reviewer2590236 - PeerSpot reviewer
Information Security Lead at a consultancy with 10,001+ employees
MSP
Top 5
Nov 7, 2024
Ensures comprehensive patch compliance with automation and third-party support
Pros and Cons
  • "Qualys Patch Management offers a valuable feature that allows for deferred reboots, giving users control while still ensuring eventual patching."
  • "Qualys Patch Management leverages vulnerability feeds from the VMDR module, allowing us to identify vulnerabilities missing Qualys patches."
  • "Currently, there are limitations in downloading patch jobs to view all associated assets and patch statuses."
  • "This authentication requirement blocks some patches from being pushed through Qualys, leaving them in a locked state."

What is our primary use case?

We previously used native patch management tools like SCCM servers for Microsoft, Linux, and Mac OS. However, with the shift to remote work in 2020, we encountered issues pushing patches through these on-premise servers. To address this, we adopted Qualys Patch Management, leveraging their cloud agents that are already in place. This simplified patch deployment, allowing us to push patches directly from the Qualys cloud platform, eliminating the need for on-premise servers and VPN connections, which often caused bandwidth congestion and patch deployment failures. 

Qualys Patch Management only requires an internet connection, significantly improving our patching efficiency and overcoming previous challenges with large patch sizes and network limitations.

How has it helped my organization?

Qualys Patch Management employs a risk-based approach to automation, utilizing the TruRisk feature within the Qualys VMDR module. TruRisk assesses the security posture of infrastructure by considering asset criticality and assigning a Qualys detection score to each vulnerability. This combination generates a TruRisk score for each asset, enabling the identification of critical assets such as crown jewels or public-facing systems. By categorizing assets based on criticality, users can prioritize vulnerability remediation directly from the VMDR interface. This prioritization seamlessly integrates with Qualys Patch Management, allowing for efficient patch deployment by clicking the Patch Now option in VMDR.

Qualys Patch Management and VMDR are seamlessly integrated, enabling direct communication between them. Patch Management obtains necessary vulnerability and missing patch data directly from the VMDR interface. Both modules rely on the Qualys Cloud Agent to gather complete vulnerability information from VMDR. This integration allows for direct patch deployment through either VMDR or Patch Management.

The COVID-19 pandemic significantly increased cyberattacks on organizations due to the shift to remote work and the resulting expansion of vulnerable attack surfaces. Employees connecting to company networks from home created security gaps that cybercriminals exploited, particularly with ransomware. To mitigate this, organizations adopted proactive measures like using Qualys Patch Management to quickly deploy patches and updates, addressing vulnerabilities, and protecting against attacks without relying on scheduled downtime.

We use the TruRisk scoring mechanism, which ranges from zero to 1,000, to assess and prioritize vulnerabilities. This score is based on Qualys-defined ranges for severity levels (critical, high, medium, and low) and our asset criticality scoring. We categorize assets by creating tags for groups belonging to different organizational entities and assign criticality scores to those tags. By combining the asset criticality score with the Qualys detection score provided on a QID basis for each vulnerability, we calculate the TruRisk score. This allows us to identify the number of assets with critical or high-severity vulnerabilities and prioritize remediation efforts.

We have used Qualys Patch Management for four years, but our organization has used Qualys for over 12 years. In that time, I've also used other leading scanning vendors like Tenable and Rapid7. Compared to those, Qualys more accurately detects vulnerabilities due to its cloud agent. This agent, installed on the end asset, reads complete metadata, including the registry and other areas, to identify vulnerable software versions. For example, if an application vulnerability is identified, we can check the asset's installed programs. Even if the software isn't found there, Qualys provides the path where the vulnerable version is detected, often revealing remnant files. These files, left behind even after uninstallation, can be exploited by attackers. Qualys detects these remnants, ensuring accurate vulnerability identification, even if the software appears to be absent from the endpoint.

Although Qualys may be more expensive than other vulnerability scanning tools, its accuracy and effectiveness justify the cost. While alternatives like Tenable Professional offer unlimited IP scanning at a lower price, Qualys provides superior vulnerability detection. This leads to a good return on investment by minimizing security breaches and associated costs, such as reputational damage and compromised client data. Ultimately, Qualys increases stakeholder confidence by providing a high level of protection against cyberattacks.

We previously used a native patch management solution, which resulted in consistently low patch compliance. Achieving even 80 percent compliance often took an entire month, by which time Microsoft would release new security patches. Despite the challenge of maintaining high patch compliance across our extensive infrastructure, with Qualys Patch Management, we now achieve 75 to 80 percent compliance within the first week and 90 to 95 percent within two weeks of patch release. Consequently, our monthly patch compliance consistently exceeds 95 percent.

We augmented our existing vulnerability management solution by adding Qualys Patch Management. Before 2020, we relied solely on Qualys VMDR and other modules. Subsequently, we transitioned to Qualys Patch Management for most patching tasks, although we still utilize Microsoft Intune and SCCM for Microsoft OS assets. Qualys Patch Management leverages vulnerability feeds from the VMDR module, allowing us to identify vulnerabilities missing Qualys patches. Using Qualys Query Language queries within the Qualys interface, we can pinpoint assets with missing patches by searching for Qualys missing patches. This capability enables us to prioritize vulnerability remediation through Patch Management, supplementing our broader vulnerability management strategy.

What is most valuable?

Installing patches on end assets requires a reboot to take effect, and without it, vulnerabilities remain. Qualys Patch Management offers a valuable feature that allows for deferred reboots, giving users control while still ensuring eventual patching. This feature provides flexibility and reduces disruption. Additionally, a forced reboot option can be implemented via script to ensure all assets are regularly updated, eliminating the need for user intervention. The interface provides a clear view of patch job statuses, including failures and their reasons. It also displays missing patches by QID, allowing for easy identification and one-click patching. This streamlines the patching process and improves overall efficiency.

What needs improvement?

Currently, there are limitations in downloading patch jobs to view all associated assets and patch statuses. This issue has been raised with Qualys, who may be working on a feature request to address it. While generally satisfied with the Qualys Patch Management interface, another challenge is that some third-party applications, like Oracle, require a license for redirection to their website and subsequent patch access. This authentication requirement blocks some patches from being pushed through Qualys, leaving them in a locked state. This issue, however, only affects a few applications, as most do not require a license for patch access.

Buyer's Guide
Qualys Patch Management
January 2026
Learn what your peers think about Qualys Patch Management. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,733 professionals have used our research since 2012.

For how long have I used the solution?

I have used Qualys Patch Management since 2020.

What do I think about the stability of the solution?

I would rate the stability of Qualys Patch Management nine point five out of ten, with minimal latency or other issues. Any observed latencies typically stem from our internal network rather than the cloud platform.

What do I think about the scalability of the solution?

I would rate the scalability of Qualys Patch Management ten out of ten.

How are customer service and support?

The support is robust and available around the clock. We have been provided with clear escalation points of contact, ensuring timely responses and resolution for any issues.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before 2020, Microsoft SCCM and Intune were our primary tools for patching Microsoft assets. However, to improve compliance rates and manage third-party application patches more effectively, we transitioned to Qualys Patch Management.

How was the initial setup?

We easily deployed Qualys Patch Management. Previously, security concerns discouraged cloud-based data storage. However, with robust cloud security controls in place, we confidently utilize this cloud-based module.

What about the implementation team?

Implementation involved our internal IT team, who manage the operations of pushing patches.

What was our ROI?

The return on investment from Qualys Patch Management is significant because a security breach can severely damage an organization's reputation and lead to loss of business. Therefore, we are completely satisfied with the ROI from our investment in the Qualys Patch Management module.

What's my experience with pricing, setup cost, and licensing?

Pricing for Qualys Patch Management is moderate.

Which other solutions did I evaluate?

Other solutions evaluated include Tenable and Rapid7, but Qualys Patch Management stood out for its accuracy and detection capabilities.

What other advice do I have?

I would rate Qualys Patch Management eight out of ten.

We investigated integrating Qualys Patch Management with our current configuration management database but found that integration is not supported due to a lack of API access. However, we plan to migrate to ServiceNow soon, allowing us to integrate our CMDB or asset management system with Qualys. This integration will improve visibility by enabling us to identify asset owners and remediate vulnerabilities quickly. We expect to complete this migration within the next few months.

Our clients utilize various off-site data centers with distinct networks, including DMZs and intranets, resulting in multiple operational areas. We possess many assets within these networks, exceeding 300,000, and we rely entirely on Qualys Patch Management for their maintenance. We have around 70 team members that utilize the solution.

Patch Management is entirely maintained by Qualys.

I would definitely recommend Qualys Patch Management. Detecting vulnerabilities alone isn't enough; a robust patch management tool is essential for securing an organization.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Sr Security Engineer at a tech services company with 10,001+ employees
Real User
Top 20
Mar 23, 2025
Supports various applications and reduces manual workload
Pros and Cons
  • "Patch Management supports various software lists when compared to Microsoft Intune. It is especially beneficial for non-Microsoft applications. I can create a schedule, and various patches can be automatically deployed."
  • "Patch management significantly helped us track and reduce vulnerabilities."
  • "It would be better if Qualys Patch Management identifies whether the process has failed at the first instance and provides a retry button or retry mechanism, allowing retries for failed patches. This feature would reduce my manual workload."
  • "I deploy patches to endpoints and servers every month. However, despite a job showing as successful, I need to examine the job in detail."

What is our primary use case?

I use Qualys Patch Management as a single platform for patch management. We have Microsoft, Adobe, and various other apps. I create a scheduled task to push all the required patches to the laptops so that they have the latest version of these apps.

We also do compliance checks to ensure that, for example, we have the golden image on our servers and laptops. We use it for scanning to ensure that configurations are correct and based on the CIS guidelines.

All our servers and laptops have the Qualys agent, and we can then push the patches to those devices.

How has it helped my organization?

Patch Management offers a patch-based approach to vulnerabilities. It helps us prioritize and schedule critical or high-severity patches to address issues.

Patch Management gives us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

I use Patch Management with Qualys VMDR. After the patches are deployed, I check Qualys VMDR to verify if the issues have been addressed.

The Risk Reduction Recommendation Report is fine. It has some general information. It can give insights to people who are not familiar with the findings. I can generate a report and share it with different IT groups to help them understand the issue and the suggested solution. It can help address 70% to 80% of the issues. The rest of them might require further discussion to come up with a solution.

Patch management significantly helped us track and reduce vulnerabilities. For example, before adopting Qualys Patch Management, we found 10,000 or more vulnerabilities. We have now addressed those, limiting existing vulnerabilities to around hundreds. There is a great improvement.

What is most valuable?

Patch Management supports various software lists when compared to Microsoft Intune. It is especially beneficial for non-Microsoft applications. I can create a schedule, and various patches can be automatically deployed. There is no need to create a PowerShell script. It helps reduce the manual workload for patch deployment. 

What needs improvement?

I deploy patches to endpoints and servers every month. However, despite a job showing as successful, I need to examine the job in detail. For instance, if I have deployed patches to 100 endpoints, even though the job status says that it is successful, I still have to go deep into endpoints one by one to identify if there are some failures. It would be better if Qualys Patch Management identifies whether the process has failed at the first instance and provides a retry button or retry mechanism, allowing retries for failed patches. This feature would reduce my manual workload. 

For reporting issues, we can check if the findings are addressed in the VMDR, but to verify if the latest patches have been applied on the endpoints or servers, we have to examine scheduled jobs one by one. 

It would help if error messages were clearer about causes, like endpoints being offline. This improvement would streamline troubleshooting, helping users ensure their PCs are on when deploying patches. Fail status alerts providing specific fail details would facilitate easier checks.

For how long have I used the solution?

I have been using Qualys Patch Management for at least two years.

What do I think about the stability of the solution?

It is highly stable. I would rate it an eight out of ten for stability.

What do I think about the scalability of the solution?

We are utilizing it fully. It serves our needs.

How are customer service and support?

We get the first response to a question within two days, but when we have follow-up questions, they take longer, and the case may get dragged a little bit. It is not fit for us sometimes.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Intune is a comparison point, but previously, we had Ivanti Patch Management. Qualys Patch Management is much better, considering the number of issues we could address with it.

How was the initial setup?

The initial setup was quite a normal process. We needed to install the appliance and establish firewall rules to allow traffic with different software. For the endpoint part, Qualys agents were installed on the machines. We had no serious challenges deploying to most endpoints or configuring the firewall.

Which other solutions did I evaluate?

I am currently conducting a patch management review and evaluating new features or products, and Qualys Patch Management still meets our requirements.

What other advice do I have?

I would rate Qualys Patch Management an eight out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2770635 - PeerSpot reviewer
Senior Infrastructure Architect at a tech vendor with 10,001+ employees
Real User
Top 20
Oct 22, 2025
Recurring jobs have simplified patching across hybrid environments and reduced manual effort
Pros and Cons
  • "It was complicated because there were so many different moving parts. That's where Qualys Patch Management comes in and is able to work across all platforms. It's easy because you don't have to manage all kinds of different things for every cloud."
  • "Unified QQL needs improvement because while they have QQL in Qualys Patch Management, it doesn't pull in the same tokens as VMDR or CCM, so I can't search by similar things."

What is our primary use case?

We do it for our OS patching across multiple clouds. If we don't put GE Vernova on there, then I can say we use it for AWS and Azure, plus on-prem. It's used across OS platforms too, so Windows and Linux-based. Our OS team uses it monthly to patch, and then we also supplement third-party software, such as Chrome, Edge, Notepad++, Wireshark, and all that software that people will install and forget to uninstall and forget that they have to patch it. We do that almost weekly as well.

What is most valuable?

My favorite feature is reoccurring jobs. We had some requirements where we needed some options added to do reoccurring jobs, and they were able to add that in. Now we mostly use reoccurring jobs, and we don't have to touch them. The hardest part now is just getting change controls through our change management team instead of actually creating the jobs.

It has simplified so much from a cost overhead and perspective.

What needs improvement?

For Qualys Patch Management, I actually talked with their product manager last week during their conference. Unified QQL needs improvement because while they have QQL in Qualys Patch Management, it doesn't pull in the same tokens as VMDR or CCM, so I can't search by similar things. Also, grouping or foldering for Qualys Patch Management jobs would be beneficial because if different groups own different jobs, it all gets dumped into what is essentially a flat file. You're just scrolling through it. You can search, but if we were able to do foldering, that would be great. The third piece would be having an approved catalog. For example, instead of my IT teams doing the patching, I wanted to enable our internal customers, our app teams, to run the jobs themselves but only on patches that we say are good - a curated catalog that the company patch admin approved.

Their frontline support could be improved. I'm really close with Qualys and spoke at the conference last week. They already know all this. They know that their support could be better. They just need to get more knowledgeable and not necessarily seem to have to pass the buck to engineering or VulnSig or the product teams.

For how long have I used the solution?

We've been using it since April of last year, so April of '24, which is approximately 18 months.

What do I think about the stability of the solution?

There are times where Qualys sometimes delays or doesn't have the catalog updated. For example, Red Hat comes out with an update and a week later, it wasn't in the Qualys catalog, which causes us to scramble.

What do I think about the scalability of the solution?

On our pod, we don't experience issues. One of my colleagues on a different pod has issues there. I'm on their biggest pod that brings in the most revenue, so they're very cautious with what they do on that.

How are customer service and support?

Their frontline support could be improved. I'm really close with Qualys and spoke at the conference last week. They already know all this. They know that their support could be better. They just need to get more knowledgeable and not necessarily seem to have to pass the buck to engineering or VulnSig or the product teams.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used WSUS and custom scripts for Linux before. On-prem, we used SSM for AWS and Patch Management for Azure. It was complicated because there were so many different moving parts. That's where Qualys Patch Management comes in and is able to work across all platforms. It's easy because you don't have to manage all kinds of different things for every cloud. Your agent's already on the box because we have a rule that every server has to have an agent on it.

How was the initial setup?

The setup was actually easy. We already had VMDR deployed and agents everywhere, so it was a couple clicks to enable it.

What about the implementation team?

The implementation took approximately a month, though some of that was due to our delay. We had one to two people involved, and part of the timeline was due to our internal processes, not Qualys Patch Management.

What was our ROI?

You can always drive pricing down, but I think it's reasonable. For what we get out of it, I think it's a reasonable investment.

What other advice do I have?

I think that's where we have to go as an industry because you can't address everything all the time. Adding the risk on top, if it's an external asset compared to something internal inside your vault, the risk is much greater for exfiltration of data. The risk-based approach absolutely is the right way to go about it.

I rate Qualys Patch Management a nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Oct 22, 2025
Koketso Ditlhage - PeerSpot reviewer
Information Communication Technology Specialist at an educational organization with 5,001-10,000 employees
Real User
Top 5
Feb 10, 2025
Efficiently manages vulnerabilities and patch management with automated features
Pros and Cons
  • "I would give it a ten out of ten."
  • "We dislike having to pay extra. We don't mind paying for additional modules like Certificate View."

What is our primary use case?

We are in the education industry, and we perform weekly scans. On weekends, we scan our entire management, servers, and expectations. Then on Monday, I set up some weekly reports. From these, I'll have my vulnerabilities and Patch management reports showing which third-party applications I installed on users' workstations. I tested these on a Monday or Tuesday with Patch Management. If all goes well, by Wednesday or Thursday, I'm patching the rest of the environment. In terms of workstations, I scan and patch them weekly, but for servers, I wait for the Microsoft patching cycle. Only then do we patch the servers, allowing for a restart for each update. After the Microsoft updates, we can restart our servers.

What is most valuable?

The auto patch is useful. On zero-day vulnerabilities or patches, we can automatically apply those without user interference. We can drastically decrease vulnerabilities, especially third-party ones, such as a Java update that usually takes time to test on different machines. With Patch Management, machines can be grouped into test workstations, and a fix can be deployed and monitored for a day or two. If nothing goes wrong, it is deployed to all users. In Koketso Towers, you will notice about one thousand or five thousand mortgages decrease. This has helped us keep up with vulnerabilities, especially on workstations. Test management is a module added to the vulnerability management scanner, which also has the auto-fix feature. We don't usually use this on servers but on workstations. For instance, if there's a vulnerability that is not a zero-day, but something else, we can test and deploy it almost immediately from the workstation.

What needs improvement?

I do not have any major problems. I think it's working great. My recommendation would be not just for Patch Management but for Qualys itself. I am using Qualys through a third party or reseller. The issue is that when buying Qualys licenses, from my side, I'm buying for about seven thousand five hundred users or machines. I also need to buy licenses for another seven thousand five hundred for patch management. We dislike having to pay extra. We don't mind paying for additional modules like Certificate View. The test management part requires buying licenses. We are trying to negotiate with our reseller. If they can't provide us, we'll go straight to Qualys and see if they can assist.

For how long have I used the solution?

I have been using Patch Management for about six months now.

What do I think about the stability of the solution?

The solution is very stable. I have encountered no problems so far.

How are customer service and support?

We don't interact much since our service is managed. We only contact Qualys if there are serious issues. Last year, we communicated with Qualys two times when our service provider couldn't assist us in resolving one vulnerability.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We started before moving to VMDR. We used a previous version called Qualys VM, and now it's Qualys VMDR. With Qualys VM, we had access to the console.

How was the initial setup?

The setup was straightforward. We began by installing the scanner, scanning the entire environment, and then categorizing items as servers, workstations, etc., applying tags accordingly. It took us about two weeks to have it fully operational with both daily and monthly reports set up. The deployment is easy through SCCM from Microsoft, as we deploy based on our AD groups.

What other advice do I have?

I would give it a ten out of ten. It is an excellent module to have within the environment, as most environments have Windows Patch cycles, but not for third-party applications. Patch Management not only addresses third-party applications but can also patch vulnerabilities. It allows seamless deployment from the console if a patch for a vulnerability is available. I would rate the overall solution a 10 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sihle Mdlalose - PeerSpot reviewer
Cybersecurity Engineer Nse 5 at a tech services company with 51-200 employees
Reseller
Feb 8, 2026
Centralized patch insights have improved endpoint risk prioritization and automated routine fixes
Pros and Cons
  • "The integration with the VMDR platform, asset management platform, web application scanning platform, and having it all in one platform is world-class."
  • "The turnaround for support is a bit slow, especially when trying to deploy patches that are not accepted by certain devices, leading to delays in addressing urgent customer issues."

What is our primary use case?

I have been working with Qualys Patch Management specifically for about two years. I started with Qualys VMDR, the asset management, the web application scanning platform, and then when we began patching as well, I started using the patch management suite.

In this current field, I have been working for a little over two years. Previously, I worked directly in vulnerability management with Qualys as the main engine behind the service.

Currently, I work as a distributor. We use Qualys Patch Management from the distributor's point of view and we get to see patch management in action or get to ensure patch management is deployed properly for a lot of different clients. We get to see different use cases. Most clients at first approach just want to see a view of all their patches and to be able to see all the endpoints that need patching.

What is most valuable?

Qualys Patch Management does a lot in terms of supporting patches for Windows products and has a robust patch management suite for Linux. The integration with the VMDR platform, asset management platform, web application scanning platform, and having it all in one platform is world-class.

The patch management suite allows a correlation between vulnerabilities and patches, enabling the prioritization of patch deployment. Clients use it primarily to patch endpoints and it is especially beneficial for less critical patches as it can automatically deploy them. The QGS server integrates well with the patch management engine.

What needs improvement?

Getting support from the vendor regarding custom things around patch management could be improved. The turnaround for support is a bit slow, especially when trying to deploy patches that are not accepted by certain devices, leading to delays in addressing urgent customer issues.

There is also potential improvement needed on the reporting side. While default reports and recommendation reports are available, further enhancements could be made.

Occasionally, there is downtime when accessing the cloud platform, though it is rare.

What do I think about the stability of the solution?

Sometimes, there are issues with patches not being deployed to certain devices or devices not accepting patches. This results in clients raising support tickets, but resolving these takes a while due to the interaction between the vendor, distributor, and customer.

What do I think about the scalability of the solution?

Qualys Patch Management is scalable and handles from 10 IP networks to 20,000 IP networks. It supports cloud-based deployments, allowing scans to be run directly from the cloud without using extensive internal resources.

It can scale to manage large numbers of endpoints, deploying scanners at different branches to communicate back to the main cloud platform for easier management.

How are customer service and support?

The main issue with customer service is the time it takes to resolve support queries. However, once help is provided, I receive good support, sometimes with calls to assist with technical support queries. Over time, relationships can be built with specific support personnel.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

I have used similar products like Microsoft Intune and FortiGate, which has a patching type of solution within its FortiClient. I also work with Ivanti for patching endpoints.

How was the initial setup?

Deploying Qualys Patch Management is straightforward, well-documented, and involves running the agent on endpoints or deploying it via group policy. Scanner deployment only requires inputting the IP and Qualys code, connecting directly to the cloud.

What about the implementation team?

I resell Qualys Patch Management. Other IT providers with clients requiring vulnerability management come to me to purchase the solution since I am a main distributor in the SADC region.

What's my experience with pricing, setup cost, and licensing?

Pricing is standard across international markets, comparable with FortiGate and Palo Altos. It is fair given Qualys' unique risk-based approach, but in regions like South Africa, costs can be high due to the USD pricing, amounting to a significant portion of a standard employee's salary.

What other advice do I have?

I have not interacted much with the reporting aspect of patch management due to moving away from hands-on technical work to pre-sales roles. Integrating with ServiceNow allows assigning and tracking vulnerabilities to specific users or departments. My overall rating for this product is 8 out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
Last updated: Feb 8, 2026
reviewer2593263 - PeerSpot reviewer
Manager Information Security at a consultancy with 10,001+ employees
MSP
Top 5
Dec 4, 2024
Remediated nearly 25 million vulnerabilities within our organization, significantly reducing our overall vulnerability count
Pros and Cons
  • "Qualys Patch Management offers excellent features, most notably the Qualys Gateway Service, which caches patches and distributes them to agents, minimizing bandwidth consumption."
  • "Qualys Patch Management has reduced our organizational risk by 99.9 percent."
  • "One area for improvement in Qualys Patch Management is knowing whether patches have been completely downloaded in a particular QGS appliance."

What is our primary use case?

We primarily use Qualys Patch Management for deploying Microsoft's monthly security updates, released every second Tuesday. To mitigate vulnerabilities, we promptly create patch jobs for all endpoints and servers upon release and inform stakeholders of the urgent need for deployment. We adhere to strict SLAs, ensuring the entire patch cycle is completed within one to two weeks.

We implemented Qualys Patch Management to efficiently patch our endpoints and servers.

How has it helped my organization?

Qualys' risk-based approach to automation is helpful for addressing vulnerabilities. We utilize TruRisk management for a comprehensive risk overview, employing a tag-based system to assign criticality scores. This allows us to prioritize patching through Qualys Vulnerability Management, Detection, and Response based on the severity of risks.

The integration of Qualys Patch Management and VMDR is critical for automating the deployment of relevant patches and configurations to remediate vulnerabilities. Within our organization's 343,000 assets, multiple entities and tags allow us to leverage VMDR to identify critical vulnerabilities and prioritize patching for high-value machines. This integration enables us to proactively push patches to all server and endpoint agents, effectively mitigating vulnerabilities.

The implementation of Qualys Patch Management has resulted in the remediation of nearly 25 million vulnerabilities within our organization, significantly reducing our overall vulnerability count.

TruRisk automation allows us to address vulnerabilities without involving our security team, as we can directly assess their criticality levels.

Qualys Patch Management provides a single source of truth for managing assets and vulnerabilities, enabling assessment, prioritization, and remediation. Its comprehensive view of each asset streamlines collaboration between security and IT teams, facilitating efficient vulnerability management.

The single source of truth helped reduce costs by 95 percent.

We have improved our patch rate to over 86 percent by implementing Qualys Patch Management. Previously, patches were managed through both Microsoft Intune and SCCM, which proved less effective.

The risk reduction report allows us to split the remediation based on criticality.

The risk reduction report provides recommendations on how to remediate vulnerabilities. Once a fix is available, the corresponding patch can be deployed to all assets based on the associated CVE identifier.

Qualys Patch Management has reduced our organizational risk by 99.9 percent.

What is most valuable?

Qualys Patch Management offers excellent features, most notably the Qualys Gateway Service, which caches patches and distributes them to agents, minimizing bandwidth consumption. The platform provides comprehensive visibility into patch status across endpoints and servers, supporting Linux and macOS in addition to Windows. Qualys has been instrumental in our vulnerability remediation efforts, enabling us to address nearly 25 million vulnerabilities.

What needs improvement?

One area for improvement in Qualys Patch Management is knowing whether patches have been completely downloaded in a particular QGS appliance. If a platform owner could verify that patches are downloaded on the appliance side, it would be possible to push them through to all agents confidently.

For how long have I used the solution?

I have been using the Patch Management solution for more than four years.

What do I think about the stability of the solution?

We did not encounter any significant stability issues. Control level issues can arise, but these can be addressed through support cases.

What do I think about the scalability of the solution?

I rate the scalability of Qualys Patch Management ten out of ten.

How are customer service and support?

I am completely satisfied with Qualys' customer service.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are using SCCM and Intune, but they are not able to achieve the same Qualys patch percentages.

How was the initial setup?

The initial setup was straightforward. Since Patch Management is not a separate module, it is integrated with the overall Qualys deployment, allowing us to enable licenses for VMDR and PM automatically.

Deploying on one machine takes ten minutes.

What about the implementation team?

To begin, we'll deploy the Qualys agent using an external tool on a separate system. Once the agent appears in the Qualys console, we can proceed by differentiating tags, assigning activation keys, verifying reported machines, and creating multiple vulnerability-based jobs.

What was our ROI?

We have achieved significant time savings of 90 percent, primarily due to comprehensive oversight and visibility of security issues. This streamlined approach reduces time spent addressing vulnerabilities and ensures efficient mitigation of any threats. Consequently, our robust security posture remains uncompromised, yielding substantial benefits.

What's my experience with pricing, setup cost, and licensing?

Qualys Patch Management is a cost-effective solution for managing our 43,000-plus assets. Its efficiency and effectiveness in vulnerability remediation justify the associated expenses.

What other advice do I have?

I would rate Qualys Patch Management ten out of ten.

To enhance visibility, we will utilize the TruRisk features more effectively in the future.

Our organization has 342,000 assets and over 150 people with access to Qualys, which is deployed across the entire organization.

No maintenance is required from our end.

I recommend Qualys Patch Management due to its comprehensive features. It saves time and provides significant tools for identifying vulnerabilities, pushing patches, and providing pre- and post-action capabilities. Virtual patching is available to mitigate many vulnerabilities.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Senior Information Security Analyst at a tech vendor with 1,001-5,000 employees
MSP
Top 20
Oct 23, 2025
Has enabled me to patch Windows workstations from detection to remediation in one place
Pros and Cons
  • "Qualys Patch Management gives me a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated."
  • "I find the stability of Qualys Patch Management to be inconsistent; sometimes it works fine, while other times when I try to show a colleague something quickly, it takes considerable time to respond."

What is our primary use case?

My use cases for Qualys Patch Management are primarily for Windows workstations.

What is most valuable?

My favorite feature of Qualys Patch Management is being able to go from detection to patching in a single platform.

Qualys Patch Management helps me remediate vulnerabilities without needing to involve the security team because I am the security team. It helps me get context of what's going on.

What needs improvement?

One downside is that I've always wanted a dark mode in Qualys Patch Management. Because Qualys is so bright, if you're working in there for a while, you feel blind after extended time. Having a dark mode would be fantastic.

For how long have I used the solution?

I have been using Qualys Patch Management since the end of 2023.

What do I think about the stability of the solution?

I find the stability of Qualys Patch Management to be inconsistent; sometimes it works fine, while other times when I try to show a colleague something quickly, it takes considerable time to respond.

What do I think about the scalability of the solution?

The scalability of Qualys Patch Management seems good.

How are customer service and support?

I contact their technical support or customer support frequently.

The quality and speed of their support could be better.

I would rate their support a five out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial deployment of Qualys Patch Management is difficult.

I wasn't involved with the company during the initial deployment, which occurred approximately ten years ago. However, newer modules and connector configurations always seem more difficult than they should be.

What was our ROI?

Regarding pricing for Qualys Patch Management, if you can get a good deal, the value is there. It's on the pricier side, but it provides value if you can utilize it effectively.

Which other solutions did I evaluate?

I have used alternatives such as Tenable.

I prefer Qualys over Tenable.

The biggest difference between Qualys and Tenable is reporting, as the quality of reports from Qualys is much better received than those from Tenable.

What other advice do I have?

I use Qualys Patch Management with VMDR.

This integration with VMDR is important for me.

Qualys Patch Management gives me a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

I use the Risk Reduction Recommendation report in Qualys Patch Management.

The Risk Reduction Recommendation report is helpful.

Qualys Patch Management helps me streamline remediation and gives me a good starting point.

If the risk-based approach to automation is set up correctly, it performs excellently.

For newer deployments of Qualys Patch Management, typically one person handles the implementation.

I maintain Qualys Patch Management consistently, so it requires minimal effort on my end.

My advice for new users of Qualys Patch Management is to spend time at the training center. A streamlined initial video guide would be beneficial.

I rate Qualys Patch Management an eight out of ten overall.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Oct 23, 2025
Karan Bhateja - PeerSpot reviewer
System Engineer at a tech services company with 11-50 employees
Real User
Top 20
Dec 23, 2024
Quick vulnerability detection and patching with room for better support
Pros and Cons
  • "Qualys Patch Management's most valuable feature is its responsiveness."
  • "Qualys Patch Management has reduced our organization's risk by almost 90 percent."
  • "There is a limitation where Qualys may not always offer solutions for remediation, particularly for end-of-life or end-of-service applications."
  • "Customer support for Qualys Patch Management is lacking. The support cases we've raised often resulted in us finding the solution independently."

What is our primary use case?

We use Qualys Patch Management for patching Windows updates, deploying third-party and Microsoft patches, and other application updates to manage vulnerabilities and respond to threats.

If new vulnerabilities are found in the environment, we deploy patches or find solutions to remediate the problems. We implemented Qualys Patch Management for this purpose.

How has it helped my organization?

To enhance vulnerability management by upgrading or updating applications, we've implemented a recurring job in Qualys Patch Management. This job automatically scans for missing updates on a daily or weekly basis, ensuring all applications remain current. This automated process streamlines patch management and strengthens our overall security posture.

We use Patch Management with Qualys VMDR and find its integration capabilities helpful. This tool automatically identifies vulnerabilities and provides the necessary patches, configuration changes, or updates for remediation. Previously, we needed separate tools for vulnerability scanning, solution finding, and implementation. Qualys streamlines this process by not only identifying vulnerabilities but also recommending and implementing solutions, including patches, updates, and configuration changes, effectively helping us remediate vulnerabilities in our environment.

The machines connected to the environment and reporting to Qualys have a better patching system. It continuously monitors for missing updates daily through scheduled tasks. If any are found, they are automatically installed. This ongoing monitoring and automatic installation is an excellent benefit of Qualys Patch Management.

TruRisk automation allows us to address vulnerabilities without direct involvement from our security team. When we first implemented Qualys, we had a backlog of approximately 130,000 vulnerabilities, some dating back six months or more. By utilizing Qualys as a remediation tool to track, address, and resolve these vulnerabilities, we have successfully reduced the number to 15,000.

Qualys Patch Management provides a centralized platform to identify, prioritize, and address vulnerabilities across our assets. It uses a severity scoring system ranging from one to five, allowing us to assess and prioritize vulnerabilities accordingly.

Before using Qualys, we used SCCM, which gave us good results with over 95 percent compliance. Qualys achieves similar compliance rates if we maintain regular monthly patching. While the compliance numbers haven't changed significantly, Qualys offers greater automation, eliminating the need for manual checks on individual machines. This automation is a significant advantage over our previous system.

We are using Qualys Patch Management in parallel with our Vulnerability Management solution.

Qualys Patch Management has reduced our organization's risk by almost 90 percent.

What is most valuable?

Qualys Patch Management's most valuable feature is its responsiveness. Unlike other products that require waiting for a scheduled update cycle, Qualys allows for immediate deployment of patches and updates. This ensures vulnerabilities are addressed quickly, minimizing security risks.

What needs improvement?

Qualys Patch Management needs improvement in customer support and certain feature enhancements. Although we receive support from Qualys, we often find that we must identify solutions independently. Additionally, features could be refined or expanded, as we've already submitted several requests to improve functionality. 

There is a limitation where Qualys may not always offer solutions for remediation, particularly for end-of-life or end-of-service applications. In these cases, we must seek solutions from alternative sources like Microsoft or the product vendor.

For how long have I used the solution?

I have been using Qualys Patch Management for almost one and a half years.

What do I think about the stability of the solution?

Qualys Patch Management is relatively stable. There might be occasional implementation errors where tasks overlap, but overall, it is reliable, and I would rate the stability eight out of ten.

What do I think about the scalability of the solution?

The scalability of Qualys Patch Management is good, allowing it to handle a large number of devices and updates efficiently. I would rate the scalability eight out of ten.

How are customer service and support?

Customer support for Qualys Patch Management is lacking. The support cases we've raised often resulted in us finding the solution independently. Improvement in response time and solution accuracy is needed.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before using Qualys, I used Rapid7 for vulnerability detection. However, Qualys Patch Management is superior because it provides both vulnerability detection and remediation within a single tool.

What other advice do I have?

I would rate Qualys Patch Management a six out of ten. Qualys Patch Management is a good tool, but we've encountered some issues during implementation. Occasionally, patches fail to deploy to target machines. Additionally, when multiple jobs run concurrently, subsequent jobs become blocked until the initial job is completed.

We are a global organization with locations in multiple regions. We have around 20,000 employees that use Qualys Patch Management in our organization with 5,000 in our area.

As of now, no maintenance has been required.

I would recommend Qualys Patch Management, but it is crucial to understand its features and limitations thoroughly. Expect some learning curve and utilize its automation capabilities to avoid manual interventions. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.