Qualys Patch Management Reviews

I use Qualys Patch Management as a single platform for patch management. We have Microsoft, Adobe, and various other apps. I create a scheduled task to push all the required patches to the laptops so that they have the latest version of these apps.

We also do compliance checks to ensure that, for example, we have the golden image on our servers and laptops. We use it for scanning to ensure that configurations are correct and based on the CIS guidelines.

All our servers and laptops have the Qualys agent, and we can then push the patches to those devices.

Patch Management offers a patch-based approach to vulnerabilities. It helps us prioritize and schedule critical or high-severity patches to address issues.

Patch Management gives us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

I use Patch Management with Qualys VMDR. After the patches are deployed, I check Qualys VMDR to verify if the issues have been addressed.

The Risk Reduction Recommendation Report is fine. It has some general information. It can give insights to people who are not familiar with the findings. I can generate a report and share it with different IT groups to help them understand the issue and the suggested solution. It can help address 70% to 80% of the issues. The rest of them might require further discussion to come up with a solution.

Patch management significantly helped us track and reduce vulnerabilities. For example, before adopting Qualys Patch Management, we found 10,000 or more vulnerabilities. We have now addressed those, limiting existing vulnerabilities to around hundreds. There is a great improvement.

Patch Management supports various software lists when compared to Microsoft Intune. It is especially beneficial for non-Microsoft applications. I can create a schedule, and various patches can be automatically deployed. There is no need to create a PowerShell script. It helps reduce the manual workload for patch deployment. 

I deploy patches to endpoints and servers every month. However, despite a job showing as successful, I need to examine the job in detail. For instance, if I have deployed patches to 100 endpoints, even though the job status says that it is successful, I still have to go deep into endpoints one by one to identify if there are some failures. It would be better if Qualys Patch Management identifies whether the process has failed at the first instance and provides a retry button or retry mechanism, allowing retries for failed patches. This feature would reduce my manual workload. 

For reporting issues, we can check if the findings are addressed in the VMDR, but to verify if the latest patches have been applied on the endpoints or servers, we have to examine scheduled jobs one by one. 

It would help if error messages were clearer about causes, like endpoints being offline. This improvement would streamline troubleshooting, helping users ensure their PCs are on when deploying patches. Fail status alerts providing specific fail details would facilitate easier checks.

I have been using Qualys Patch Management for at least two years.

It is highly stable. I would rate it an eight out of ten for stability.

We are utilizing it fully. It serves our needs.

We get the first response to a question within two days, but when we have follow-up questions, they take longer, and the case may get dragged a little bit. It is not fit for us sometimes.

Neutral

Intune is a comparison point, but previously, we had Ivanti Patch Management. Qualys Patch Management is much better, considering the number of issues we could address with it.

The initial setup was quite a normal process. We needed to install the appliance and establish firewall rules to allow traffic with different software. For the endpoint part, Qualys agents were installed on the machines. We had no serious challenges deploying to most endpoints or configuring the firewall.

I am currently conducting a patch management review and evaluating new features or products, and Qualys Patch Management still meets our requirements.

I would rate Qualys Patch Management an eight out of ten. 

I am a cybersecurity engineer focused on vulnerability assessment and penetration testing. We use Qualys Patch Management to scan our client infrastructure and external-facing applications. We collect asset details from clients and perform activities using Qualys VMDR to prepare and submit reports. If vulnerabilities are detected, we conduct patch management.

We implemented Qualys Patch Management to simplify patching processes and maintain a comprehensive record of all assets, both those already patched and those requiring patching.

Qualys Patch Management's risk-based approach to automation is effective in addressing vulnerabilities. By configuring policies, patches are applied automatically, eliminating concerns about oversight and ensuring comprehensive mitigation.

The integration of Patch Management and VMDR is critical for medium and large organizations because it automatically includes relevant patches and configuration changes to remediate detected vulnerabilities. This allows organizations to gain clear visibility into device vulnerabilities and take immediate action to mitigate risks.

Qualys Patch Management keeps our clients informed of all security aspects. It keeps the quality up to date, with vulnerability databases and new CVEs based on the CVSS score. Clients are pleased with the insights on their security posture and any security gaps.

We use TruRisk automation and the Qualys knowledge base, with its batch management and information-sharing features, to remediate vulnerabilities without involving the security team.

Qualys Patch Management provides a centralized platform to identify, prioritize, and address vulnerabilities across all assets. This allows us to tailor vulnerability assessments and patching strategies for clients with critical assets, such as servers hosting public-facing web applications, by leveraging asset criticality tags to create dedicated sections within the platform.

Qualys Patch Management has helped improve our patch rate by 35 percent.

Qualys Patch Management helps reduce our client's organizational risk by 50 percent.

Qualys Patch Management allows us to structure all the patches together and schedule patch management sessions. If we do not need a particular patch, it can push it automatically. It provides insight into the organization's security posture and keeps databases updated with new CVEs.

The pricing of the solution is slightly high compared to other tools in our field. It’s manageable for clients, but as a service provider, it can be challenging due to the lower cost of vulnerability assessments and penetration testing.

I have been using Qualys Patch Management for the past two years.

Qualys Patch Management is a stable solution. I would rate its stability as a ten out of ten.

Scalability could be improved, as not everyone can afford it, and some may not fully understand how to use Qualys.

During the license purchase process, there was some delay in technical communication from Qualys. 

Positive

The deployment involved a team of six people and took about half a year.

Qualys Patch Management has saved time and resources by reducing the need for human resources. Clients are satisfied with the insights and reduced vulnerabilities over time.

While the cost of Qualys Patch Management is slightly high compared to alternative tools, it is not excessively expensive. I would rate the pricing as a seven or eight out of ten for expense.

I would rate Qualys Patch Management ten out of ten.

Our clients who use Qualys Patch Management are medium to enterprise-level businesses.

Qualys handles the maintenance for Patch Management.

I recommend Qualys Patch Management to others due to its ability to enhance organizational and client security posture while reducing time and costs associated with vulnerability assessment and auditing.

Public Cloud

Other

I have used this management system to remediate vulnerabilities.

There are a few vulnerabilities we can remediate very quickly. It reduces the time delay. If there are configuration-level changes, we can create and push scripts. 

It helps us increase visibility for faster remediation. 

Syncing between the MBR and patches is the feature. Another valuable feature is pushing configuration-level changes for a script, which leads to a single solution for all the changes. 

From a risk perspective, prioritization helps us more by allowing us to see the visibility of assets with more critical vulnerabilities. We can then push the patches immediately to remediate or reduce risk as soon as possible. That is the major advantage I have.

The integrations with VMware include configurations to mitigate vulnerabilities. It helps us identify permissions and whatever is applicable for the vulnerability for faster patching. 

It helps us remediate vulnerabilities without involving our security team. This helps further relieve time delays. We've saved around 50% of time with patching with Qualys.

The solution provides a single source of truth. We have everything all in one place, saving 40% of our time when compared to the older approach. We don't have to look at different platforms or move back and forth between tools between patching and validation. 

It has effective risk reduction recommendation reports. It streamlines remediation and gives us more data on the vulnerabilities. It helps us to identify the risk factors and levels of risk for increased prioritization.

Our patch rates have increased significantly. 

We've been able to reduce organizational risk by 50%.

The patch status and patch completion information should be improved. If a patch fails due to some reason, such as a Windows error, the error code that gets published should be more detailed. This would make it easier for us to identify where the issue lies, whether at the network level, machine level, or elsewhere. 

I have been using the solution for the past three years.

The stability is rated ten out of ten.

The scalability is rated ten out of ten.

I would rate technical support as nine out of ten.

Positive

I used different solutions like KACE, among others. We switched so we could use a single tool to make the process as simple as possible.

We use a hybrid cloud approach.

The setup was just about enabling a module for it. Since the system is already deployed, we only had to enable the module.

We use it across multiple locations.

There is no maintenance required once deployed.

As I said previously, it has reduced the risk by fifty percent compared to the previous solution. Everything is in SaaS.

As a single tool, it is a better choice. I would recommend the solution to other users. 

I would rate the overall solution as nine out of ten.

Hybrid Cloud

We do it for our OS patching across multiple clouds. If we don't put GE Vernova on there, then I can say we use it for AWS and Azure, plus on-prem. It's used across OS platforms too, so Windows and Linux-based. Our OS team uses it monthly to patch, and then we also supplement third-party software, such as Chrome, Edge, Notepad++, Wireshark, and all that software that people will install and forget to uninstall and forget that they have to patch it. We do that almost weekly as well.

My favorite feature is reoccurring jobs. We had some requirements where we needed some options added to do reoccurring jobs, and they were able to add that in. Now we mostly use reoccurring jobs, and we don't have to touch them. The hardest part now is just getting change controls through our change management team instead of actually creating the jobs.

It has simplified so much from a cost overhead and perspective.

For Qualys Patch Management, I actually talked with their product manager last week during their conference. Unified QQL needs improvement because while they have QQL in Qualys Patch Management, it doesn't pull in the same tokens as VMDR or CCM, so I can't search by similar things. Also, grouping or foldering for Qualys Patch Management jobs would be beneficial because if different groups own different jobs, it all gets dumped into what is essentially a flat file. You're just scrolling through it. You can search, but if we were able to do foldering, that would be great. The third piece would be having an approved catalog. For example, instead of my IT teams doing the patching, I wanted to enable our internal customers, our app teams, to run the jobs themselves but only on patches that we say are good - a curated catalog that the company patch admin approved.

Their frontline support could be improved. I'm really close with Qualys and spoke at the conference last week. They already know all this. They know that their support could be better. They just need to get more knowledgeable and not necessarily seem to have to pass the buck to engineering or VulnSig or the product teams.

We've been using it since April of last year, so April of '24, which is approximately 18 months.

There are times where Qualys sometimes delays or doesn't have the catalog updated. For example, Red Hat comes out with an update and a week later, it wasn't in the Qualys catalog, which causes us to scramble.

On our pod, we don't experience issues. One of my colleagues on a different pod has issues there. I'm on their biggest pod that brings in the most revenue, so they're very cautious with what they do on that.

Their frontline support could be improved. I'm really close with Qualys and spoke at the conference last week. They already know all this. They know that their support could be better. They just need to get more knowledgeable and not necessarily seem to have to pass the buck to engineering or VulnSig or the product teams.

Neutral

We used WSUS and custom scripts for Linux before. On-prem, we used SSM for AWS and Patch Management for Azure. It was complicated because there were so many different moving parts. That's where Qualys Patch Management comes in and is able to work across all platforms. It's easy because you don't have to manage all kinds of different things for every cloud. Your agent's already on the box because we have a rule that every server has to have an agent on it.

The setup was actually easy. We already had VMDR deployed and agents everywhere, so it was a couple clicks to enable it.

The implementation took approximately a month, though some of that was due to our delay. We had one to two people involved, and part of the timeline was due to our internal processes, not Qualys Patch Management.

You can always drive pricing down, but I think it's reasonable. For what we get out of it, I think it's a reasonable investment.

I think that's where we have to go as an industry because you can't address everything all the time. Adding the risk on top, if it's an external asset compared to something internal inside your vault, the risk is much greater for exfiltration of data. The risk-based approach absolutely is the right way to go about it.

I rate Qualys Patch Management a nine out of ten.

Hybrid Cloud

Other

We are in the education industry, and we perform weekly scans. On weekends, we scan our entire management, servers, and expectations. Then on Monday, I set up some weekly reports. From these, I'll have my vulnerabilities and Patch management reports showing which third-party applications I installed on users' workstations. I tested these on a Monday or Tuesday with Patch Management. If all goes well, by Wednesday or Thursday, I'm patching the rest of the environment. In terms of workstations, I scan and patch them weekly, but for servers, I wait for the Microsoft patching cycle. Only then do we patch the servers, allowing for a restart for each update. After the Microsoft updates, we can restart our servers.

The auto patch is useful. On zero-day vulnerabilities or patches, we can automatically apply those without user interference. We can drastically decrease vulnerabilities, especially third-party ones, such as a Java update that usually takes time to test on different machines. With Patch Management, machines can be grouped into test workstations, and a fix can be deployed and monitored for a day or two. If nothing goes wrong, it is deployed to all users. In Koketso Towers, you will notice about one thousand or five thousand mortgages decrease. This has helped us keep up with vulnerabilities, especially on workstations. Test management is a module added to the vulnerability management scanner, which also has the auto-fix feature. We don't usually use this on servers but on workstations. For instance, if there's a vulnerability that is not a zero-day, but something else, we can test and deploy it almost immediately from the workstation.

I do not have any major problems. I think it's working great. My recommendation would be not just for Patch Management but for Qualys itself. I am using Qualys through a third party or reseller. The issue is that when buying Qualys licenses, from my side, I'm buying for about seven thousand five hundred users or machines. I also need to buy licenses for another seven thousand five hundred for patch management. We dislike having to pay extra. We don't mind paying for additional modules like Certificate View. The test management part requires buying licenses. We are trying to negotiate with our reseller. If they can't provide us, we'll go straight to Qualys and see if they can assist.

I have been using Patch Management for about six months now.

The solution is very stable. I have encountered no problems so far.

We don't interact much since our service is managed. We only contact Qualys if there are serious issues. Last year, we communicated with Qualys two times when our service provider couldn't assist us in resolving one vulnerability.

Positive

We started before moving to VMDR. We used a previous version called Qualys VM, and now it's Qualys VMDR. With Qualys VM, we had access to the console.

The setup was straightforward. We began by installing the scanner, scanning the entire environment, and then categorizing items as servers, workstations, etc., applying tags accordingly. It took us about two weeks to have it fully operational with both daily and monthly reports set up. The deployment is easy through SCCM from Microsoft, as we deploy based on our AD groups.

I would give it a ten out of ten. It is an excellent module to have within the environment, as most environments have Windows Patch cycles, but not for third-party applications. Patch Management not only addresses third-party applications but can also patch vulnerabilities. It allows seamless deployment from the console if a patch for a vulnerability is available. I would rate the overall solution a 10 out of 10.

Hybrid Cloud

Other

We have been using Qualys Patch Management alongside vulnerability management. We utilize it to manage high and critical vulnerabilities by prioritizing patches based on asset value and vulnerability score. We rate our asset with an asset value. Along with that, once we have a vulnerability score, we prioritize patches and servers that are high and critical. That is how we utilize both vulnerability management and patch management.

The risk-based approach provides a better way of patching. It helps identify criticalities based on asset value, enhancing decision-making.

Qualys Patch Management has helped us reduce the overall risk in our environment by integrating with vulnerability management and VMDR, allowing us to address risks based on asset value and risk levels. It is important for us that it is integrated with VMDR so that we are aware of the vulnerabilities in our system and can apply patches as per the associated risk, asset value, and threat to the environment. It is very important to integrate these tools. It helps reduce vulnerabilities through diligent patch application and improves overall efficiency.

TruRisk score is helpful for us, but we still have to ensure the security team is involved in the governance process to ensure that we are taking care of the entire environment. We include the security team on the governance side but the implementation and the activity can be done without them.

There has been an improvement in our patch rate. The efficiency in our environment increased by 30% over three years, compared to the tool we used previously. The duration of patching decreased in the environment.

The Risk Reduction Recommendation Report is good. It gives an overview of what can be remediated soon. It gives a good understanding of which patch can remediate the majority of the risks in the environment. It helps us see which vulnerabilities would reduce the most risk within our organization.

We have all the information on one page. The dashboard provides comprehensive information on one page, making it easy to apply patches and monitor pending updates. It helps a lot from the governance point of view to see what exactly is missing and what exactly has been applied.

They have already covered most of the things. I do not see a lot of opportunities for improvement. It is pretty good. However, it would be good to have more widgets and AI-generated reports. I have not seen anything related to AI with Qualys. It would be beneficial for Qualys to incorporate AI-generated tools for Patch Management and VMDR. This could assist in managing risks, providing AI-generated reports, and creating risk letters for clients, which can streamline communication.

I have been using Qualys Patch Management for more than three years.

We did not encounter any significant stability issues, except during a notified period when they were transitioning to another cloud vendor or fixing an issue.

Customer service is responsive and effective. They are pretty fast. They generally respond to inquiries and provide a resolution within a couple of hours. So far, I have not seen a case where the resolution was not provided within 48 hours.

Positive

We previously used BigFix. We switched to Qualys because BigFix moved from IBM to HCL, and we wanted a tool certified for PCI compliance. Qualys is PCI compliant.

We have a hybrid deployment model. It was an easy process because we knew what we needed to configure the firewall rules and ports. The documentation and other information was provided by the Qualys partner. It did not take us a long time to get it deployed and test it out. We did a PoC, and everything worked fine.

Overall, the setup process was straightforward, and with good documentation and support, we deployed it within our change management framework in about two weeks.

It does not require any maintenance, but we need to ensure that we get rid of the licenses when not required or request licenses when we have more devices planned to be onboarded. That is something we need to look into. When we do not have a device or we do not need a scanner in a particular location, we can get rid of it, so from a maintenance point of view, there is not much.

This deployment also involved integration with vulnerability management. We had a project manager coordinating efforts with the vendor, a documentation coordinator, and a team to handle change management and firewall configurations. Overall, we had three people. Effort-wise, it did not require a lot. They had to coordinate a couple of times for two to three hours.

Its price is competitive in the market. Compared to other solutions like Rapid7, Qualys offers a favorable price point and robust features.

Overall, I would rate Qualys Patch Management a nine out of ten.

We primarily use Patch Management in our organization for remediating vulnerabilities for which patches are supported by Qualys. 

There is a zero-touch mechanism in Qualys for patch management. For example, if we have a product for which frequent patches are released, we do not have to manually initiate a patch. It can be initiated automatically when a new patch is available.

The integration between Qualys VMDR and Patch Management allows us to monitor job statuses and ensures timely remediation. Previously, we had only the VMDR solution from Qualys. For remediation, we had to go to a different solution. There was a delay in the syncing process. With the integration of Qualys VMDR and Patch Management, we have more real-time and comprehensive data. We can see information about the status of the job and other things in a single console. We have a faster view of the remediation effort.

We also have the ability to view and select patches based on the assets. There might be hundreds of patches available in the knowledge base. It gives us patches available only for the selected assets. This saves time and reduces risk.

For vulnerability management, Qualys serves as a single source of truth, but for patch management, we have to use some more tools because Qualys does not support certain scenarios.

We have seen about 60% to 70% improvement in the patch rate so far. It has reduced the organization's risk. 

Patch Management offers pre-action and post-action features, which provide the ability to execute scripts during the installation or uninstallation of software. This helps me make changes from Qualys itself.

Not all patches are supported, so there are some restrictions. Some remediations require script-level changes which Qualys does not support. We have to manually create those scripts.

They should focus on increasing the list of supported patches. New software or data is continuously released, and it would be beneficial if patches were updated in the knowledge base more quickly. Sometimes, there are delays of three to four days, which should be addressed.

I have been using Qualys Patch Management for more than one and a half years.

I would rate the stability a nine out of ten. Occasionally, I need to change patches for certain software like Google Chrome, but overall, it is stable.

The scalability is good. It handles the requirements effectively.

We are using it at multiple locations. We have about 300k users.

I would rate their customer support a nine out of ten. Although there can be some delays, overall, the support is satisfactory.

Positive

We used a different patch management solution previously. We switched to Qualys because it integrates seamlessly with VMDR, which makes it easier to manage vulnerabilities and patching in a single console.

The initial setup was easy. We had already deployed the agent. It involved selecting the asset and enabling the module.

It does not require any maintenance from our side. It is a SaaS platform. Everything is handled by Qualys.

I would recommend Qualys Patch Management if you are integrating it with VMDR. If you are using a different solution for vulnerability management and considering Qualys solely for patch management, it might not be the best choice.

I would rate Qualys Patch Management a nine out of ten.

Public Cloud

Other

Patch Management checks for new patches that Qualys updates daily. For example, Microsoft and other vendors release security updates, which we add to the asset register to simultaneously deploy them. 

Whenever we updated assets in the past, we used to connect to the Internet to download each one, so every asset used to connect individually to download the patch, consuming a lot of bandwidth. Qualys Gateway Scanner works well for us. QGS has all the patches and deploys them to the systems that need them. For example, if we need to update Adobe Acrobat, we can set up an Acrobat group with all the laptops that have the software and push it out. It previously used a lot of bandwidth to download the packages. Now, instead of downloading it thousands of times, we only need to download 10 to 20 packages.

Qualys enables us to identify vulnerabilities and patch them as quickly as possible. We can fix vulnerabilities without involving the security team using TruRisk. We did a POC of TruRisk, but we do not have the whole package yet. It shows us which assets are critical, so we can prioritize them.  

The integration of Qualys Gateway Scanner is my favorite feature. The patches are downloaded to QGS in our environment and deployed, saving bandwidth. The patch logging and policies have been helpful. The dashboard shows you when the patch has been applied to your assets. 

The patch model is critical. The solution classifies the vulnerabilities based on their severity and assigns an asset risk score, so I can focus on the critical ones first. The greater the score, the more vulnerable and risky the assets are. I can prioritize the assets directly from the UI. It doesn't take any skill to evaluate the risk. 

The VMDR feature is critical because I can permanently see the associated patch in my patch management model when I find a vulnerability. From there, deploying the patch on my assets is a short step. I don't need to do manual work.

There is room for improvement in terms of adding more patches. Not all patches are available for deployment on Qualys Patch Management, so collaborating with various vendors to provide new patches would be beneficial.

We have used Qualys for four years. 

I rate Qualys' stability eight out of 10. 

I rate Qualys eight out of 10. They're great. Customer service is responsive to feature requests. They'll add something if it's valuable and many users ask for it. 

Positive

We have used BigFix before, which was just a patching tool. You can push all patches through the case, but it doesn't have the same features or UI Qualys has. 

Deploying Qualys was slightly challenging due to the internal IT processes rather than any shortcomings from Qualys. It took us about two months. We had a team from both the security and IT departments involved in the deployment. Two or three people were from security, while approximately six were from the IT team, including networking and server teams.

Qualys is fairly priced. 

If Qualys can provide all patches and the ability to deploy custom patches, it would make them unbeatable.

On-premises