the assets needing protection or scanning in the IT infrastructure. Once those devices or endpoints are enrolled in Qualys VMDR, they become visible in the Qualys Patch Management tab, allowing you to define and see which assets need patching and the patches that need to be deployed.
What is most valuable?
Qualys Patch Management is a vulnerability management solution that is competitive with other solutions in vulnerability management because it has Patch Management built in. It doesn't need a third party to do the patching itself. What I like most about Qualys Patch Management is that Qualys provides a dashboard showing the patches at a glance, the devices needing to be patched, and the jobs for creating and deploying patches. You can deploy a patch to one device or to multiple devices simultaneously. Additionally, Qualys Patch Management has a rollback plan and provides error codes if the patches do not push through, helping the end user or client understand why the patch failed and what their next steps should be.
TruRisk Automation is the scoring system uniquely used by Qualys for devices with vulnerabilities. TruRisk gathers data from asset tagging, allowing you to tag your assets from one to five levels of criticality. For example, tagging a device as level five indicates it is critical due to its role as a database or server. TruRisk also considers the detection score of vulnerabilities and the impact they pose. With this information, it creates the TruRisk scoring system visible in Qualys GAV or Qualys CSAM, helping prioritize devices based on risk.
Qualys Patch Management combined with Qualys VMDR integrates solutions into one system, offering a single source of truth for assets and vulnerabilities needing assessment and remediation. You can easily deploy patches to enrolled devices without relying on a third-party solution like SCCM or Microsoft Intune.
What needs improvement?
Qualys should improve by offering a dedicated testing environment for patches, allowing clients to test patches before deploying them to production. Currently, clients must manage this themselves, creating challenges and difficulties when deploying patches, as a testing environment would simplify the process.
For how long have I used the solution?
I last used it this year in July.
What do I think about the stability of the solution?
It's normal for applications including Qualys Patch Management to experience some errors and lagging. These issues are not frequent but do happen occasionally, requiring users to refresh their browsers to verify deployment status.
What do I think about the scalability of the solution?
Qualys Patch Management is very scalable. You can enroll more devices as your license permits. For instance, if you start with 128 devices and later expand to 500, it remains scalable as long as you have the necessary subscriptions.
How are customer service and support?
I have contacted technical support regarding Qualys Patch Management. There are challenges due to language barriers with some agents, but they provide effective support via email. Communicating technical issues can be difficult over the phone, but they respond proactively to email inquiries.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have less experience with Tenable, which doesn't provide Qualys Patch Management but offers an unlimited scan option. Although they have comparable vulnerability checks and recommendations, Tenable lacks a Qualys Patch Management feature.
How was the initial setup?
The initial deployment of Qualys Patch Management is very easy. Users should understand how to manage bundle or multiple deployments on specific devices. Qualys has options that allow you to select patches for many endpoints simultaneously, streamlining the deployment process.
What's my experience with pricing, setup cost, and licensing?
The pricing of Qualys is promising, but I don't have the specifics. Based on my experience, both Qualys and Tenable have similar price points, but clients choose based on whether they need a comprehensive Qualys Patch Management solution or an alternative.
What other advice do I have?
The risk-based approach is essential. When you enroll devices, Qualys automatically identifies vulnerabilities, focusing on reducing risks to your company, not just patching browsers or applications but also addressing outdated software and misconfigurations. Collecting this data allows for automated and prioritized patching based on risk.
I have used Qualys Patch Management for just one year, but I have handled many clients during that specific time period. We always do proof of concept and demonstrations to our clients, so I believe I can deliver more details regarding Qualys Patch Management.
I have used the Risk Reduction Recommendation Report. There are several types of reports in Qualys, including technical reports and managerial or CEO reports. Qualys offers comprehensive reports detailing vulnerabilities, recommendations, next action plans, and risk reductions, along with insights into potential MITRE attacks. This information allows clients to fortify their systems and reduce attack risks.
I haven't integrated Qualys Patch Management with any CMDB or ITSM tools for ticket management yet, but I believe Qualys Patch Management cannot be integrated with CMDB. However, Qualys CSAM can easily integrate with CMDB without needing an API. It focuses on cybersecurity risks, adding devices to Qualys Patch Management directly from CMDB as long as they have the Qualys agent installed.
It's a best practice to implement Qualys Patch Management alongside vulnerability management as part of the remediation process in Qualys. If clients lack a Qualys Patch Management subscription, the reports can still provide details on vulnerabilities and recommendations. However, we encourage them to add Qualys Patch Management subscription to ease the patching process for their devices.
Maintenance can be challenging, especially if there are bugs or errors in Qualys Patch Management. The difficulty mainly arises when deploying patches, which can significantly affect IT operations. However, Qualys offers support to assist with these issues.
I have resigned from my previous company, but I have the knowledge, skills, and fundamentals in using Qualys. I would rate this product overall as an 8.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Nov 19, 2025
Cyber Security Threat Analyst at Nexio South Africa
Automation has strengthened patch compliance and security teams manage risks with clear reporting
Pros and Cons
- "I rate Qualys Patch Management as a product and solution a nine point five."
- "To be improved or enhanced in Qualys Patch Management, some patches are not automatically updated."
What is our primary use case?
We use Qualys Patch Management for monitoring servers and assets whereby we apply vulnerability management and patch management within the company so that we are always in scope when it comes to audits or even securing our systems. With patch management, we deploy automated patches using Qualys Patch Management so that the users do not have to restart their workstations because we also support the Cloud Agent which we have deployed on workstations. This pushes automated patches within our workstations so that they stay up to date. We are avoiding breaches because when there is a vulnerability that is still open, it has to be remediated. If it is not remediated, we put our systems at risk for them being hacked or attackers may gain access to our systems.
The reason why I appreciate Qualys Patch Management is that it makes our job easier. In the olden days, you had to remediate vulnerabilities manually through the IT department, but it was difficult because certain vulnerabilities would not appear on the actual server. With Qualys Patch Management it gives us a clear view on which hole to close and what to look out for. This makes things easier for people who are not technically proficient.
We assess the risk in a way whereby patch management will push automated patches, but only patches that are updates. We provide a report to our clients, which is IT or other clients, regarding which servers have missing patches and which servers have been deployed with patches so that it makes things easier for them to go and patch those servers and restart the servers. On the same day, it will run a scan at a scheduled time. For example, a scan might run around five PM and then an automated report will come up the next morning. If they have remediated the patches, the count goes down and it works in terms of compliance on our side. This makes things easier for both IT and the security side to maintain that balance.
We use Patch Management with Qualys Patch Management VMDR. Qualys Patch Management is the actual tool we are using. It has different modules such as Cloud Agent, a module for VMDR, Vulnerability Management, Detection, and Response. Patches and VMDR go together. You might get a report for vulnerabilities which are patch-related. If they apply patches on their systems, it will remediate the vulnerabilities, but there are certain vulnerabilities that you have to manually remediate because with each vulnerability, it will show you the vulnerability name, the QID, and the CVE number. It has a section for solution on what to do to remediate the vulnerability. Sometimes, based on manual work, you might need to update that specific software, or you might just need to delete it, or you might just need to go to your registry on your server and apply changes based on the solution of that specific vulnerability.
As a security team, we are monitoring Qualys Patch Management platform. We are the forefront for Qualys and then our client will be the IT support department. With Qualys Patch Management, we are making things easier for the IT team to run automated patches through configurations and through agents that have been deployed on servers and workstations. However, sometimes it needs manual intervention from their side in order to remediate vulnerabilities which do not contain updates. Based on TruRisk, it does work a lot because it will be a hassle when you have to go through vulnerabilities each day and try to remediate vulnerabilities. There are certain vulnerabilities that you cannot remediate. That is when we apply something that we call a dispensation form. The dispensation form works accordingly with IT and security standards based on a vulnerability that cannot be remediated. It is taking a risk of allowing that vulnerability to exist. In case anything happens, you are taking the blame. That is the purpose of the dispensation form.
Qualys Patch Management does give us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.
We work together because in today's industry, security and IT have to work alongside each other because they are the owners of the systems. We provide the service to them using tools that will minimize damage and minimize exposure to threats or cyber attacks. We work alongside and it needs to be that way so that we have collaboration because they know their tools, they know what systems they are using. It is their own system. IT is in charge of the systems whereby all employees are using servers. For example, if we have Active Directory, they need to configure that specific server to host an Active Directory, and then everybody has their passwords and usernames. As security, we need to monitor that all users are compliant and there is no malicious activity happening in the background. We inform IT so that they can also be aware and informed with what is happening with their systems. That is why we work alongside together.
What is most valuable?
The main benefits that we have seen from using Qualys Patch Management come from the SCA module, which is the Security Compliance Assessment. Most companies will always have an audit on a yearly basis, depending on which timeframe, perhaps term one or term four, but they will always have audits. It helps us with the audit so that we are compliant within the industry. By doing so, it gives us more customers and more clientele. We can continue selling the tool to other clients based on what we have worked with.
Qualys Patch Management does help to reduce our organization's risk. We know that all the servers are up to date because we always contain the critical servers such as P1, P2, and P3. It has reduced our risk and made our company life easier with that. We have to provide daily reports using the Patch Management module.
Using Qualys Patch Management, we have seen an improvement in our patch rates. As we provide reports on a daily basis, it does state the raw data from the CSV file and the number of installed patches within a specific server and the number of missing patches. It made a lot of difference because if I have installed two hundred patches and then there are only six missing, the IT department would know and have a clue on which patches to work with on that specific day after providing the report.
What needs improvement?
To be improved or enhanced in Qualys Patch Management, some patches are not automatically updated. I think I would improve automation whereby it can address something that we might have an issue with regarding reporting. With Patch Management, you have to manually deploy a report and you have to get it manually and it takes more time and space for a user or an employee to click around in it. It would be great to find a tool whereby we can make the patches automated so that it takes raw data on the platform and then it creates a report and sends it to IT directly without us intervening from a human perspective.
I have not seen any missing features yet because the system is quite new. Because it always enhances and always changes, we have to just keep updated with the new versions of Qualys Patch Management and we have to see what are the updates based on that Qualys Patch Management tool. They do send us the new updates and they do send us a message if there is something new that has been added. As a team, we look at it and then we see how we can benefit our company and then we deploy it.
For how long have I used the solution?
I have been working with Qualys Patch Management for about three years and a couple of months now.
What do I think about the stability of the solution?
We have not had any crashes, downtime, or stability issues with Qualys Patch Management.
What do I think about the scalability of the solution?
Qualys Patch Management is scalable.
How are customer service and support?
We do log calls to the customer service and technical support teams. Sometimes the platform might give us certain issues whereby, for example, we are trying to pull a report and then it has no data, or a report we pull and then it says it could not fetch more data from the platform. We do log a call and then they tell us that we just have to restart a certain module or restart something so we clear up the old cache data so that we have space. Usually our problem was with Qualys Patch Management reporting, but now it has been fixed. Or accessing the platform, you might get tokens from their side. We get to find out that Qualys Patch Management might be down on that specific day. That is quite a challenge because we cannot run any patches or pull through reports on a certain time. Based on what we would tell them when logging a call to Qualys, they will try to improve their platform so that it becomes more efficient for us.
I rate them an eight because it has to go through a system. When you log a call, then they have to assign it to their engineer, then that is when the engineer will come back to us. Based on how quickly they resolve an issue, I rate them a ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
There was no tool that we were using before Qualys Patch Management.
How was the initial setup?
The setup by Qualys, as with any engineer, is manageable as long as you can write a certificate and know the background of how to set it up. It needs the collaboration of maybe a client's systems so that they can gain access to their firewalls and gain access to their certain IPs so that we can ingest Qualys Patch Management to monitor their company systems. That is what we basically need from Qualys.
Measurable benefits for us should exist, but there are people who are assessing those types of benefits. I am the technical person based on Qualys Patch Management. There are other solution architects and people who sold Qualys Patch Management to the clients. They are the ones who have that certain data and know how it benefited us as a company, how much we saved, and how much they upgraded the company. I am just on the technical side of Qualys Patch Management.
As long as we have someone, for example, deploying it for your company, we need to have someone who is technically proficient with the IT system. We need to know which IP we can use, and then you have to open firewall ports for us to gain access and traffic. The tool will ingest to your company and then it will work. It just needs hands-on work. Probably around one hour with a technical person or technical IT person from a different company, and then including us. Also, you need approval of signatures because gaining access to different companies might be a risk. We have to have access signatures and approvals first before we can deploy.
We download a script from us based on what you are using, which is the main server on your company. For example, if your main server is Windows, we download the script for Windows. We send it to you, you run the script on your server and then it will pop up with a Qualys Patch Management page whereby it has configurations. You include IPs, ports, and the systems it has to communicate with such as public IPs and internal IPs. Qualys Patch Management has its own module that is used for deployment.
What about the implementation team?
We purchased licenses through Qualys directly. We need to get in touch with the Qualys salesperson from their side so that they can provide us with an amount of how much that costs and how much it is to manage it. Then as your company, we provide managed services towards them. We buy licenses to deploy it on our side, and then if there is a new client coming in, they buy licenses through us. We then provide managed services to them.
We are the MSP of Qualys.
What's my experience with pricing, setup cost, and licensing?
We are working with the cloud-based Qualys Patch Management product.
Which other solutions did I evaluate?
We have seen other platforms such as Qispery and other platforms, but we chose Qualys Patch Management based on it being easy and user-friendly. We chose Qualys Patch Management based on that. We have assessed other tools that we can use, but other tools are quite difficult to maintain. With Qualys Patch Management, it had a high number of ratings within the environment of management and the patch environment.
What other advice do I have?
Having this integration and Qualys Patch Management does help us close the tickets faster.
It helps us because, for example, any person can try to access a server or try to access it via brute force. Because that server is managed by Qualys Patch Management and we have an agent deployed, Qualys Patch Management will pick up that server, it will send ingestion to Sentinel, and then it will trigger an incident stating a brute force attempt based on attacking that specific server on Qualys Patch Management. It does work pretty well because as security analysts, we need to make sure that incidents are contained and remediated to avoid breaches. With Qualys Patch Management, it is a form of automation tool that we use to make things easier for both security and IT, and it is managed by us in the security team.
The single source of truth that Qualys Patch Management provides has helped us to reduce costs even though the platform is quite expensive. It helped us to reduce costs because the most dangerous part is if there are any breaches, it costs the whole company and is a business risk. We would rather spend money on that tool even though it might have a little durability challenge, but we spend money on that tool so we keep the whole environment secured. If the business is compromised, everything will be compromised. We would rather invest in a tool that will cover the aspects of the whole company so that even the users and employees are free to work and are okay without looking over their shoulders with vulnerabilities on what to click and the type of website that they are trying to access because we are all working with different browsers and websites.
The advice I would give them is that even after they buy Qualys Patch Management, obviously for the first time, the Qualys technical team will help them navigate the platform. It is mostly important for them to skill up and get resources to write their exams within Qualys Patch Management, which are free as long as you are their partner. You just have to write the exams and get informed about the system. This helps them avoid logging a lot of calls to the technical side. If you are buying that platform and providing an MSP, it will be critical that you have resources within that platform. It will be much easier to maintain it without any challenges.
I rate Qualys Patch Management as a product and solution a nine point five.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
Last updated: Feb 12, 2026
Cybersecurity Consultant at Nnamdi Azikiwe University
Centralized patching has improved risk-based vulnerability remediation but still needs better reporting
Pros and Cons
- "This single source of truth has helped reduce costs for our organization by over seventy percent in return on investment."
- "I want them to work on improving third-party patching support and the performance in large environments, as patch deployment is slow in large environments."
What is our primary use case?
My main use case for Qualys Patch Management is to identify vulnerabilities and suggest patches, and I also make use of support automation for policy configuration.
A specific example of how I use Qualys Patch Management in my day-to-day work is that it helps me find critical vulnerabilities in our system and enhance and reduce exposure to unknown exploits, providing us a compliance-driven environment.
I use Qualys Patch Management in finding critical vulnerabilities.
What is most valuable?
I have been using Qualys Patch Management for over three years now.
The best features that Qualys Patch Management offers include a centralized critical vulnerability and patching dashboard where I can see all the systems that can be fixed, managed, and patched. The centralized dashboard helps me in my daily operations, and I find the cloud-based management feature especially useful as it provides a centralized dashboard that helps manage patches.
I value Qualys Patch Management's automated patch deployment and the ability to reschedule patch deployment easily. Qualys Patch Management has positively impacted our organization by making patch deployment more flexible.
Qualys Patch Management has given us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated, which helps us prioritize patching based on risk and enables our security and IT teams to work seamlessly with automatic identification of vulnerabilities and suggested patches.
What needs improvement?
I want Qualys Patch Management to improve in the area of patch deployment, making it more flexible with limited control that is needed, and also enhance reporting and visibility.
I want them to work on improving third-party patching support and the performance in large environments, as patch deployment is slow in large environments.
I want them to also work on their error feedback and troubleshooting because patch failure sometimes lacks detailed explanations, and I want them to help administrators resolve issues faster.
I want them to improve in the area of reporting and third-party application coverage.
For how long have I used the solution?
I have been using the solution for over two years now.
What do I think about the stability of the solution?
Qualys Patch Management is stable and flexible with its dashboard environment in our distributed environment.
What do I think about the scalability of the solution?
The scalability of Qualys Patch Management is acceptable because it helps me manage patches from a centralized dashboard and works in our distributed environments.
How are customer service and support?
I have great customer support that assists me in the automation of policies, patch deployment, and reducing manual intervention for routine patching.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have not tried any other solution aside from Qualys Patch Management.
What was our ROI?
Using patch management, I have seen an improvement in patch rates, with a significant improvement in patch rate in the last forty-eight hours.
This single source of truth has helped reduce costs for our organization by over seventy percent in return on investment.
I have seen a return on investment, saving significant money for employees, with metrics showing over eighty percent, and we have also saved time for employees and clients.
What's my experience with pricing, setup cost, and licensing?
I have a great experience with the pricing setup of Qualys Patch Management because it provides us a detailed breakdown on how to provide solutions to our clients.
Which other solutions did I evaluate?
I have not evaluated other options yet because I find Qualys Patch Management very flexible.
What other advice do I have?
My advice to others looking into using Qualys Patch Management is to recognize it as a great platform and tool that integrates with vulnerability management and patch management, helping prioritize patching based on risk and automatic identification of vulnerabilities with suggested patches. I would rate this product a seven overall.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Mar 18, 2026
Senior Vulnerability Management Specialist | CTEM | Cyber Risk Strategist (FAIR™) at Overtech Security
Unified risk-based patching has reduced vulnerabilities and automates thousands of server updates
Pros and Cons
- "I've saved hundreds of hours of manual work for the IT operation teams by automating the deployment of critical patches, and I've reduced our real business exposure to ransomware and exploits."
- "Qualys Patch Management can be improved by enhancing the reporting capabilities and dashboards since it is difficult to extract customized executive reports for the board."
What is our primary use case?
My main use case for Qualys Patch Management is to automate and deploy patches across our enterprise infrastructure, specifically for Windows and Linux servers. I use it to bridge the gap between finding a vulnerability and actually fixing it, creating a unified workflow for the IT and security teams.
This unified workflow helps my IT and security teams work together effectively by ensuring our asset tagging is perfectly organized before using Qualys Patch Management. If your tags are wrong, you might deploy patches to the wrong servers and cause operational impact. I rate the solution an eight out of ten.
What is most valuable?
The best features Qualys Patch Management offers include excellent scalability, with the Qualys Cloud Agent handling the workload perfectly, even when deploying patches to thousands of assets simultaneously across different locations.
When considering scalability and agent handling, the stability is very good, making my day-to-day work easier and more efficient. Since it is a SaaS platform, we rarely experience downtime that affects our patching window.
Qualys Patch Management has positively impacted my organization by providing the most valuable feature of native integration with Qualys VMDR, allowing my team to identify a critical CVE and deploy the required patch from the exact same dashboard. This eliminates the need to export CSV files to the IT teams and drastically reduces our mean time to remediate.
Qualys Patch Management provides us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated, which has affected how my security and IT teams work together by using VMDR TruRisk Score with aligning devices, asset devices exposed to the internet, internet-facing devices, and exploiting zero-days.
This single source of truth has helped reduce costs for my organization, as we are categorizing patch management with TruRisk Score, utilizing various metrics and the patch catalog, and addressing exposed assets, public exploits, easy exploits, and the criticality score alongside the CVSS score and others.
What needs improvement?
Qualys Patch Management can be improved by enhancing the reporting capabilities and dashboards since it is difficult to extract customized executive reports for the board. Also, the feedback loop can be slow; sometimes it takes too long for the platform to confirm that an asset was successfully patched and is no longer vulnerable.
For how long have I used the solution?
I have been using Qualys Patch Management for seven years.
What do I think about the stability of the solution?
Qualys Patch Management is highly stable, with very good stability and rare downtime affecting our patching windows.
What do I think about the scalability of the solution?
The scalability of Qualys Patch Management is excellent, with the Qualys Cloud Agent handling the workload perfectly, even when deploying patches to thousands of assets simultaneously across different locations.
How are customer service and support?
The customer support for Qualys Patch Management is responsive, with the technical account managers usually helping us quickly when we raise issues with specific patch deployments.
Which solution did I use previously and why did I switch?
Previously, I relied on traditional tools such as Microsoft SCCM or WSUS. I switched to Qualys Patch Management because traditional tools were siloed and did not understand risk or CVSS. Qualys Patch Management allows me to patch based on actual vulnerability risks, not just IT schedules.
What was our ROI?
I have seen a return on investment, which is highly positive. I've saved hundreds of hours of manual work for the IT operation teams by automating the deployment of critical patches, and I've reduced our real business exposure to ransomware and exploits.
Which other solutions did I evaluate?
I evaluated other options before choosing Qualys Patch Management, specifically Microsoft SCCM and WSUS.
What other advice do I have?
My advice for others looking into using Qualys Patch Management is to ensure your asset tagging is perfectly organized before using Qualys Patch Management. If your tags are wrong, you might deploy patches to the wrong servers and cause operational impact. I am rating the solution an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 14, 2026
Information Security - Manager at Infosys
Provides a centralized platform for managing assets and vulnerabilities, enabling assessment, prioritization, and remediation
Pros and Cons
- "Qualys Patch Management offers numerous valuable features, including automatic patching for Google browsers, which allows for scheduled updates immediately upon vendor release."
- "Qualys Patch Management has saved significant resources."
- "Reporting needs enhancement, particularly with group-based compliance percentages and clearer, VMDR-like reporting in the Patch Management module."
- "The user interface could be more functional, with dashboards for patch compliance visualization and simplified error code language."
What is our primary use case?
The primary use case for Qualys Patch Management is to provide a proactive, automated, and data-driven approach for discovering vulnerabilities, prioritizing patching, and ensuring that patches are applied correctly to minimize security risk.
We switched to Qualys Patch Management because it simplifies patch deployment by requiring only an internet connection. Previously, we used an on-premises server with HSCM, which proved challenging for managing remote endpoints. To address this, we deployed cloud agents on all endpoints and servers, allowing Qualys to push patches remotely without needing VPN connectivity.
How has it helped my organization?
We have prioritized products for automated patching. This means that whenever a vendor releases a patch, it is seamlessly and robustly applied.
Qualys VMDR detects vulnerabilities and correlates them with relevant patches in the Qualys Patch Management module. Although separate databases, they work together to provide a comprehensive solution for identifying and remediating vulnerabilities. When VMDR detects a vulnerability, it identifies corresponding patches released in the Patch Management module, streamlining the patching process.
Before the pandemic in 2020, we relied on remote scanning, which limited our ability to deploy and manage patches effectively. Our on-premises SCCM server struggled to push patches to remote users relying on VPN. To address this, we deployed the Qualys Cloud Agent on all 360,000 assets in our infrastructure. This provided comprehensive vulnerability detection, unlike the limited results from remote scans. However, the sheer volume of vulnerabilities overwhelmed our SCCM server. Consequently, we collaborated with Qualys to develop a backend solution integrated with the Cloud Agent for seamless patch management. After successful testing and implementation, Qualys Patch Management now efficiently handles patching for Windows, Linux, and macOS devices.
Qualys Patch Management provides a centralized platform for managing assets and vulnerabilities, enabling assessment, prioritization, and remediation. We rely on Qualys for both vulnerability detection and patch deployment.
We initially faced challenges as the IT team was hesitant about Qualys Patch Management, and the deployment of cloud agents revealed millions of vulnerabilities. However, Qualys Patch Management significantly reduced these vulnerabilities, particularly on our Windows machines, which comprise 70 percent of our systems. The team observed a 70 percent remediation rate through scheduled patching, establishing Qualys as a reliable source of truth. Consequently, they shifted from relying on SCCM or Intune to Qualys Patch Management for scheduling patching jobs to meet our five-day SLA. With Qualys publishing QIDs the day after vendor patch releases, automated jobs promptly deploy patches to all machines upon vulnerability detection.
Qualys Patch Management helps lower operational costs and enhances our security posture by reducing vulnerabilities and streamlining compliance efforts.
I have observed an improvement in our patch rate using Qualys Patch Management. Qualys now facilitates over 80 percent compliance within five days, a task that previously required the IT team 12 days to accomplish.
By integrating Patch Management with VMDR, we gain immediate vulnerability detections and leverage TruRisk values to derive our own severity rankings for prioritization. These prioritized vulnerabilities are then addressed using the Qualys Patch Management Module, streamlining our remediation process.
Qualys Patch Management has helped reduce our organizational risk by providing current vulnerability data, including exploitability and active threat information. The platform's live threat feed and risk score enhance the standard CVSS rating by considering factors like active malware association and exploit availability, allowing us to prioritize patching efforts effectively.
What is most valuable?
Qualys Patch Management offers numerous valuable features, including automatic patching for Google browsers, which allows for scheduled updates immediately upon vendor release. The real-time vulnerability assessment enables prioritized patching and continuous updates on new vulnerabilities. Supporting Windows, Linux, and macOS patches in a single solution, Qualys provides flexibility and rollback capabilities, along with integration options for other security tools. Faster remediation is another benefit, with our organization achieving 84 percent patch compliance within five update cycles across 360,000 machines.
What needs improvement?
The Qualys Patch Management system requires several improvements. Firstly, the inability to download asset patches and the lack of third-party application integration limit patch accessibility. Additionally, rollback options are unreliable, and pre-deployment patch testing is crucial. Reporting needs enhancement, particularly with group-based compliance percentages and clearer, VMDR-like reporting in the Patch Management module. Furthermore, detection speed should be improved, as patches are released 24 hours after QIDs are published. The user interface could be more functional, with dashboards for patch compliance visualization and simplified error code language. Finally, the Mac patch catalogue needs expansion, and automated workflows, policy enforcement, and testing procedures should be streamlined for seamless, user-independent operation.
For how long have I used the solution?
I have been using Qualys Patch Management for four years.
What do I think about the stability of the solution?
I would rate the stability of Qualys Patch Management as nine out of ten because sometimes issues arise due to our network.
What do I think about the scalability of the solution?
I would rate the scalability of Qualys Patch Management ten out of ten.
How are customer service and support?
The technical support is excellent.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We used SCCM, an on-premises server requiring VPN connectivity, but its remote management challenges during the pandemic led us to adopt Qualys. Qualys facilitated issue detection and patching with only an internet connection.
How was the initial setup?
The initial deployment of Qualys Patch Management was straightforward, requiring only the download of the agent onto all 360,000 machines, a process that took some time, given the number of assets.
What was our ROI?
Qualys Patch Management has saved significant resources. It provides live data every four hours without manual intervention, saving time. We have a 50 percent return on investment due to reduced operational complexity and increased efficiency in patching and detection.
What's my experience with pricing, setup cost, and licensing?
Qualys Patch Management offers a moderate price point, neither cheap nor expensive, considering its comprehensive functionality. The cost is reasonable in relation to the value and benefits it provides.
What other advice do I have?
I would rate Qualys Patch Management ten out of ten.
Qualys Patch Management is deployed on 360,000 assets across multiple locations and departments, supporting over 300,000 users.
The maintenance is managed by Qualys.
I recommend using Qualys Patch Management for better detection and patch compliance. I have seen improved patch compliance compared to other solutions like SCCM and Intune. For Linux, authentication is available as well, and patch compliance is better. I strongly recommend Qualys.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free Qualys Patch Management Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2026