Qualys Patch Management Reviews

I initially used Qualys' Vulnerability Management module and later incorporated their Patch Management module for remediation. This allowed us to deploy patches, schedule deployments for various machines, and automate the process on a weekly or monthly basis. Critical assets receive daily deployments with real-time detection and prioritization for enhanced security.

We can prioritize vulnerabilities using Qualys' risk-based approach. The platform offers a prioritization tab that allows us to tailor the process to the company's requirements. Whether the focus is on risk, asset criticality, or exploitability, we can leverage the prioritization tag in Qualys to manage and address vulnerabilities effectively.

It's important that Qualys Patch Management and VMDR integration encompasses all necessary patches and configuration changes to address vulnerabilities identified by VMDR. This integration ensures real-time detection and remediation of vulnerabilities.

The TruRisk Insights allows us to prioritize and remediate threats without involving our security team.

Qualys Patch Management provides a single source of information to access asset and vulnerability data. Granting the IT team access to the Patch Management module lets them retrieve information through alerts. Through this module, the team receives email alerts about patch failures, enabling them to redeploy patches and investigate the cause of failure, such as machines rebooting at the scheduled time.

Qualys Patch Management helps prioritize vulnerabilities based on risk and asset criticality, facilitating the patching process. 

The integration with ServiceNow helps close tickets faster by automating tasks and alerting the IT team when a patch has failed.

Patch management provides more clarity from the dashboard and console, which is very helpful for our team to prioritize and take prior action.

Downloading extensive vulnerability reports, especially those with millions of entries, is time-consuming. To improve efficiency, Qualys should implement faster download speeds and offer reports in Excel format in addition to the current CSV option.

I have been using Qualys Patch Management for more than two years.

The customer support team is quite responsive and always ready to assist. When I submit a request, they promptly contact me and, if necessary, schedule a call to efficiently address my questions, even during my early days with the product.

Positive

Previously, we used BigFix and SSCM modules for patch application but have since transitioned to Qualys Patch Management for a more streamlined approach. Qualys Patch Management provides a single console for patch management and VMDR, simplifying operations and automating reporting.

I would rate Qualys Patch Management nine out of ten because there is room for improvement in tool features to enhance competitive market standings.

We use Qualys Patch Management to fix patch vulnerabilities in our environment. We're dealing with machines that have pending updates, and we need to configure our console.

In Qualys, we configure Tanium, and Qualys acts as a collaborator with Tanium in our environment. We address machine details, compare with SSCM tools, and manage assets and hardware. Qualys allows us to automate and fix patches through the tool, achieving a compliance rate of over 95%.

In our environment, the application sometimes crashes, requiring improvement. Additionally, the user interface could be made easier to use, especially for system administrators.

I have been using Qualys for about one year.

We have sometimes escalated questions due to application crashes, which need improvement.

Positive

We previously worked with Microsoft Endpoint Configuration Manager (SSCM) for about two and a half years, yet faced issues with achieving target compliance.

I was not involved in the initial setup of the Qualys solution.

I am not able to give a proper answer regarding the return on investment.

I am not familiar with the pricing or setup cost of the Qualys solution.

Compared to other tools, Qualys is better due to its automation capabilities, which allow us to achieve high compliance rates. 

I rate Qualys Patch Management a ten out of ten.

Qualys has a scanning tool for viruses, vulnerability, and malware detections. They recently launched Qualys Patch Management for patching applications or server sites. We previously used tools like SCCM or Microsoft Intune. Qualys Patch Management is a replacement for all those kinds of tools, but we mainly use it for patching the applications, not the servers.

If a server has two applications, and one has a patch and the other one does not have a patch, you do not need to worry. You just select the server and the patches you want to deploy. If you have selected four patches but only two are applicable, it will only deploy the ones that are applicable. The other two are skipped so that there are no issues or errors with the existing image. That is an advantage of this solution.

There is no automation. You have to manually create a job. There is a scanned report, and based on that, you can select a patch or server. You can select multiple servers or multiple patches. 

We have used the solution's Risk Reduction Recommendation Report. After the remediation, we run the scan again. It is simple.

Using Patch Management, we have not seen any improvement in our patch rates.

For a few applications, you do not need to go and download the patches from the network or somewhere else. They have the patches or the latest updates in the directory. You can just select a patch and deploy it to a server. You can create a patch job and select the patch. Everything is within the interface. You do not need to go out of it.

It is user-friendly. It is not complex.

The Qualys Scanning tool is one of the best tools for scanning purposes, virus detection, and vulnerability detection, whereas Qualys Patch Management is helpful only in a few cases, not in all cases.

There are multiple tools for patching, such as SCCM, Intune, or Ivanti. One of the challenges that we have faced with the Patch Management tool is that you cannot patch all the things. There are some limitations, whereas, in SCCM, we can create a package and just deploy that through it. Anything is deployable through SCCM, whereas Patch Management is very selective. They should support more applications. For example, you cannot push a patch on Oracle.

There is not much automation. For example, with SCCM, you can push anything, but that is not the case with Qualys.

We have faced a few corruptions while patching. Even though a patch is feasible through Qualys Patch Management, when we try to push it to our servers, we face some errors or interruptions. When we push the patch, something gets blocked and the patch fails. Even if the patch is within the directory of Qualys, we cannot push it. There are some errors.

The Qualys support team can be more communicative. Just sharing a knowledge-based article does not help all the clients or all people. A knowledge-based article might be useful for a technical person, but it does not help someone who is not very technical. They should have a call-based approach. Even companies like Microsoft provide an option for a call for a support case, which allows you to discuss the issue and troubleshoot it quickly. Qualys should improve their support. 

I have been using this solution from the beginning or since it was launched. It was launched recently. It has been one to two years.

It is stable. I would rate it a nine out of ten for stability.

I would rate it a ten out of ten for scalability. Its scalability is very good. It can be expanded, but it also depends on the licensing part.

It is being used for the whole organization for patch management. We have 70 to 80 users using this solution.

We faced challenges with their support for the issues that we raised. When you raise a case, they just share a knowledge-based article with you. It is very tough to catch them over a call and have a live troubleshooting session to understand the issue. You cannot just be dependent on the knowledge base articles. Sometimes, you have to go in-depth and do research to understand the cause of the issue. Their support team was not very helpful or communicative.

The experience might vary based on the priority of the case. It might be different when you have a high-priority case. The cases that we raise are at P3 or P4 levels because we are not completely dependent on Qualys Patch Management. For a P1 or P2 case, they might have a different approach.

Neutral

Previously, we were using Ivanti and SCCM. They are more comprehensive, and you can push anything. You can even create a script or a package and push it through them, and it will be deployed on all the servers. Qualys Patch Management is very limited compared to SCCM, Intune, or Ivanti. Having said that, it is quite new. It was launched one or two years ago. They need some time to improve their services.

Its deployment is straightforward.

We have both cloud and on-prem servers. We do patch deployment on both. We can do an immediate deployment or a scheduled deployment. It takes time based on the application size, server count, etc. If the file is of a few MBs, it does not take more than one or two minutes. If it is a huge file, then it will take longer, but everything is reasonable. I have not seen any delays. The run time is good. It is not an issue. The only issue is that a few blockers need to be corrected.

It does not require much maintenance, but the support should be better from their side.

Once you have deployed a job, it runs automatically. You need to go and check it only if there is a failure. You do not need to manually manage anything. Once a job is created, it runs automatically at a scheduled time. All that is automatically done at the backend.

It is affordable, but they should provide features as per the rate they are charging. We have a big infrastructure with about 80,000 licenses. We expect better support from the Qualys team. So, it is affordable, but more features should be there, and the support should be better.

At this time, I would not recommend Qualys Patch Management because there are multiple features that need to be developed from their end. You cannot deploy everything through it. I might recommend it in the future. It needs some time to be fully developed.

I would rate Qualys Patch Management a six out of ten because of the support quality and lack of features.

By implementing this solution, we wanted to fix vulnerabilities as soon as possible in both software and operating systems. Qualys Patch Management gives us the power to solve vulnerabilities quickly and keep our environment safe.

We have not yet seen many benefits because we are still deploying patch policies. We are doing that first with a test group. We have not done 100% patch management. By next month, we will have 100% management through Qualys Patch Management. We expect to see about 99.9% of assets updated all the time. We have great expectations.

We can create rules based on risk. We do not make it 100% automatic for servers because there is a higher chance of issues, but for PCs, we can do 100% automation. Based on the risk for an operation, we can create some sort of policies.

We are deploying both Qualys Vulnerability Management and Qualys Patch Management. Qualys Vulnerability Management was deployed one month ago. For the last month, we have been working to deploy Qualys Patch Management. They are being deployed side by side. The benefit of this is that Qualys Patch Management can solve all the vulnerabilities found by Qualys Vulnerability Management. One part of the tool detects the vulnerabilities and then the other part fixes them. They work together.

Patch Management will help reduce our organization's risk, but it is hard to say how much it will reduce the risks.

Policy enforcement requires less time for my team because users cannot avoid applying updates. The user can skip two or three times or for a maximum of eight hours. After that, there is no way to avoid it. It helps us keep the environment safe.

Its implementation is too recent to make any judgments about areas needing improvement. In terms of pricing, of course, it is not free. Cheaper is always better. If possible in the future, it would be good if it is cheaper.

It has been deployed very recently and we are still in the process of deploying it throughout our organization.

So far, stability has been good with no issues.

I know that as a cloud solution, it would be easy to scale, but I do not have any experience with it. We just deployed it, so there is no need to scale at this time.

I have not had to contact support, so I cannot comment on customer service.

Neutral

We previously used Microsoft WSUS. However, it did not offer the same level of management and enforcement as Qualys Patch Management.

Qualys Patch Management gives me all kinds of management options. I have good visibility into vulnerabilities on each asset. Microsoft WSUS does not give me this sort of management level. We also could not meet the expectation of a 99.9% patch rate with Microsoft WSUS.

It is too early to determine the return on investment.

The licensing cost is more than 2,000 for the whole Americas region.

We have not integrated Qualys Patch Management with CMDB or ITSM tools for ticket management. This Qualys Patch Management deployment is done at the Americas region level, and the ITSM that we have in place is only in South America. Companies in the Americas region do not have ITSM, so there is no integration yet.

I would rate Qualys Patch Management an eight out of ten.

Qualys Patch Management is used to address and remediate server vulnerabilities. It provides a dashboard with information on remediation steps, vulnerability severity, impact, and other relevant details. This tool effectively manages and mitigates security vulnerabilities, ensuring the security of our infrastructure.

Qualys Patch Management provides visibility into our infrastructure's security vulnerabilities, enabling us to demonstrate to external auditors that our infrastructure is secure and vulnerabilities are mitigated. This has strengthened our security posture and significantly improved our overall security.

The TrueRisk automation helps us remediate vulnerabilities without involving our security team.

Qualys Patch Management provides a single source for asset and vulnerability monitoring, allowing us to view remediation status and severity levels from a centralized dashboard.

It is user-friendly and easy to learn, even for someone without experience, enabling them to master the tool within four days.

Qualys Patch Management has helped reduce our organization's risk by 70 to 80 percent.

The most valuable feature is the ability to search for vulnerabilities using their QID. This provides comprehensive information, including severity, CVE, and impact, in an informative dashboard. This allows for a clear understanding of the scope of the infrastructure affected and the specific servers impacted.

The Qualys agent sometimes encounters authorization issues, leading to inaccurate vulnerability reports. Additionally, server updates cause duplicate assets to appear, hindering accurate asset identification.

I have been using Qualys Patch Management for approximately two and a half years.

I would rate the stability of Qualys Patch Management as nine out of ten.

I would rate the scalability of Qualys Patch Management as eight out of ten.

Qualys' technical support is good. We raised some issues, and their response was quick and effective, resolving everything on time.

Positive

The initial setup for one or two servers was straightforward and did not take much time. It was set up before I joined the organization, so my direct experience with a larger-scale setup is limited.

I would rate Qualys Patch Management eight out of ten.

We have three environments: production, development, and QA. To perform patching, we must coordinate with the application team and schedule downtime. Due to the critical nature of the business application running on the production servers, we cannot automate patching; instead, we use satellite servers.

Our organization has between 20 and 30 people who use Qualys Patch Management.

In the two and a half years I've used Qualys Patch Management, I haven't observed any need for maintenance on the tool.

Qualys Patch Management is a valuable tool for large organizations seeking to maintain a secure infrastructure.

Our use cases for Qualys vary depending on the client. I work for a Paris-based French company that provides cybersecurity and metadata services to multiple clients. We primarily use Qualys to check the core infrastructure that hosts everything, scanning and remediating vulnerabilities.

We work with multiple teams, so if we identify a patching issue using Qualys, we might need to escalate it to another department. For example, if we identify a vulnerability in a CI/CD tool the DevOps team uses in Terraform, we're not supposed to touch it. We recommend a time frame for the DevOps team to apply the patch. If the issue is high-severity, they may need to address it as soon as possible. We run the scans, get the reports, and create recommendations.

We have integrated Qualys with our homegrown ticketing tool, but we plan to migrate to ServiceNow. It's a gradual process. Microsoft Sentinel, our SIEM solution, sends alerts to our internal detection and monitoring tool, which ServiceNow will soon replace. Our SIEM tool is responsible for monitoring the overall risk, while we use Qualys to report vulnerabilities that need to be patched.

Qualys improved productivity and efficiency after we became certified and familiar with the tool. However, our efficiency ultimately doesn't rely on us. We're not free to do whatever we want because we need to wait for the approval of our bosses or clients. We only note everything on our customized reports inspired by Qualys' core reporting. 

Our clients typically have a 30 percent security score, and we aim to raise that to at least 90 percent through patch management and vulnerability monitoring and detection so their infrastructure security improves daily.  

Qualys' best feature is its reporting. At first, it may seem a little complicated to a beginning user, but it's helpful once you get used to it. Most of these scans run automatically. We set the scans up for the client to run at daily, weekly, or monthly intervals, depending on how critical the server or other hardware is.

According to the scan target, we adopt a risk-based or patch-based approach. Our company has a large SOC team that covers more than just the scanning aspect. Qualys is one tool we use. Regarding the managerial component, we have documentation and a set of steps to follow. We must also follow all the protocols, regulations, and standards, such as ISO-27000 or GDPR if you are in Europe.  

Qualys could improve its capacity to fix vulnerabilities on VMware and other virtualized environments. The reporting could also be enhanced to make it more user-friendly. It's difficult for beginners to learn.  

I have used Qualys for two and a half years.

We've had no stability issues with Qualys because most clients use high-speed fiber optic connections. 

I rate Qualys support nine out of 10. I've contacted Qualys support four or five times. They're highly efficient. There were some delays and technical issues the first time I called them, but the rest of my experiences went smoothly.

Positive

We used Nessus, but we switched. It was a company decision because it has a partnership with Qualys' parent company. Before that, we used Metasploit

Deploying Qualys was initially overwhelming, but after a lot of tutorials and testing, we got used to it. Three people were involved in the first six months, but now I'm the only one using it. We had some help from Qualys in the first few months.  

I'm unaware of Qualys' exact price, but it's more expensive than Nessus. With technological products, you need to pay to get the best. 

I rate Qualys eight out of 10. It's a great tool, and if I consulted for a client, I would recommend it.