Qualys Patch Management Reviews

Our primary use case for Qualys Patch Management is vulnerability remediation and running scripts. It helps us detect vulnerabilities in our environment and identify specific patches that are required. If we want to mitigate any vulnerabilities, we can run scripts. It is utilized on a very large scale in our organization.

Before Qualys Patch Management, the challenge that we faced was that we were able to detect the vulnerabilities using Qualys VMDR, but mitigation was not easy. Qualys Patch Management helped us to identify which specific patch is required and which patch is missing from our environment. Most of the time, we considered the most suited patches to make sure that all the vulnerabilities get remediated but that was not always the case. We also wanted to see the old patches that were missing. Qualys Patch Management helped us there.

Qualys Patch Management helped us to automate processes. We did not have to do anything manually. All we had to do was write a particular query command, and based on that, we could time or schedule our patches. If a patch is not properly installed or is crashing on the system, there is the ability to roll back that particular patch. We can see what caused the problem and fix the issue.

We have an improved vulnerability detection rate, and the remediation timelines have been reduced significantly. Earlier, if 100 vulnerabilities were detected, only 50 might be closed after several months. Now, with Qualys Patch Management, the number of vulnerabilities can drop from 100 to 20 in less than a month.

We have information about the severity of the vulnerability. QDS also gives us a score of the vulnerability severity. Accordingly, we also have the categorization of our assets. Qualys VMDR creates the scoring of the assets for us. It tells us what is the asset criticality and the risk score of the asset. Based on that entire calculation, it helps determine which asset to prioritize and fix. It helps us identify what needs to be prioritized.

We use Qualys VMDR with Qualys Patch Management. It is a combined package. Qualys VMDR helps with detection. The data about the vulnerabilities detected by the agents and the scanners is being fed into the Patch Management model which helps to know how to mitigate them. This integration saves a lot of time and makes business operations easy. As soon as we perform a scan, the data gets populated in the Patch Management module. We can see all the data in the Patch Management module. By entering the asset name or the IP address of the host, we can see all the information already over there. We do not have to sync anything or have to pull anything separately using the APIs.

Qualys Patch Management has removed the requirement of approval from the security team for patches because the patches recommended by Qualys are required from the security standpoint itself. They are not showing any patches for functionality improvement or something like that. That is why the security team's intervention is not required anymore. The patching team can schedule and deploy patches.

We now have a single source of truth. Previously, everyone was relying on their own inventory or reports, so the chances of errors were pretty high because there could be data mismatch. Now that we have a single source of truth, there is less chance of errors. All the teams are seeing the same data.

Qualys Patch Management has not reduced a lot of costs. There is about a 15% reduction. It has improved our patch rate by about 60% over the last one to two years.

We have integration with ServiceNow for ticket management. As soon as the patches have been deployed, tickets are getting resolved. When the rescans happen, there is again a revalidation of whether the vulnerabilities have been closed or not. The process of resolving or closing the tickets is 40% to 50% faster than before.

Qualys Patch Management has reduced our organization's risk by 40% to 50%. 

The most valuable features of Qualys Patch Management include its ability to automate patch deployment for hundreds or thousands of assets, reducing our reliance on the IT team to perform these tasks manually. It is able to fix most of our vulnerabilities. The count is reducing significantly. We do not have to rely on our IT team to manually log in to systems or deploy using the AD group. We can just put in a command and schedule the patches for our hundreds or thousands of assets. The vulnerability count has reduced significantly.

Secondly, it helps us not just deploy a patch, it also helps us to install a particular software if it is required from an IT standpoint. Tomorrow, if the organization has a requirement for certain software to be installed on a device, Qualys Patch Management has that capability as well. It can install that software on the machine irrespective of whether it is a security tool or some other tool. We can just put in the URL or source path of it, and it will install that software.

The last one is the registry remediation. It is not just limited to patch management or patch deployment. We can also create a script to fix a particular vulnerability that cannot be fixed through patch deployment. It might require logging into the system, opening the registry keys, and editing some values to it. We can create a script for that.

Some patches require OEM consent or must be released by OEM. For example, if an outdated version of a tool like Falcon is detected, Qualys flags it as a vulnerability, but cannot automate the patch update. We can not simply download and do an upgrade. Improved partnerships with OEMs could resolve this.

It works with Windows and Linux, but Mac patch support is not yet available.

We have been using Qualys Patch Management for approximately five years. We were given a subscription to Patch Management along with the VMDR module.

I would rate the stability of the solution a ten out of ten. It is a stable solution.

So far, Qualys Patch Management fits our company requirements. However, Mac patch support is not available, which could be improved. Overall, I would give it a nine out of ten.

Our organization has a global presence. We have offices in Asia, Europe, and America. The Patch Management solution is being used by 30 to 40 teams. We have the infra team, the security team, and the managers keeping track of what is going on and whether everything is on track.

Whenever we raise a ticket, Qualys has a quick response time of 48 hours. They provide the necessary resolution once all information is shared. I would rate their support a nine out of ten.

Positive

Before using Qualys Patch Management, my team used SCCM. However, there were challenges. It did not detect required security patches effectively and had limitations on asset detection. The number of vulnerabilities was still pretty high even after deploying the patches.

There were also limitations in terms of asset detection. Certain types of assets did not work with SCCM. Qualys provides better asset detection.

Qualys Patch Management works with Windows and Linux. We do not have to use different tools. 

The setup was straightforward and quick. We just had to connect with a Qualys partner. They set up the cloud environment for us and gave us the URL and the credentials.

As soon as the contract application was done, it took about a week to get the cloud environment set up and ready.

It does not require any maintenance from our side. Qualys takes care of its maintenance. There is a periodic maintenance schedule every quarter. 

The implementation was supported by a partner at Qualys who set up the cloud environment.

Qualys Patch Management comes as part of a bundled package with several modules, making it a cost-effective deal for us. I cannot speak to the separate cost, as we have always used it as part of the package.

I would recommend Qualys Patch Management to others because it is user-friendly and has a wide database of vulnerabilities and patches. I am fond of Qualys, having started my journey with them. Overall, I would rate the solution a ten out of ten.

We use Qualys Patch Management to detect open vulnerabilities and manage patches.

Qualys Patch Management has significantly improved our vulnerability scanning and patch management. It helps us to detect open vulnerabilities and missing patches across on-prem and cloud assets, as well as on remote endpoints. It is efficient and the communication with the support team is also good.

It also provides a high level of accuracy. There is better efficiency in terms of operating system patch management.

Its efficient scanning system has made us continue using this system. We have been renewing our partnership with Qualys every year. We are satisfied with what we are getting.

Qualys Patch Management gives a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated. For remediation and mitigation, we have a company called iZOOlogic. We are using their services for mitigation.

Qualys Patch Management has improved our patch rate by 30% to 40%, but we are targeting about a 90% patch rate.

We have been able to patch Windows, Linux, and Mac devices with Qualys Patch Management.

The most valuable feature of Qualys Patch Management is the support and service provided by Qualys. The feedback that I got from our team is that Qualys' team is very supportive. They are always there to help us and solve queries in real-time. I liked the service aspect.

Its overall functionality is good. I like the way it identifies and understands the vulnerabilities and the way it integrates. We swiftly get information from the platform.

It would be beneficial to have more efficiently scheduled task deployments that are tailored to specific asset types or deployment needs.

We have been using Qualys Patch Management for four to six years.

The solution is stable, though there is always room for betterment. I would rate it eight out of ten because it could be improved.

Qualys Patch Management is very much scalable. I would rate its scalability as eight out of ten.

We have about 20 people working with Qualys products. They also handle other products. 

Qualys' technical support is fantastic. The support team is always on their toes, providing excellent service, for which I would give a five-star rating.

Positive

Before using Qualys, we were using a CheckPoint legacy system. We do regular performance reviews and assessments, and we switched based on a set of metrics, including reliability, cost, and other parameters.

Its deployment is quick. It typically takes a week.

We are not able to quantify the ROI, but we are getting a good output.

Pricing is on the higher side. We found it costly compared to other vendors.

We extensively evaluate vendors across industries.

I would recommend Qualys Patch Management because of its efficiency, scalability, and excellent support. 

I would rate Qualys Patch Management an eight out of ten.

We have been using Qualys Patch Management alongside vulnerability management. We utilize it to manage high and critical vulnerabilities by prioritizing patches based on asset value and vulnerability score. We rate our asset with an asset value. Along with that, once we have a vulnerability score, we prioritize patches and servers that are high and critical. That is how we utilize both vulnerability management and patch management.

The risk-based approach provides a better way of patching. It helps identify criticalities based on asset value, enhancing decision-making.

Qualys Patch Management has helped us reduce the overall risk in our environment by integrating with vulnerability management and VMDR, allowing us to address risks based on asset value and risk levels. It is important for us that it is integrated with VMDR so that we are aware of the vulnerabilities in our system and can apply patches as per the associated risk, asset value, and threat to the environment. It is very important to integrate these tools. It helps reduce vulnerabilities through diligent patch application and improves overall efficiency.

TruRisk score is helpful for us, but we still have to ensure the security team is involved in the governance process to ensure that we are taking care of the entire environment. We include the security team on the governance side but the implementation and the activity can be done without them.

There has been an improvement in our patch rate. The efficiency in our environment increased by 30% over three years, compared to the tool we used previously. The duration of patching decreased in the environment.

The Risk Reduction Recommendation Report is good. It gives an overview of what can be remediated soon. It gives a good understanding of which patch can remediate the majority of the risks in the environment. It helps us see which vulnerabilities would reduce the most risk within our organization.

We have all the information on one page. The dashboard provides comprehensive information on one page, making it easy to apply patches and monitor pending updates. It helps a lot from the governance point of view to see what exactly is missing and what exactly has been applied.

They have already covered most of the things. I do not see a lot of opportunities for improvement. It is pretty good. However, it would be good to have more widgets and AI-generated reports. I have not seen anything related to AI with Qualys. It would be beneficial for Qualys to incorporate AI-generated tools for Patch Management and VMDR. This could assist in managing risks, providing AI-generated reports, and creating risk letters for clients, which can streamline communication.

I have been using Qualys Patch Management for more than three years.

We did not encounter any significant stability issues, except during a notified period when they were transitioning to another cloud vendor or fixing an issue.

Customer service is responsive and effective. They are pretty fast. They generally respond to inquiries and provide a resolution within a couple of hours. So far, I have not seen a case where the resolution was not provided within 48 hours.

Positive

We previously used BigFix. We switched to Qualys because BigFix moved from IBM to HCL, and we wanted a tool certified for PCI compliance. Qualys is PCI compliant.

We have a hybrid deployment model. It was an easy process because we knew what we needed to configure the firewall rules and ports. The documentation and other information was provided by the Qualys partner. It did not take us a long time to get it deployed and test it out. We did a PoC, and everything worked fine.

Overall, the setup process was straightforward, and with good documentation and support, we deployed it within our change management framework in about two weeks.

It does not require any maintenance, but we need to ensure that we get rid of the licenses when not required or request licenses when we have more devices planned to be onboarded. That is something we need to look into. When we do not have a device or we do not need a scanner in a particular location, we can get rid of it, so from a maintenance point of view, there is not much.

This deployment also involved integration with vulnerability management. We had a project manager coordinating efforts with the vendor, a documentation coordinator, and a team to handle change management and firewall configurations. Overall, we had three people. Effort-wise, it did not require a lot. They had to coordinate a couple of times for two to three hours.

Its price is competitive in the market. Compared to other solutions like Rapid7, Qualys offers a favorable price point and robust features.

Overall, I would rate Qualys Patch Management a nine out of ten.

I initially used Qualys' Vulnerability Management module and later incorporated their Patch Management module for remediation. This allowed us to deploy patches, schedule deployments for various machines, and automate the process on a weekly or monthly basis. Critical assets receive daily deployments with real-time detection and prioritization for enhanced security.

We can prioritize vulnerabilities using Qualys' risk-based approach. The platform offers a prioritization tab that allows us to tailor the process to the company's requirements. Whether the focus is on risk, asset criticality, or exploitability, we can leverage the prioritization tag in Qualys to manage and address vulnerabilities effectively.

It's important that Qualys Patch Management and VMDR integration encompasses all necessary patches and configuration changes to address vulnerabilities identified by VMDR. This integration ensures real-time detection and remediation of vulnerabilities.

The TruRisk Insights allows us to prioritize and remediate threats without involving our security team.

Qualys Patch Management provides a single source of information to access asset and vulnerability data. Granting the IT team access to the Patch Management module lets them retrieve information through alerts. Through this module, the team receives email alerts about patch failures, enabling them to redeploy patches and investigate the cause of failure, such as machines rebooting at the scheduled time.

Qualys Patch Management helps prioritize vulnerabilities based on risk and asset criticality, facilitating the patching process. 

The integration with ServiceNow helps close tickets faster by automating tasks and alerting the IT team when a patch has failed.

Patch management provides more clarity from the dashboard and console, which is very helpful for our team to prioritize and take prior action.

Downloading extensive vulnerability reports, especially those with millions of entries, is time-consuming. To improve efficiency, Qualys should implement faster download speeds and offer reports in Excel format in addition to the current CSV option.

I have been using Qualys Patch Management for more than two years.

The customer support team is quite responsive and always ready to assist. When I submit a request, they promptly contact me and, if necessary, schedule a call to efficiently address my questions, even during my early days with the product.

Positive

Previously, we used BigFix and SSCM modules for patch application but have since transitioned to Qualys Patch Management for a more streamlined approach. Qualys Patch Management provides a single console for patch management and VMDR, simplifying operations and automating reporting.

I would rate Qualys Patch Management nine out of ten because there is room for improvement in tool features to enhance competitive market standings.

We are using the Qualys Patch Management and VMDR solution at a client location.

We primarily use Qualys Patch Management for the company's infrastructure. We utilize the core Patch Management module to remediate and manage patches. We mainly use it to address zero-day vulnerabilities and swiftly deploy patches across a large number of devices.

Whenever Microsoft releases any zero-day vulnerabilities, they provide a workaround. We are able to push that workaround from the Patch Management module. We can push the registry key changes or use the PowerShell script. We push changes to almost 600 devices in ten minutes. It helps us ensure our infrastructure security.

Qualys Patch Management has significantly improved our visibility into vulnerability remediation and patch severity. The solution has enabled us to remediate a large number of vulnerabilities and reduce our attack surface effectively.

We can track live updates and present dashboards to management, which has increased their confidence in our security posture. We can see the progress while pushing the patches. We have VMDR dashboards and reports. The reports are user-friendly, and everyone can understand these reports. We could also present them to the management. They were also happy to see the progress. They had visibility.

We have not implemented much automation. We are still in the early stages of this solution and testing out the possibilities. We had an issue because of the requirement that every server should be connected to the Internet before downloading the patches, but QGS was very helpful with that. QGS helps to ensure that we are able to patch devices that are not connected to the Internet.

We are able to prioritize the vulnerabilities and remediation. We did not see any discrepancies. With some of the other tools I have used, I have seen so many discrepancies between the vulnerability and the patching.

It helped our teams to work together. We created a separate team for vulnerability remediation. We also could help the patching team and support them in automating patch management. Previously, they were doing it manually on each server.

With Qualys Patch Management, there is an increase in vulnerability remediation. We have remediated almost 100,000 vulnerabilities. That is a huge count. Previously, we used a formula to identify critical vulnerabilities, and we could remediate only a limited number of vulnerabilities. With Qualys Patch Management, we could remediate all the vulnerabilities. We did not exclude any of the vulnerabilities.

There is also an increase in the patch rate. Previously, we could only cover 30% patching, whereas with Qualys Patch Management, within one and a half months, we could achieve 70% to 80% patching. The remaining ones are not included in the initial phase because of certain dependencies. We pushed data to almost 2,000 devices. It took some time for us to do the testing. We tested on ten production devices. After that, we pushed the patches to other devices.

We can download reports and customize the report templates based on the information we need. Our management could clearly see where we are now as compared to before. They could see our progress. They could see that we have fixed all high-priority ones within a month. The remaining ones are of medium and low priority. Even if we do not remediate them, it will be fine.

The Risk Reduction Recommendation Report helped us see which vulnerabilities would reduce the most risk within our organization.

The features I find most valuable in Qualys Patch Management include the ability to manage registry changes and run scripts both pre and post-patching. We have been able to apply workarounds for zero-day vulnerabilities efficiently.

Being able to create patch groups based on QIDs is also valuable. We can identify vulnerabilities using the QID and create a patch group. After that, we can push the patches.

They need to improve the user-friendliness of identifying how many devices are affected by a particular patch. It is not intuitive, and there should be clearer indicators or buttons to access this information easily. Currently, we have to go to the Patch Management module within an asset to see the information but not many people are aware of it. It is not intuitive in terms of seeing how many patches are pending on an asset. Other than that, it has everything we need.

I have been using Qualys Patch Management for approximately one year.

We faced an issue once due to a cloud-related problem that slowed down the console and presented device status inconsistencies, but it was resolved within four hours.

We have not encountered any scalability issues. We operate across multiple locations and have not faced any lags.

We have almost 125,000 users. We are a multinational company. We have offices in about 15 states in India. We are also in two or three other countries. This is why our asset count is high.

Customer service is exceptional. The support team is experienced and responsive, providing solutions quickly without delay. I would rate them a ten out of ten.

Positive

Before Qualys, we used Microsoft SCCM, which was not effective in progress tracking and vulnerability remediation. The tool was basic, the licensing cost was high, and we were only able to address 30% to 40% of vulnerabilities.

We proposed the Qualys Patch Management module. Its cost was almost similar but we got many more features. After implementing it, we could see the progress in vulnerability remediation and patching.

Qualys Patch Management also provided us with a variety of dashboards or criteria. We could see the number of patches done, pending, and failed. Microsoft SCCM did not give us that information. We could also export reports with Qualys Patch Management. This option was not available with Microsoft SCCM. 

In terms of user-friendliness, Microsoft SCCM is more user-friendly. It has fewer features and is very easy. Even a beginner can use Microsoft SCCM, which is not the case with Qualys Patch Management. 

It is a cloud solution, so everything required is provided by Qualys. 

It does not require any maintenance from our end.

We required assistance from the Qualys team for the initial setup and configuration as we were not familiar with setting up and configuring QGS at the time.

It has saved us resources. We now have only two people for patch management.

The pricing is reasonable and competitive. We get many more features at the same price as other solutions such as Microsoft SCCM.

It is worth the money considering the services and features it has. Their support team is also awesome.

We evaluated Rapid7 as an alternative to Qualys but found it lacking in some features that Qualys offered.

I would recommend Qualys Patch Management to every organization looking for better patch management and remediation. I would recommend opting for the cloud version of Qualys Patch Management as it is easier and faster to use compared to an on-premises solution.

I would rate Qualys Patch Management a ten out of ten. It makes my job easy.

Qualys Patch Management is used to address and remediate server vulnerabilities. It provides a dashboard with information on remediation steps, vulnerability severity, impact, and other relevant details. This tool effectively manages and mitigates security vulnerabilities, ensuring the security of our infrastructure.

Qualys Patch Management provides visibility into our infrastructure's security vulnerabilities, enabling us to demonstrate to external auditors that our infrastructure is secure and vulnerabilities are mitigated. This has strengthened our security posture and significantly improved our overall security.

The TrueRisk automation helps us remediate vulnerabilities without involving our security team.

Qualys Patch Management provides a single source for asset and vulnerability monitoring, allowing us to view remediation status and severity levels from a centralized dashboard.

It is user-friendly and easy to learn, even for someone without experience, enabling them to master the tool within four days.

Qualys Patch Management has helped reduce our organization's risk by 70 to 80 percent.

The most valuable feature is the ability to search for vulnerabilities using their QID. This provides comprehensive information, including severity, CVE, and impact, in an informative dashboard. This allows for a clear understanding of the scope of the infrastructure affected and the specific servers impacted.

The Qualys agent sometimes encounters authorization issues, leading to inaccurate vulnerability reports. Additionally, server updates cause duplicate assets to appear, hindering accurate asset identification.

I have been using Qualys Patch Management for approximately two and a half years.

I would rate the stability of Qualys Patch Management as nine out of ten.

I would rate the scalability of Qualys Patch Management as eight out of ten.

Qualys' technical support is good. We raised some issues, and their response was quick and effective, resolving everything on time.

Positive

The initial setup for one or two servers was straightforward and did not take much time. It was set up before I joined the organization, so my direct experience with a larger-scale setup is limited.

I would rate Qualys Patch Management eight out of ten.

We have three environments: production, development, and QA. To perform patching, we must coordinate with the application team and schedule downtime. Due to the critical nature of the business application running on the production servers, we cannot automate patching; instead, we use satellite servers.

Our organization has between 20 and 30 people who use Qualys Patch Management.

In the two and a half years I've used Qualys Patch Management, I haven't observed any need for maintenance on the tool.

Qualys Patch Management is a valuable tool for large organizations seeking to maintain a secure infrastructure.

Our use cases for Qualys vary depending on the client. I work for a Paris-based French company that provides cybersecurity and metadata services to multiple clients. We primarily use Qualys to check the core infrastructure that hosts everything, scanning and remediating vulnerabilities.

We work with multiple teams, so if we identify a patching issue using Qualys, we might need to escalate it to another department. For example, if we identify a vulnerability in a CI/CD tool the DevOps team uses in Terraform, we're not supposed to touch it. We recommend a time frame for the DevOps team to apply the patch. If the issue is high-severity, they may need to address it as soon as possible. We run the scans, get the reports, and create recommendations.

We have integrated Qualys with our homegrown ticketing tool, but we plan to migrate to ServiceNow. It's a gradual process. Microsoft Sentinel, our SIEM solution, sends alerts to our internal detection and monitoring tool, which ServiceNow will soon replace. Our SIEM tool is responsible for monitoring the overall risk, while we use Qualys to report vulnerabilities that need to be patched.

Qualys improved productivity and efficiency after we became certified and familiar with the tool. However, our efficiency ultimately doesn't rely on us. We're not free to do whatever we want because we need to wait for the approval of our bosses or clients. We only note everything on our customized reports inspired by Qualys' core reporting. 

Our clients typically have a 30 percent security score, and we aim to raise that to at least 90 percent through patch management and vulnerability monitoring and detection so their infrastructure security improves daily.  

Qualys' best feature is its reporting. At first, it may seem a little complicated to a beginning user, but it's helpful once you get used to it. Most of these scans run automatically. We set the scans up for the client to run at daily, weekly, or monthly intervals, depending on how critical the server or other hardware is.

According to the scan target, we adopt a risk-based or patch-based approach. Our company has a large SOC team that covers more than just the scanning aspect. Qualys is one tool we use. Regarding the managerial component, we have documentation and a set of steps to follow. We must also follow all the protocols, regulations, and standards, such as ISO-27000 or GDPR if you are in Europe.  

Qualys could improve its capacity to fix vulnerabilities on VMware and other virtualized environments. The reporting could also be enhanced to make it more user-friendly. It's difficult for beginners to learn.  

I have used Qualys for two and a half years.

We've had no stability issues with Qualys because most clients use high-speed fiber optic connections. 

I rate Qualys support nine out of 10. I've contacted Qualys support four or five times. They're highly efficient. There were some delays and technical issues the first time I called them, but the rest of my experiences went smoothly.

Positive

We used Nessus, but we switched. It was a company decision because it has a partnership with Qualys' parent company. Before that, we used Metasploit

Deploying Qualys was initially overwhelming, but after a lot of tutorials and testing, we got used to it. Three people were involved in the first six months, but now I'm the only one using it. We had some help from Qualys in the first few months.  

I'm unaware of Qualys' exact price, but it's more expensive than Nessus. With technological products, you need to pay to get the best. 

I rate Qualys eight out of 10. It's a great tool, and if I consulted for a client, I would recommend it. 

Patch Management checks for new patches that Qualys updates daily. For example, Microsoft and other vendors release security updates, which we add to the asset register to simultaneously deploy them. 

Whenever we updated assets in the past, we used to connect to the Internet to download each one, so every asset used to connect individually to download the patch, consuming a lot of bandwidth. Qualys Gateway Scanner works well for us. QGS has all the patches and deploys them to the systems that need them. For example, if we need to update Adobe Acrobat, we can set up an Acrobat group with all the laptops that have the software and push it out. It previously used a lot of bandwidth to download the packages. Now, instead of downloading it thousands of times, we only need to download 10 to 20 packages.

Qualys enables us to identify vulnerabilities and patch them as quickly as possible. We can fix vulnerabilities without involving the security team using TruRisk. We did a POC of TruRisk, but we do not have the whole package yet. It shows us which assets are critical, so we can prioritize them.  

The integration of Qualys Gateway Scanner is my favorite feature. The patches are downloaded to QGS in our environment and deployed, saving bandwidth. The patch logging and policies have been helpful. The dashboard shows you when the patch has been applied to your assets. 

The patch model is critical. The solution classifies the vulnerabilities based on their severity and assigns an asset risk score, so I can focus on the critical ones first. The greater the score, the more vulnerable and risky the assets are. I can prioritize the assets directly from the UI. It doesn't take any skill to evaluate the risk. 

The VMDR feature is critical because I can permanently see the associated patch in my patch management model when I find a vulnerability. From there, deploying the patch on my assets is a short step. I don't need to do manual work.

There is room for improvement in terms of adding more patches. Not all patches are available for deployment on Qualys Patch Management, so collaborating with various vendors to provide new patches would be beneficial.

We have used Qualys for four years. 

I rate Qualys' stability eight out of 10. 

I rate Qualys eight out of 10. They're great. Customer service is responsive to feature requests. They'll add something if it's valuable and many users ask for it. 

Positive

We have used BigFix before, which was just a patching tool. You can push all patches through the case, but it doesn't have the same features or UI Qualys has. 

Deploying Qualys was slightly challenging due to the internal IT processes rather than any shortcomings from Qualys. It took us about two months. We had a team from both the security and IT departments involved in the deployment. Two or three people were from security, while approximately six were from the IT team, including networking and server teams.

Qualys is fairly priced. 

If Qualys can provide all patches and the ability to deploy custom patches, it would make them unbeatable.