Qualys Patch Management Reviews

We have been using Qualys Patch Management alongside vulnerability management. We utilize it to manage high and critical vulnerabilities by prioritizing patches based on asset value and vulnerability score. We rate our asset with an asset value. Along with that, once we have a vulnerability score, we prioritize patches and servers that are high and critical. That is how we utilize both vulnerability management and patch management.

The risk-based approach provides a better way of patching. It helps identify criticalities based on asset value, enhancing decision-making.

Qualys Patch Management has helped us reduce the overall risk in our environment by integrating with vulnerability management and VMDR, allowing us to address risks based on asset value and risk levels. It is important for us that it is integrated with VMDR so that we are aware of the vulnerabilities in our system and can apply patches as per the associated risk, asset value, and threat to the environment. It is very important to integrate these tools. It helps reduce vulnerabilities through diligent patch application and improves overall efficiency.

TruRisk score is helpful for us, but we still have to ensure the security team is involved in the governance process to ensure that we are taking care of the entire environment. We include the security team on the governance side but the implementation and the activity can be done without them.

There has been an improvement in our patch rate. The efficiency in our environment increased by 30% over three years, compared to the tool we used previously. The duration of patching decreased in the environment.

The Risk Reduction Recommendation Report is good. It gives an overview of what can be remediated soon. It gives a good understanding of which patch can remediate the majority of the risks in the environment. It helps us see which vulnerabilities would reduce the most risk within our organization.

We have all the information on one page. The dashboard provides comprehensive information on one page, making it easy to apply patches and monitor pending updates. It helps a lot from the governance point of view to see what exactly is missing and what exactly has been applied.

They have already covered most of the things. I do not see a lot of opportunities for improvement. It is pretty good. However, it would be good to have more widgets and AI-generated reports. I have not seen anything related to AI with Qualys. It would be beneficial for Qualys to incorporate AI-generated tools for Patch Management and VMDR. This could assist in managing risks, providing AI-generated reports, and creating risk letters for clients, which can streamline communication.

I have been using Qualys Patch Management for more than three years.

We did not encounter any significant stability issues, except during a notified period when they were transitioning to another cloud vendor or fixing an issue.

Customer service is responsive and effective. They are pretty fast. They generally respond to inquiries and provide a resolution within a couple of hours. So far, I have not seen a case where the resolution was not provided within 48 hours.

Positive

We previously used BigFix. We switched to Qualys because BigFix moved from IBM to HCL, and we wanted a tool certified for PCI compliance. Qualys is PCI compliant.

We have a hybrid deployment model. It was an easy process because we knew what we needed to configure the firewall rules and ports. The documentation and other information was provided by the Qualys partner. It did not take us a long time to get it deployed and test it out. We did a PoC, and everything worked fine.

Overall, the setup process was straightforward, and with good documentation and support, we deployed it within our change management framework in about two weeks.

It does not require any maintenance, but we need to ensure that we get rid of the licenses when not required or request licenses when we have more devices planned to be onboarded. That is something we need to look into. When we do not have a device or we do not need a scanner in a particular location, we can get rid of it, so from a maintenance point of view, there is not much.

This deployment also involved integration with vulnerability management. We had a project manager coordinating efforts with the vendor, a documentation coordinator, and a team to handle change management and firewall configurations. Overall, we had three people. Effort-wise, it did not require a lot. They had to coordinate a couple of times for two to three hours.

Its price is competitive in the market. Compared to other solutions like Rapid7, Qualys offers a favorable price point and robust features.

Overall, I would rate Qualys Patch Management a nine out of ten.

We primarily use Patch Management in our organization for remediating vulnerabilities for which patches are supported by Qualys. 

There is a zero-touch mechanism in Qualys for patch management. For example, if we have a product for which frequent patches are released, we do not have to manually initiate a patch. It can be initiated automatically when a new patch is available.

The integration between Qualys VMDR and Patch Management allows us to monitor job statuses and ensures timely remediation. Previously, we had only the VMDR solution from Qualys. For remediation, we had to go to a different solution. There was a delay in the syncing process. With the integration of Qualys VMDR and Patch Management, we have more real-time and comprehensive data. We can see information about the status of the job and other things in a single console. We have a faster view of the remediation effort.

We also have the ability to view and select patches based on the assets. There might be hundreds of patches available in the knowledge base. It gives us patches available only for the selected assets. This saves time and reduces risk.

For vulnerability management, Qualys serves as a single source of truth, but for patch management, we have to use some more tools because Qualys does not support certain scenarios.

We have seen about 60% to 70% improvement in the patch rate so far. It has reduced the organization's risk. 

Patch Management offers pre-action and post-action features, which provide the ability to execute scripts during the installation or uninstallation of software. This helps me make changes from Qualys itself.

Not all patches are supported, so there are some restrictions. Some remediations require script-level changes which Qualys does not support. We have to manually create those scripts.

They should focus on increasing the list of supported patches. New software or data is continuously released, and it would be beneficial if patches were updated in the knowledge base more quickly. Sometimes, there are delays of three to four days, which should be addressed.

I have been using Qualys Patch Management for more than one and a half years.

I would rate the stability a nine out of ten. Occasionally, I need to change patches for certain software like Google Chrome, but overall, it is stable.

The scalability is good. It handles the requirements effectively.

We are using it at multiple locations. We have about 300k users.

I would rate their customer support a nine out of ten. Although there can be some delays, overall, the support is satisfactory.

Positive

We used a different patch management solution previously. We switched to Qualys because it integrates seamlessly with VMDR, which makes it easier to manage vulnerabilities and patching in a single console.

The initial setup was easy. We had already deployed the agent. It involved selecting the asset and enabling the module.

It does not require any maintenance from our side. It is a SaaS platform. Everything is handled by Qualys.

I would recommend Qualys Patch Management if you are integrating it with VMDR. If you are using a different solution for vulnerability management and considering Qualys solely for patch management, it might not be the best choice.

I would rate Qualys Patch Management a nine out of ten.

Our primary use case is to try to reduce our time to remediate. One of our sister teams, the attack surface team, uses the scanning piece. Therefore, we thought it would be best to close the ecosystem and use the patching piece. The feedback from the PoC made it evident that making a shift was necessary.

By implementing Qualys Patch Management, we wanted to reduce the meantime to remediate and have the ability to weigh our threats so that we are not just patching everything; we are patching what is most critical to our environment.

The automation capability that it has to create jobs, set them, and forget them was very intriguing to our business.

The risk-based approach is beneficial because not everything that requires a patch poses a true risk. It makes much more sense because everything that requires a patch may not necessarily be an exposure or true risk. As a leader, it allows me to make sure that I am directing our efforts into something that means. We are not chasing things around because that does not produce a lot of value in the end. 

We were able to realize its benefits immediately. We configured it and used it in the test and a few production machines. It was easy to build jobs and associate the tags that were being used. With the full knowledge base that Qualys has, we did not have to decipher what scanning is saying versus what the actual resolution is. Having all that built into one solution is just great.

Qualys Patch Management gives us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated. That is why we purchased it.

The most valuable features are the ease of managing both first-party and third-party patching, the generation of dashboards, and the provision of real-time information. It provides real-time information, with the agent checking in every four hours, offering nearly up-to-date information at any time of the day. This is in contrast to our previous tool, where we did not have this capability.

There is room for improvement in the detection logic. It sometimes detects open vulnerabilities that are not truly there, such as orphan files that are not really exploitable. It would be helpful if they were classified as information-only rather than Sev 4 or Sev 5.

I have been using Qualys Patch Management for a couple of months. We are a new customer for Qualys Patch Management. We are just onboarding it.

We have done a couple of PoCs for two to three months.

We have not experienced any downtime, glitches, or bugs, so I would rate its stability very high.

Qualys Patch Management appears to be dynamic. It should be able to scale with our needs as the organization grows.

I am still investigating this aspect. I have not had a need to open any tickets or cases.

Neutral

We previously used Ivanti. We switched to Qualys to simplify our toolset because we faced challenges bridging the gaps between what Qualys was identifying and what Ivanti was reporting. This change was made to reduce confusion and the effort involved in aligning two systems.

We already had the vulnerability management piece from Qualys, and we just added Patch Management.

The scanning piece has definitely reduced risks, and now, with Patch Management, we will be able to bridge the gap and see further reductions in risks.

Qualys vulnerability management is in the cloud, but with us turning on the Patch Management piece, it is probably going to be a hybrid setup. We will have a piece in the cloud and then some data collector pieces that will allow us to locally deploy patches versus having the machines go out on the Internet.

It is pretty straightforward. We are still in the process of onboarding. We are not done yet.

Seven people are currently involved in the implementation phase. Its usage will be global. Phase one is just our server management. We have about 2,100 servers. Our IT group has about 45 to 50 people.

Qualys Patch Management is expensive.

When we did our PoC, we already had the VMDR piece. We enabled the patch piece and brought the right hand and the left hand together. This integration automatically should include all the relevant patches and configuration changes required to remediate vulnerabilities detected by VMDR. It will be crucial. That is still to be determined, but when two of our critical service delivery organizations are using the same sheet of music or the same tool, it makes us more agile and more responsive to the threats we are trying to protect our business against.

I would rate Qualys Patch Management a nine out of ten.

Patch Management checks for new patches that Qualys updates daily. For example, Microsoft and other vendors release security updates, which we add to the asset register to simultaneously deploy them. 

Whenever we updated assets in the past, we used to connect to the Internet to download each one, so every asset used to connect individually to download the patch, consuming a lot of bandwidth. Qualys Gateway Scanner works well for us. QGS has all the patches and deploys them to the systems that need them. For example, if we need to update Adobe Acrobat, we can set up an Acrobat group with all the laptops that have the software and push it out. It previously used a lot of bandwidth to download the packages. Now, instead of downloading it thousands of times, we only need to download 10 to 20 packages.

Qualys enables us to identify vulnerabilities and patch them as quickly as possible. We can fix vulnerabilities without involving the security team using TruRisk. We did a POC of TruRisk, but we do not have the whole package yet. It shows us which assets are critical, so we can prioritize them.  

The integration of Qualys Gateway Scanner is my favorite feature. The patches are downloaded to QGS in our environment and deployed, saving bandwidth. The patch logging and policies have been helpful. The dashboard shows you when the patch has been applied to your assets. 

The patch model is critical. The solution classifies the vulnerabilities based on their severity and assigns an asset risk score, so I can focus on the critical ones first. The greater the score, the more vulnerable and risky the assets are. I can prioritize the assets directly from the UI. It doesn't take any skill to evaluate the risk. 

The VMDR feature is critical because I can permanently see the associated patch in my patch management model when I find a vulnerability. From there, deploying the patch on my assets is a short step. I don't need to do manual work.

There is room for improvement in terms of adding more patches. Not all patches are available for deployment on Qualys Patch Management, so collaborating with various vendors to provide new patches would be beneficial.

We have used Qualys for four years. 

I rate Qualys' stability eight out of 10. 

I rate Qualys eight out of 10. They're great. Customer service is responsive to feature requests. They'll add something if it's valuable and many users ask for it. 

Positive

We have used BigFix before, which was just a patching tool. You can push all patches through the case, but it doesn't have the same features or UI Qualys has. 

Deploying Qualys was slightly challenging due to the internal IT processes rather than any shortcomings from Qualys. It took us about two months. We had a team from both the security and IT departments involved in the deployment. Two or three people were from security, while approximately six were from the IT team, including networking and server teams.

Qualys is fairly priced. 

If Qualys can provide all patches and the ability to deploy custom patches, it would make them unbeatable.

Initially, we were using Qualys Patch Management for TruRisk vulnerability detections. I am on the risk operations side, so I also used it to determine ways to fix a particular vulnerability and address it.

I used Patch Management with Qualys VMDR when I was doing a proof of concept with Patch management. It works well. To me, it was just a shortcut or another way to patch a system versus doing it with the job, but it was straightforward.

We were able to realize its benefits immediately. Patch Management gave my side and the security side a single pane of glass and the ability to better coordinate the delivery of patches. After using it, I felt a lot more comfortable with it. 

TruRisk gives the confidence that we are attacking the major issues, but we do leverage our security team to make the final decision. It does help.

Patch Management gives us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

Currently, we are in a hybrid environment until we fully transition over. We have Ivanti and Qualys. They are two separate agents, two separate infrastructures. Moving to Qualys Patch Management gives us instant access to all of the systems we have. We do not have to worry about building up new infrastructure. We just go and start patching. It streamlines everything a lot, especially the dialogue between our teams, that is, the risk side versus the security side. It reduces confusion over patches.

Patch Management has definitely given us the opportunity to do more hands-off patching. Some in my team are manually pushing the patches out. We click a button, schedule it, and shoot it out. We are going to take advantage of zero-touch patching for browsers. We are going to do a lot more scheduled or agent-based patching. It will be hands-off. It will free us up to do more analytical things and spread ourselves out to other tasks.

Patch Management will help us reduce our organization's risk. We have not had the opportunity to start using it the way we want to. We are still early on, but just from what I see, I expect that it would have a significant impact on our ability to patch. Personally, I think the impact will be significant.

We recently got their Patch Management solution, which is the most important thing for me at this time. Previously, vulnerability detection was most valuable.

Patch Management's risk-based approach to creating automation to address risks is very important. I just came from the conference, and I understand it a lot more. It definitely is important. I like it a lot.

I would like a more clear distinction in terms of something I call a patch contract. A patch contract is a bundle of patches that we are going to roll out. I would like to reference those patches from separate jobs. They explained at a conference that it cannot be done, but that is my main complaint. I wish that the whole schema was a little bit clearer because there is a little bit of cloudiness around it. Everything else seems to be fairly straightforward.

Additionally, I know there is a cost associated with this, but it would be nice if instead of us having to roll and host our own custom files on AWS or something like that, Qualys could provide some space, even if just a gigabyte or 500 megabytes.

I have been using it for about a year or two.

Overall, I have not experienced any issues with Qualys as a whole, although the security team once mentioned something about the system being down. I will learn more as I get more and more into patching with it.

I have not yet contacted their support.

Neutral

Right now, we are using a mixture of security controls and endpoint management. I have used solutions like Ivanti, Altiris, Intune, and WSUS, among others. I have seen a lot of patch management solutions.

Ivanti is closest to Qualys. Both of them are built on the same Shavlik engine. Qualys is better for my situation because it is cloud-based. I do not have to worry about on-prem things I do right now. I am familiar with Patch Management because underneath it is the same Shavlik engine that is used by Ivanti. I am familiar with the log files and things like that.

That was the easiest thing to do. All the hard work had already been done. After the security team has the agents installed, we start working our magic. It does not get easier than that.

We have not yet fully deployed it, so I cannot say how long it takes to fully deploy it, but getting it established and started was quick.

From what I have heard, Qualys Patch Management is pricey, which is a main barrier to entry. Another aspect that I do not like about Qualys is that they do not add new patch management functionalities to the existing package. It is a separate SKU, so you have to pay more money.

I would rate Qualys Patch Management a nine out of ten.

We use Qualys Patch Management to fix patch vulnerabilities in our environment. We're dealing with machines that have pending updates, and we need to configure our console.

In Qualys, we configure Tanium, and Qualys acts as a collaborator with Tanium in our environment. We address machine details, compare with SSCM tools, and manage assets and hardware. Qualys allows us to automate and fix patches through the tool, achieving a compliance rate of over 95%.

In our environment, the application sometimes crashes, requiring improvement. Additionally, the user interface could be made easier to use, especially for system administrators.

I have been using Qualys for about one year.

We have sometimes escalated questions due to application crashes, which need improvement.

Positive

We previously worked with Microsoft Endpoint Configuration Manager (SSCM) for about two and a half years, yet faced issues with achieving target compliance.

I was not involved in the initial setup of the Qualys solution.

I am not able to give a proper answer regarding the return on investment.

I am not familiar with the pricing or setup cost of the Qualys solution.

Compared to other tools, Qualys is better due to its automation capabilities, which allow us to achieve high compliance rates. 

I rate Qualys Patch Management a ten out of ten.

Qualys has a scanning tool for viruses, vulnerability, and malware detections. They recently launched Qualys Patch Management for patching applications or server sites. We previously used tools like SCCM or Microsoft Intune. Qualys Patch Management is a replacement for all those kinds of tools, but we mainly use it for patching the applications, not the servers.

If a server has two applications, and one has a patch and the other one does not have a patch, you do not need to worry. You just select the server and the patches you want to deploy. If you have selected four patches but only two are applicable, it will only deploy the ones that are applicable. The other two are skipped so that there are no issues or errors with the existing image. That is an advantage of this solution.

There is no automation. You have to manually create a job. There is a scanned report, and based on that, you can select a patch or server. You can select multiple servers or multiple patches. 

We have used the solution's Risk Reduction Recommendation Report. After the remediation, we run the scan again. It is simple.

Using Patch Management, we have not seen any improvement in our patch rates.

For a few applications, you do not need to go and download the patches from the network or somewhere else. They have the patches or the latest updates in the directory. You can just select a patch and deploy it to a server. You can create a patch job and select the patch. Everything is within the interface. You do not need to go out of it.

It is user-friendly. It is not complex.

The Qualys Scanning tool is one of the best tools for scanning purposes, virus detection, and vulnerability detection, whereas Qualys Patch Management is helpful only in a few cases, not in all cases.

There are multiple tools for patching, such as SCCM, Intune, or Ivanti. One of the challenges that we have faced with the Patch Management tool is that you cannot patch all the things. There are some limitations, whereas, in SCCM, we can create a package and just deploy that through it. Anything is deployable through SCCM, whereas Patch Management is very selective. They should support more applications. For example, you cannot push a patch on Oracle.

There is not much automation. For example, with SCCM, you can push anything, but that is not the case with Qualys.

We have faced a few corruptions while patching. Even though a patch is feasible through Qualys Patch Management, when we try to push it to our servers, we face some errors or interruptions. When we push the patch, something gets blocked and the patch fails. Even if the patch is within the directory of Qualys, we cannot push it. There are some errors.

The Qualys support team can be more communicative. Just sharing a knowledge-based article does not help all the clients or all people. A knowledge-based article might be useful for a technical person, but it does not help someone who is not very technical. They should have a call-based approach. Even companies like Microsoft provide an option for a call for a support case, which allows you to discuss the issue and troubleshoot it quickly. Qualys should improve their support. 

I have been using this solution from the beginning or since it was launched. It was launched recently. It has been one to two years.

It is stable. I would rate it a nine out of ten for stability.

I would rate it a ten out of ten for scalability. Its scalability is very good. It can be expanded, but it also depends on the licensing part.

It is being used for the whole organization for patch management. We have 70 to 80 users using this solution.

We faced challenges with their support for the issues that we raised. When you raise a case, they just share a knowledge-based article with you. It is very tough to catch them over a call and have a live troubleshooting session to understand the issue. You cannot just be dependent on the knowledge base articles. Sometimes, you have to go in-depth and do research to understand the cause of the issue. Their support team was not very helpful or communicative.

The experience might vary based on the priority of the case. It might be different when you have a high-priority case. The cases that we raise are at P3 or P4 levels because we are not completely dependent on Qualys Patch Management. For a P1 or P2 case, they might have a different approach.

Neutral

Previously, we were using Ivanti and SCCM. They are more comprehensive, and you can push anything. You can even create a script or a package and push it through them, and it will be deployed on all the servers. Qualys Patch Management is very limited compared to SCCM, Intune, or Ivanti. Having said that, it is quite new. It was launched one or two years ago. They need some time to improve their services.

Its deployment is straightforward.

We have both cloud and on-prem servers. We do patch deployment on both. We can do an immediate deployment or a scheduled deployment. It takes time based on the application size, server count, etc. If the file is of a few MBs, it does not take more than one or two minutes. If it is a huge file, then it will take longer, but everything is reasonable. I have not seen any delays. The run time is good. It is not an issue. The only issue is that a few blockers need to be corrected.

It does not require much maintenance, but the support should be better from their side.

Once you have deployed a job, it runs automatically. You need to go and check it only if there is a failure. You do not need to manually manage anything. Once a job is created, it runs automatically at a scheduled time. All that is automatically done at the backend.

It is affordable, but they should provide features as per the rate they are charging. We have a big infrastructure with about 80,000 licenses. We expect better support from the Qualys team. So, it is affordable, but more features should be there, and the support should be better.

At this time, I would not recommend Qualys Patch Management because there are multiple features that need to be developed from their end. You cannot deploy everything through it. I might recommend it in the future. It needs some time to be fully developed.

I would rate Qualys Patch Management a six out of ten because of the support quality and lack of features.

I initially used Qualys' Vulnerability Management module and later incorporated their Patch Management module for remediation. This allowed us to deploy patches, schedule deployments for various machines, and automate the process on a weekly or monthly basis. Critical assets receive daily deployments with real-time detection and prioritization for enhanced security.

We can prioritize vulnerabilities using Qualys' risk-based approach. The platform offers a prioritization tab that allows us to tailor the process to the company's requirements. Whether the focus is on risk, asset criticality, or exploitability, we can leverage the prioritization tag in Qualys to manage and address vulnerabilities effectively.

It's important that Qualys Patch Management and VMDR integration encompasses all necessary patches and configuration changes to address vulnerabilities identified by VMDR. This integration ensures real-time detection and remediation of vulnerabilities.

The TruRisk Insights allows us to prioritize and remediate threats without involving our security team.

Qualys Patch Management provides a single source of information to access asset and vulnerability data. Granting the IT team access to the Patch Management module lets them retrieve information through alerts. Through this module, the team receives email alerts about patch failures, enabling them to redeploy patches and investigate the cause of failure, such as machines rebooting at the scheduled time.

Qualys Patch Management helps prioritize vulnerabilities based on risk and asset criticality, facilitating the patching process. 

The integration with ServiceNow helps close tickets faster by automating tasks and alerting the IT team when a patch has failed.

Patch management provides more clarity from the dashboard and console, which is very helpful for our team to prioritize and take prior action.

Downloading extensive vulnerability reports, especially those with millions of entries, is time-consuming. To improve efficiency, Qualys should implement faster download speeds and offer reports in Excel format in addition to the current CSV option.

I have been using Qualys Patch Management for more than two years.

The customer support team is quite responsive and always ready to assist. When I submit a request, they promptly contact me and, if necessary, schedule a call to efficiently address my questions, even during my early days with the product.

Positive

Previously, we used BigFix and SSCM modules for patch application but have since transitioned to Qualys Patch Management for a more streamlined approach. Qualys Patch Management provides a single console for patch management and VMDR, simplifying operations and automating reporting.

I would rate Qualys Patch Management nine out of ten because there is room for improvement in tool features to enhance competitive market standings.