Security Solutions Engineer at a consultancy with 11-50 employees
Real User
Top 10
Nov 18, 2025
Qualys should improve by offering a dedicated testing environment for patches, allowing clients to test patches before deploying them to production. Currently, clients must manage this themselves, creating challenges and difficulties when deploying patches, as a testing environment would simplify the process.
Senior Information Security Analyst at a tech vendor with 1,001-5,000 employees
MSP
Top 20
Oct 23, 2025
One downside is that I've always wanted a dark mode in Qualys Patch Management. Because Qualys is so bright, if you're working in there for a while, you feel blind after extended time. Having a dark mode would be fantastic.
Senior Infrastructure Architect at a tech vendor with 10,001+ employees
Real User
Top 20
Oct 22, 2025
For Qualys Patch Management, I actually talked with their product manager last week during their conference. Unified QQL needs improvement because while they have QQL in Qualys Patch Management, it doesn't pull in the same tokens as VMDR or CCM, so I can't search by similar things. Also, grouping or foldering for Qualys Patch Management jobs would be beneficial because if different groups own different jobs, it all gets dumped into what is essentially a flat file. You're just scrolling through it. You can search, but if we were able to do foldering, that would be great. The third piece would be having an approved catalog. For example, instead of my IT teams doing the patching, I wanted to enable our internal customers, our app teams, to run the jobs themselves but only on patches that we say are good - a curated catalog that the company patch admin approved.Their frontline support could be improved. I'm really close with Qualys and spoke at the conference last week. They already know all this. They know that their support could be better. They just need to get more knowledgeable and not necessarily seem to have to pass the buck to engineering or VulnSig or the product teams.
IT Security Manager at a manufacturing company with 10,001+ employees
Real User
Top 5
Oct 21, 2025
One downside of Qualys Patch Management is that I would love to see them speed up the process of verifying patches and then rolling them out. I know for zero-days, it takes them 24 hours to screen a patch before they make it available for patching on systems. If they could speed that up to remediate the vulnerability faster, that would be great.
For those patches that I have to download for Patch Management, I would prefer if I could upload them to a repository instead of having to download them every time.
Automated Patch Rollback:Ability to revert patches automatically if they cause issues post-deployment Patch Approval Workflow:Built-in approval chains for patch deployment based on asset criticality or business unit Offline Patch Deployment:Support for patching air-gapped or isolated systems without internet access. Third-Party Application Coverage:Currently limited support for non-Microsoft and niche third-party applications.Expanding this would reduce reliance on manual patching or other tools. Agent Performance Optimization:The Qualys Cloud Agent can be resource-intensive, especially on older or low-spec systems.Improvements in memory and CPU usage would enhance endpoint stability.
Regarding improvements in Qualys Patch Management, I did not quite understand the downsides they were expecting. Initially, I was confused about where to find and how to use the available features. It was challenging to identify the options we could employ and why we were using them. However, once I gained hands-on experience, I was able to identify the tool's particular features, making it easier for us to use it. The initial phase had some difficulty with the user interface. I would them to improve user training. They have used many colors, which can be confusing, so they should use specific colors for specific options. For critical options, they could make them red, green for medium, and blue for less significant options. This would make it easier for a beginner to recognize which buttons are dangerous to click. Such adjustments can help new users learn the solution faster.
Sr Security Engineer at a tech services company with 10,001+ employees
Real User
Top 20
Mar 20, 2025
I deploy patches to endpoints and servers every month. However, despite a job showing as successful, I need to examine the job in detail. For instance, if I have deployed patches to 100 endpoints, even though the job status says that it is successful, I still have to go deep into endpoints one by one to identify if there are some failures. It would be better if Qualys Patch Management identifies whether the process has failed at the first instance and provides a retry button or retry mechanism, allowing retries for failed patches. This feature would reduce my manual workload. For reporting issues, we can check if the findings are addressed in the VMDR, but to verify if the latest patches have been applied on the endpoints or servers, we have to examine scheduled jobs one by one. It would help if error messages were clearer about causes, like endpoints being offline. This improvement would streamline troubleshooting, helping users ensure their PCs are on when deploying patches. Fail status alerts providing specific fail details would facilitate easier checks.
There is room for improvement in the inclusion of more patches. That's the only improvement I would suggest. Not all patches are available on Qualys, so they need to get licenses for other patches as well. That would be more helpful.
I do not have any major problems. I think it's working great. My recommendation would be not just for Patch Management but for Qualys itself. I am using Qualys through a third party or reseller. The issue is that when buying Qualys licenses, from my side, I'm buying for about seven thousand five hundred users or machines. I also need to buy licenses for another seven thousand five hundred for patch management. We dislike having to pay extra. We don't mind paying for additional modules like Certificate View. The test management part requires buying licenses. We are trying to negotiate with our reseller. If they can't provide us, we'll go straight to Qualys and see if they can assist.
Vulnerability Management Engineer at a comms service provider with 10,001+ employees
Real User
Top 10
Dec 27, 2024
I struggled to see patch availability for some applications in the Qualys console, requiring me to use third-party repositories. If repositories could be integrated within the Qualys module, it would simplify the patching process for me. Additionally, there are glitches in the VMDR vulnerability section while querying for particular vulnerabilities. There are unwanted commands in the KQL which sometimes hinder my results. For example, we sometimes could get CVE IDs while running a query, but at other times, we could not.
Some patches require OEM consent or must be released by OEM. For example, if an outdated version of a tool like Falcon is detected, Qualys flags it as a vulnerability, but cannot automate the patch update. We can not simply download and do an upgrade. Improved partnerships with OEMs could resolve this. It works with Windows and Linux, but Mac patch support is not yet available.
Downloading extensive vulnerability reports, especially those with millions of entries, is time-consuming. To improve efficiency, Qualys should implement faster download speeds and offer reports in Excel format in addition to the current CSV option.
Security Portfolio Manager at a tech vendor with 10,001+ employees
Real User
Top 10
Nov 29, 2024
They have already covered most of the things. I do not see a lot of opportunities for improvement. It is pretty good. However, it would be good to have more widgets and AI-generated reports. I have not seen anything related to AI with Qualys. It would be beneficial for Qualys to incorporate AI-generated tools for Patch Management and VMDR. This could assist in managing risks, providing AI-generated reports, and creating risk letters for clients, which can streamline communication.
Cybersecurity Engineer at a manufacturing company with 51-200 employees
Real User
Top 5
Oct 18, 2024
They are constantly working on making it better. There is no 100% reliable or working application or software. There are caveats with the network passive sensor when it does not merge or something does not feel right, but whenever I have to report on those things, someone from their support team jumps on and tries to help us, which is why I like it. They should keep it up. They can maybe do check-ins with the customers once a month. All the vendors are doing it nowadays. Qualys can do regular check-ins to go over not only all the vulnerabilities but also the overall process to see if there is anything where we might need improvement. They know about the latest trends, and they have meetings about them. They can relay to us some newer information that we do not know, but they saw in our environment. That would be a nice thing.
System Architect at a leisure / travel company with 10,001+ employees
Real User
Top 10
Oct 17, 2024
I would like a more clear distinction in terms of something I call a patch contract. A patch contract is a bundle of patches that we are going to roll out. I would like to reference those patches from separate jobs. They explained at a conference that it cannot be done, but that is my main complaint. I wish that the whole schema was a little bit clearer because there is a little bit of cloudiness around it. Everything else seems to be fairly straightforward. Additionally, I know there is a cost associated with this, but it would be nice if instead of us having to roll and host our own custom files on AWS or something like that, Qualys could provide some space, even if just a gigabyte or 500 megabytes.
Foundation Services Director at a leisure / travel company with 10,001+ employees
Real User
Top 20
Oct 14, 2024
There is room for improvement in the detection logic. It sometimes detects open vulnerabilities that are not truly there, such as orphan files that are not really exploitable. It would be helpful if they were classified as information-only rather than Sev 4 or Sev 5.
System Admin at a insurance company with 501-1,000 employees
Real User
Top 20
Oct 14, 2024
The Qualys agent sometimes encounters authorization issues, leading to inaccurate vulnerability reports. Additionally, server updates cause duplicate assets to appear, hindering accurate asset identification.
SOC - Cyber Security Engineer at a computer software company with 201-500 employees
Real User
Top 10
Sep 25, 2024
Qualys could improve its capacity to fix vulnerabilities on VMware and other virtualized environments. The reporting could also be enhanced to make it more user-friendly. It's difficult for beginners to learn.
The Qualys Scanning tool is one of the best tools for scanning purposes, virus detection, and vulnerability detection, whereas Qualys Patch Management is helpful only in a few cases, not in all cases. There are multiple tools for patching, such as SCCM, Intune, or Ivanti. One of the challenges that we have faced with the Patch Management tool is that you cannot patch all the things. There are some limitations, whereas, in SCCM, we can create a package and just deploy that through it. Anything is deployable through SCCM, whereas Patch Management is very selective. They should support more applications. For example, you cannot push a patch on Oracle. There is not much automation. For example, with SCCM, you can push anything, but that is not the case with Qualys. We have faced a few corruptions while patching. Even though a patch is feasible through Qualys Patch Management, when we try to push it to our servers, we face some errors or interruptions. When we push the patch, something gets blocked and the patch fails. Even if the patch is within the directory of Qualys, we cannot push it. There are some errors. The Qualys support team can be more communicative. Just sharing a knowledge-based article does not help all the clients or all people. A knowledge-based article might be useful for a technical person, but it does not help someone who is not very technical. They should have a call-based approach. Even companies like Microsoft provide an option for a call for a support case, which allows you to discuss the issue and troubleshoot it quickly. Qualys should improve their support.
A common area for improvement in Patch Management, both within our environment and others I've encountered, is the lack of built-in driver updates. Ideally, the system would handle updates for network interface cards, video cards, and other components, eliminating the need to rely on manufacturer-specific tools like Dell Update or HP Update. Integrating these patching options would significantly improve the overall functionality. Qualys Patch Management primarily updates operating systems, third-party software including Adobe products and many more, leaving video card drivers and firmware updates to other tools. This focus on core software is understandable, as driver and firmware updates can be more complex. The price has room for improvement.
Qualys Patch Management optimizes patching and vulnerability remediation through automation and intelligence insights, accelerating the process by 43% and improving patch rates by 90%. Its integration with CMDB and ITSM tools speeds up ticket closures by 60%, effectively reducing the attack surface while freeing IT and security resources. This cloud-based solution bridges the IT-security gap, making it essential for cybersecurity.
Qualys should improve by offering a dedicated testing environment for patches, allowing clients to test patches before deploying them to production. Currently, clients must manage this themselves, creating challenges and difficulties when deploying patches, as a testing environment would simplify the process.
One downside is that I've always wanted a dark mode in Qualys Patch Management. Because Qualys is so bright, if you're working in there for a while, you feel blind after extended time. Having a dark mode would be fantastic.
For Qualys Patch Management, I actually talked with their product manager last week during their conference. Unified QQL needs improvement because while they have QQL in Qualys Patch Management, it doesn't pull in the same tokens as VMDR or CCM, so I can't search by similar things. Also, grouping or foldering for Qualys Patch Management jobs would be beneficial because if different groups own different jobs, it all gets dumped into what is essentially a flat file. You're just scrolling through it. You can search, but if we were able to do foldering, that would be great. The third piece would be having an approved catalog. For example, instead of my IT teams doing the patching, I wanted to enable our internal customers, our app teams, to run the jobs themselves but only on patches that we say are good - a curated catalog that the company patch admin approved.Their frontline support could be improved. I'm really close with Qualys and spoke at the conference last week. They already know all this. They know that their support could be better. They just need to get more knowledgeable and not necessarily seem to have to pass the buck to engineering or VulnSig or the product teams.
One downside of Qualys Patch Management is that I would love to see them speed up the process of verifying patches and then rolling them out. I know for zero-days, it takes them 24 hours to screen a patch before they make it available for patching on systems. If they could speed that up to remediate the vulnerability faster, that would be great.
For those patches that I have to download for Patch Management, I would prefer if I could upload them to a repository instead of having to download them every time.
Automated Patch Rollback:Ability to revert patches automatically if they cause issues post-deployment Patch Approval Workflow:Built-in approval chains for patch deployment based on asset criticality or business unit Offline Patch Deployment:Support for patching air-gapped or isolated systems without internet access. Third-Party Application Coverage:Currently limited support for non-Microsoft and niche third-party applications.Expanding this would reduce reliance on manual patching or other tools. Agent Performance Optimization:The Qualys Cloud Agent can be resource-intensive, especially on older or low-spec systems.Improvements in memory and CPU usage would enhance endpoint stability.
Regarding improvements in Qualys Patch Management, I did not quite understand the downsides they were expecting. Initially, I was confused about where to find and how to use the available features. It was challenging to identify the options we could employ and why we were using them. However, once I gained hands-on experience, I was able to identify the tool's particular features, making it easier for us to use it. The initial phase had some difficulty with the user interface. I would them to improve user training. They have used many colors, which can be confusing, so they should use specific colors for specific options. For critical options, they could make them red, green for medium, and blue for less significant options. This would make it easier for a beginner to recognize which buttons are dangerous to click. Such adjustments can help new users learn the solution faster.
I deploy patches to endpoints and servers every month. However, despite a job showing as successful, I need to examine the job in detail. For instance, if I have deployed patches to 100 endpoints, even though the job status says that it is successful, I still have to go deep into endpoints one by one to identify if there are some failures. It would be better if Qualys Patch Management identifies whether the process has failed at the first instance and provides a retry button or retry mechanism, allowing retries for failed patches. This feature would reduce my manual workload. For reporting issues, we can check if the findings are addressed in the VMDR, but to verify if the latest patches have been applied on the endpoints or servers, we have to examine scheduled jobs one by one. It would help if error messages were clearer about causes, like endpoints being offline. This improvement would streamline troubleshooting, helping users ensure their PCs are on when deploying patches. Fail status alerts providing specific fail details would facilitate easier checks.
There is room for improvement in the inclusion of more patches. That's the only improvement I would suggest. Not all patches are available on Qualys, so they need to get licenses for other patches as well. That would be more helpful.
I do not have any major problems. I think it's working great. My recommendation would be not just for Patch Management but for Qualys itself. I am using Qualys through a third party or reseller. The issue is that when buying Qualys licenses, from my side, I'm buying for about seven thousand five hundred users or machines. I also need to buy licenses for another seven thousand five hundred for patch management. We dislike having to pay extra. We don't mind paying for additional modules like Certificate View. The test management part requires buying licenses. We are trying to negotiate with our reseller. If they can't provide us, we'll go straight to Qualys and see if they can assist.
I struggled to see patch availability for some applications in the Qualys console, requiring me to use third-party repositories. If repositories could be integrated within the Qualys module, it would simplify the patching process for me. Additionally, there are glitches in the VMDR vulnerability section while querying for particular vulnerabilities. There are unwanted commands in the KQL which sometimes hinder my results. For example, we sometimes could get CVE IDs while running a query, but at other times, we could not.
Some patches require OEM consent or must be released by OEM. For example, if an outdated version of a tool like Falcon is detected, Qualys flags it as a vulnerability, but cannot automate the patch update. We can not simply download and do an upgrade. Improved partnerships with OEMs could resolve this. It works with Windows and Linux, but Mac patch support is not yet available.
Downloading extensive vulnerability reports, especially those with millions of entries, is time-consuming. To improve efficiency, Qualys should implement faster download speeds and offer reports in Excel format in addition to the current CSV option.
The speed of patch deployment could also be faster in some cases. Additionally, support for macOS and Linux has improved.
They have already covered most of the things. I do not see a lot of opportunities for improvement. It is pretty good. However, it would be good to have more widgets and AI-generated reports. I have not seen anything related to AI with Qualys. It would be beneficial for Qualys to incorporate AI-generated tools for Patch Management and VMDR. This could assist in managing risks, providing AI-generated reports, and creating risk letters for clients, which can streamline communication.
The availability of Qualys Patch Management needs to be improved.
It would be beneficial to have more efficiently scheduled task deployments that are tailored to specific asset types or deployment needs.
They are constantly working on making it better. There is no 100% reliable or working application or software. There are caveats with the network passive sensor when it does not merge or something does not feel right, but whenever I have to report on those things, someone from their support team jumps on and tries to help us, which is why I like it. They should keep it up. They can maybe do check-ins with the customers once a month. All the vendors are doing it nowadays. Qualys can do regular check-ins to go over not only all the vulnerabilities but also the overall process to see if there is anything where we might need improvement. They know about the latest trends, and they have meetings about them. They can relay to us some newer information that we do not know, but they saw in our environment. That would be a nice thing.
I would like a more clear distinction in terms of something I call a patch contract. A patch contract is a bundle of patches that we are going to roll out. I would like to reference those patches from separate jobs. They explained at a conference that it cannot be done, but that is my main complaint. I wish that the whole schema was a little bit clearer because there is a little bit of cloudiness around it. Everything else seems to be fairly straightforward. Additionally, I know there is a cost associated with this, but it would be nice if instead of us having to roll and host our own custom files on AWS or something like that, Qualys could provide some space, even if just a gigabyte or 500 megabytes.
There is room for improvement in the detection logic. It sometimes detects open vulnerabilities that are not truly there, such as orphan files that are not really exploitable. It would be helpful if they were classified as information-only rather than Sev 4 or Sev 5.
The Qualys agent sometimes encounters authorization issues, leading to inaccurate vulnerability reports. Additionally, server updates cause duplicate assets to appear, hindering accurate asset identification.
Qualys could improve its capacity to fix vulnerabilities on VMware and other virtualized environments. The reporting could also be enhanced to make it more user-friendly. It's difficult for beginners to learn.
The Qualys Scanning tool is one of the best tools for scanning purposes, virus detection, and vulnerability detection, whereas Qualys Patch Management is helpful only in a few cases, not in all cases. There are multiple tools for patching, such as SCCM, Intune, or Ivanti. One of the challenges that we have faced with the Patch Management tool is that you cannot patch all the things. There are some limitations, whereas, in SCCM, we can create a package and just deploy that through it. Anything is deployable through SCCM, whereas Patch Management is very selective. They should support more applications. For example, you cannot push a patch on Oracle. There is not much automation. For example, with SCCM, you can push anything, but that is not the case with Qualys. We have faced a few corruptions while patching. Even though a patch is feasible through Qualys Patch Management, when we try to push it to our servers, we face some errors or interruptions. When we push the patch, something gets blocked and the patch fails. Even if the patch is within the directory of Qualys, we cannot push it. There are some errors. The Qualys support team can be more communicative. Just sharing a knowledge-based article does not help all the clients or all people. A knowledge-based article might be useful for a technical person, but it does not help someone who is not very technical. They should have a call-based approach. Even companies like Microsoft provide an option for a call for a support case, which allows you to discuss the issue and troubleshoot it quickly. Qualys should improve their support.
A common area for improvement in Patch Management, both within our environment and others I've encountered, is the lack of built-in driver updates. Ideally, the system would handle updates for network interface cards, video cards, and other components, eliminating the need to rely on manufacturer-specific tools like Dell Update or HP Update. Integrating these patching options would significantly improve the overall functionality. Qualys Patch Management primarily updates operating systems, third-party software including Adobe products and many more, leaving video card drivers and firmware updates to other tools. This focus on core software is understandable, as driver and firmware updates can be more complex. The price has room for improvement.