Qualys Patch Management Reviews

We do it for our OS patching across multiple clouds. If we don't put GE Vernova on there, then I can say we use it for AWS and Azure, plus on-prem. It's used across OS platforms too, so Windows and Linux-based. Our OS team uses it monthly to patch, and then we also supplement third-party software, such as Chrome, Edge, Notepad++, Wireshark, and all that software that people will install and forget to uninstall and forget that they have to patch it. We do that almost weekly as well.

My favorite feature is reoccurring jobs. We had some requirements where we needed some options added to do reoccurring jobs, and they were able to add that in. Now we mostly use reoccurring jobs, and we don't have to touch them. The hardest part now is just getting change controls through our change management team instead of actually creating the jobs.

It has simplified so much from a cost overhead and perspective.

For Qualys Patch Management, I actually talked with their product manager last week during their conference. Unified QQL needs improvement because while they have QQL in Qualys Patch Management, it doesn't pull in the same tokens as VMDR or CCM, so I can't search by similar things. Also, grouping or foldering for Qualys Patch Management jobs would be beneficial because if different groups own different jobs, it all gets dumped into what is essentially a flat file. You're just scrolling through it. You can search, but if we were able to do foldering, that would be great. The third piece would be having an approved catalog. For example, instead of my IT teams doing the patching, I wanted to enable our internal customers, our app teams, to run the jobs themselves but only on patches that we say are good - a curated catalog that the company patch admin approved.

Their frontline support could be improved. I'm really close with Qualys and spoke at the conference last week. They already know all this. They know that their support could be better. They just need to get more knowledgeable and not necessarily seem to have to pass the buck to engineering or VulnSig or the product teams.

We've been using it since April of last year, so April of '24, which is approximately 18 months.

There are times where Qualys sometimes delays or doesn't have the catalog updated. For example, Red Hat comes out with an update and a week later, it wasn't in the Qualys catalog, which causes us to scramble.

On our pod, we don't experience issues. One of my colleagues on a different pod has issues there. I'm on their biggest pod that brings in the most revenue, so they're very cautious with what they do on that.

Their frontline support could be improved. I'm really close with Qualys and spoke at the conference last week. They already know all this. They know that their support could be better. They just need to get more knowledgeable and not necessarily seem to have to pass the buck to engineering or VulnSig or the product teams.

We used WSUS and custom scripts for Linux before. On-prem, we used SSM for AWS and Patch Management for Azure. It was complicated because there were so many different moving parts. That's where Qualys Patch Management comes in and is able to work across all platforms. It's easy because you don't have to manage all kinds of different things for every cloud. Your agent's already on the box because we have a rule that every server has to have an agent on it.

The setup was actually easy. We already had VMDR deployed and agents everywhere, so it was a couple clicks to enable it.

The implementation took approximately a month, though some of that was due to our delay. We had one to two people involved, and part of the timeline was due to our internal processes, not Qualys Patch Management.

You can always drive pricing down, but I think it's reasonable. For what we get out of it, I think it's a reasonable investment.

I think that's where we have to go as an industry because you can't address everything all the time. Adding the risk on top, if it's an external asset compared to something internal inside your vault, the risk is much greater for exfiltration of data. The risk-based approach absolutely is the right way to go about it.

I rate Qualys Patch Management a nine out of ten.

Hybrid Cloud

I have been working with Qualys Patch Management specifically for about two years. I started with Qualys VMDR, the asset management, the web application scanning platform, and then when we began patching as well, I started using the patch management suite.

In this current field, I have been working for a little over two years. Previously, I worked directly in vulnerability management with Qualys as the main engine behind the service.

Currently, I work as a distributor. We use Qualys Patch Management from the distributor's point of view and we get to see patch management in action or get to ensure patch management is deployed properly for a lot of different clients. We get to see different use cases. Most clients at first approach just want to see a view of all their patches and to be able to see all the endpoints that need patching.

Qualys Patch Management does a lot in terms of supporting patches for Windows products and has a robust patch management suite for Linux. The integration with the VMDR platform, asset management platform, web application scanning platform, and having it all in one platform is world-class.

The patch management suite allows a correlation between vulnerabilities and patches, enabling the prioritization of patch deployment. Clients use it primarily to patch endpoints and it is especially beneficial for less critical patches as it can automatically deploy them. The QGS server integrates well with the patch management engine.

Getting support from the vendor regarding custom things around patch management could be improved. The turnaround for support is a bit slow, especially when trying to deploy patches that are not accepted by certain devices, leading to delays in addressing urgent customer issues.

There is also potential improvement needed on the reporting side. While default reports and recommendation reports are available, further enhancements could be made.

Occasionally, there is downtime when accessing the cloud platform, though it is rare.

Sometimes, there are issues with patches not being deployed to certain devices or devices not accepting patches. This results in clients raising support tickets, but resolving these takes a while due to the interaction between the vendor, distributor, and customer.

Qualys Patch Management is scalable and handles from 10 IP networks to 20,000 IP networks. It supports cloud-based deployments, allowing scans to be run directly from the cloud without using extensive internal resources.

It can scale to manage large numbers of endpoints, deploying scanners at different branches to communicate back to the main cloud platform for easier management.

The main issue with customer service is the time it takes to resolve support queries. However, once help is provided, I receive good support, sometimes with calls to assist with technical support queries. Over time, relationships can be built with specific support personnel.

I have used similar products like Microsoft Intune and FortiGate, which has a patching type of solution within its FortiClient. I also work with Ivanti for patching endpoints.

Deploying Qualys Patch Management is straightforward, well-documented, and involves running the agent on endpoints or deploying it via group policy. Scanner deployment only requires inputting the IP and Qualys code, connecting directly to the cloud.

I resell Qualys Patch Management. Other IT providers with clients requiring vulnerability management come to me to purchase the solution since I am a main distributor in the SADC region.

Pricing is standard across international markets, comparable with FortiGate and Palo Altos. It is fair given Qualys' unique risk-based approach, but in regions like South Africa, costs can be high due to the USD pricing, amounting to a significant portion of a standard employee's salary.

I have not interacted much with the reporting aspect of patch management due to moving away from hands-on technical work to pre-sales roles. Integrating with ServiceNow allows assigning and tracking vulnerabilities to specific users or departments. My overall rating for this product is 8 out of 10.

Public Cloud

Other

My use cases for Qualys Patch Management are primarily for Windows workstations.

My favorite feature of Qualys Patch Management is being able to go from detection to patching in a single platform.

Qualys Patch Management helps me remediate vulnerabilities without needing to involve the security team because I am the security team. It helps me get context of what's going on.

One downside is that I've always wanted a dark mode in Qualys Patch Management. Because Qualys is so bright, if you're working in there for a while, you feel blind after extended time. Having a dark mode would be fantastic.

I have been using Qualys Patch Management since the end of 2023.

I find the stability of Qualys Patch Management to be inconsistent; sometimes it works fine, while other times when I try to show a colleague something quickly, it takes considerable time to respond.

The scalability of Qualys Patch Management seems good.

I contact their technical support or customer support frequently.

The quality and speed of their support could be better.

I would rate their support a five out of ten.

Neutral

The initial deployment of Qualys Patch Management is difficult.

I wasn't involved with the company during the initial deployment, which occurred approximately ten years ago. However, newer modules and connector configurations always seem more difficult than they should be.

Regarding pricing for Qualys Patch Management, if you can get a good deal, the value is there. It's on the pricier side, but it provides value if you can utilize it effectively.

I have used alternatives such as Tenable.

I prefer Qualys over Tenable.

The biggest difference between Qualys and Tenable is reporting, as the quality of reports from Qualys is much better received than those from Tenable.

I use Qualys Patch Management with VMDR.

This integration with VMDR is important for me.

Qualys Patch Management gives me a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

I use the Risk Reduction Recommendation report in Qualys Patch Management.

The Risk Reduction Recommendation report is helpful.

Qualys Patch Management helps me streamline remediation and gives me a good starting point.

If the risk-based approach to automation is set up correctly, it performs excellently.

For newer deployments of Qualys Patch Management, typically one person handles the implementation.

I maintain Qualys Patch Management consistently, so it requires minimal effort on my end.

My advice for new users of Qualys Patch Management is to spend time at the training center. A streamlined initial video guide would be beneficial.

I rate Qualys Patch Management an eight out of ten overall.

We use Qualys Patch Management for patching Windows updates, deploying third-party and Microsoft patches, and other application updates to manage vulnerabilities and respond to threats.

If new vulnerabilities are found in the environment, we deploy patches or find solutions to remediate the problems. We implemented Qualys Patch Management for this purpose.

To enhance vulnerability management by upgrading or updating applications, we've implemented a recurring job in Qualys Patch Management. This job automatically scans for missing updates on a daily or weekly basis, ensuring all applications remain current. This automated process streamlines patch management and strengthens our overall security posture.

We use Patch Management with Qualys VMDR and find its integration capabilities helpful. This tool automatically identifies vulnerabilities and provides the necessary patches, configuration changes, or updates for remediation. Previously, we needed separate tools for vulnerability scanning, solution finding, and implementation. Qualys streamlines this process by not only identifying vulnerabilities but also recommending and implementing solutions, including patches, updates, and configuration changes, effectively helping us remediate vulnerabilities in our environment.

The machines connected to the environment and reporting to Qualys have a better patching system. It continuously monitors for missing updates daily through scheduled tasks. If any are found, they are automatically installed. This ongoing monitoring and automatic installation is an excellent benefit of Qualys Patch Management.

TruRisk automation allows us to address vulnerabilities without direct involvement from our security team. When we first implemented Qualys, we had a backlog of approximately 130,000 vulnerabilities, some dating back six months or more. By utilizing Qualys as a remediation tool to track, address, and resolve these vulnerabilities, we have successfully reduced the number to 15,000.

Qualys Patch Management provides a centralized platform to identify, prioritize, and address vulnerabilities across our assets. It uses a severity scoring system ranging from one to five, allowing us to assess and prioritize vulnerabilities accordingly.

Before using Qualys, we used SCCM, which gave us good results with over 95 percent compliance. Qualys achieves similar compliance rates if we maintain regular monthly patching. While the compliance numbers haven't changed significantly, Qualys offers greater automation, eliminating the need for manual checks on individual machines. This automation is a significant advantage over our previous system.

We are using Qualys Patch Management in parallel with our Vulnerability Management solution.

Qualys Patch Management has reduced our organization's risk by almost 90 percent.

Qualys Patch Management's most valuable feature is its responsiveness. Unlike other products that require waiting for a scheduled update cycle, Qualys allows for immediate deployment of patches and updates. This ensures vulnerabilities are addressed quickly, minimizing security risks.

Qualys Patch Management needs improvement in customer support and certain feature enhancements. Although we receive support from Qualys, we often find that we must identify solutions independently. Additionally, features could be refined or expanded, as we've already submitted several requests to improve functionality. 

There is a limitation where Qualys may not always offer solutions for remediation, particularly for end-of-life or end-of-service applications. In these cases, we must seek solutions from alternative sources like Microsoft or the product vendor.

I have been using Qualys Patch Management for almost one and a half years.

Qualys Patch Management is relatively stable. There might be occasional implementation errors where tasks overlap, but overall, it is reliable, and I would rate the stability eight out of ten.

The scalability of Qualys Patch Management is good, allowing it to handle a large number of devices and updates efficiently. I would rate the scalability eight out of ten.

Customer support for Qualys Patch Management is lacking. The support cases we've raised often resulted in us finding the solution independently. Improvement in response time and solution accuracy is needed.

Neutral

Before using Qualys, I used Rapid7 for vulnerability detection. However, Qualys Patch Management is superior because it provides both vulnerability detection and remediation within a single tool.

I would rate Qualys Patch Management a six out of ten. Qualys Patch Management is a good tool, but we've encountered some issues during implementation. Occasionally, patches fail to deploy to target machines. Additionally, when multiple jobs run concurrently, subsequent jobs become blocked until the initial job is completed.

We are a global organization with locations in multiple regions. We have around 20,000 employees that use Qualys Patch Management in our organization with 5,000 in our area.

As of now, no maintenance has been required.

I would recommend Qualys Patch Management, but it is crucial to understand its features and limitations thoroughly. Expect some learning curve and utilize its automation capabilities to avoid manual interventions. 

Public Cloud

Our primary use case for Qualys Patch Management is vulnerability remediation and running scripts. It helps us detect vulnerabilities in our environment and identify specific patches that are required. If we want to mitigate any vulnerabilities, we can run scripts. It is utilized on a very large scale in our organization.

Before Qualys Patch Management, the challenge that we faced was that we were able to detect the vulnerabilities using Qualys VMDR, but mitigation was not easy. Qualys Patch Management helped us to identify which specific patch is required and which patch is missing from our environment. Most of the time, we considered the most suited patches to make sure that all the vulnerabilities get remediated but that was not always the case. We also wanted to see the old patches that were missing. Qualys Patch Management helped us there.

Qualys Patch Management helped us to automate processes. We did not have to do anything manually. All we had to do was write a particular query command, and based on that, we could time or schedule our patches. If a patch is not properly installed or is crashing on the system, there is the ability to roll back that particular patch. We can see what caused the problem and fix the issue.

We have an improved vulnerability detection rate, and the remediation timelines have been reduced significantly. Earlier, if 100 vulnerabilities were detected, only 50 might be closed after several months. Now, with Qualys Patch Management, the number of vulnerabilities can drop from 100 to 20 in less than a month.

We have information about the severity of the vulnerability. QDS also gives us a score of the vulnerability severity. Accordingly, we also have the categorization of our assets. Qualys VMDR creates the scoring of the assets for us. It tells us what is the asset criticality and the risk score of the asset. Based on that entire calculation, it helps determine which asset to prioritize and fix. It helps us identify what needs to be prioritized.

We use Qualys VMDR with Qualys Patch Management. It is a combined package. Qualys VMDR helps with detection. The data about the vulnerabilities detected by the agents and the scanners is being fed into the Patch Management model which helps to know how to mitigate them. This integration saves a lot of time and makes business operations easy. As soon as we perform a scan, the data gets populated in the Patch Management module. We can see all the data in the Patch Management module. By entering the asset name or the IP address of the host, we can see all the information already over there. We do not have to sync anything or have to pull anything separately using the APIs.

Qualys Patch Management has removed the requirement of approval from the security team for patches because the patches recommended by Qualys are required from the security standpoint itself. They are not showing any patches for functionality improvement or something like that. That is why the security team's intervention is not required anymore. The patching team can schedule and deploy patches.

We now have a single source of truth. Previously, everyone was relying on their own inventory or reports, so the chances of errors were pretty high because there could be data mismatch. Now that we have a single source of truth, there is less chance of errors. All the teams are seeing the same data.

Qualys Patch Management has not reduced a lot of costs. There is about a 15% reduction. It has improved our patch rate by about 60% over the last one to two years.

We have integration with ServiceNow for ticket management. As soon as the patches have been deployed, tickets are getting resolved. When the rescans happen, there is again a revalidation of whether the vulnerabilities have been closed or not. The process of resolving or closing the tickets is 40% to 50% faster than before.

Qualys Patch Management has reduced our organization's risk by 40% to 50%. 

Qualys Patch Management automates patch deployment for hundreds or thousands of our assets, reducing our reliance on the IT team to perform these tasks manually. It is able to fix most of our vulnerabilities. The count is reducing significantly. We do not have to rely on our IT team to manually log in to systems or deploy using the AD group. We can just put in a command and schedule the patches for our hundreds or thousands of assets. The vulnerability count has reduced significantly.

Secondly, it helps us not just deploy a patch, it also helps us to install a particular software if it is required from an IT standpoint. Tomorrow, if the organization has a requirement for certain software to be installed on a device, Qualys Patch Management has that capability as well. It can install that software on the machine irrespective of whether it is a security tool or some other tool. We can just put in the URL or source path of it, and it will install that software.

The last one is the registry remediation. It is not just limited to patch management or patch deployment. We can also create a script to fix a particular vulnerability that cannot be fixed through patch deployment. It might require logging into the system, opening the registry keys, and editing some values to it. We can create a script for that.

Some patches require OEM consent or must be released by OEM. For example, if an outdated version of a tool like Falcon is detected, Qualys flags it as a vulnerability, but cannot automate the patch update. We can not simply download and do an upgrade. Improved partnerships with OEMs could resolve this.

It works with Windows and Linux, but Mac patch support is not yet available.

We have been using Qualys Patch Management for approximately five years. We were given a subscription to Patch Management along with the VMDR module.

I would rate the stability of the solution a ten out of ten. It is a stable solution.

So far, Qualys Patch Management fits our company requirements. However, Mac patch support is not available, which could be improved. Overall, I would give it a nine out of ten.

Our organization has a global presence. We have offices in Asia, Europe, and America. The Patch Management solution is being used by 30 to 40 teams. We have the infra team, the security team, and the managers keeping track of what is going on and whether everything is on track.

Whenever we raise a ticket, Qualys has a quick response time of 48 hours. They provide the necessary resolution once all information is shared. I would rate their support a nine out of ten.

Before using Qualys Patch Management, my team used SCCM. However, there were challenges. It did not detect required security patches effectively and had limitations on asset detection. The number of vulnerabilities was still pretty high even after deploying the patches.

There were also limitations in terms of asset detection. Certain types of assets did not work with SCCM. Qualys provides better asset detection.

Qualys Patch Management works with Windows and Linux. We do not have to use different tools. 

The setup was straightforward and quick. We just had to connect with a Qualys partner. They set up the cloud environment for us and gave us the URL and the credentials.

As soon as the contract application was done, it took about a week to get the cloud environment set up and ready.

It does not require any maintenance from our side. Qualys takes care of its maintenance. There is a periodic maintenance schedule every quarter. 

The implementation was supported by a partner at Qualys who set up the cloud environment.

Qualys Patch Management comes as part of a bundled package with several modules, making it a cost-effective deal for us. I cannot speak to the separate cost, as we have always used it as part of the package.

I would recommend Qualys Patch Management to others because it is user-friendly and has a wide database of vulnerabilities and patches. I am fond of Qualys, having started my journey with them. Overall, I would rate the solution a ten out of ten.

Public Cloud

Other

We primarily use Qualys Patch Management for deploying Microsoft's monthly security updates, released every second Tuesday. To mitigate vulnerabilities, we promptly create patch jobs for all endpoints and servers upon release and inform stakeholders of the urgent need for deployment. We adhere to strict SLAs, ensuring the entire patch cycle is completed within one to two weeks.

We implemented Qualys Patch Management to efficiently patch our endpoints, and servers.

Qualys' risk-based approach to automation is helpful for addressing vulnerabilities. We utilize TruRisk management for a comprehensive risk overview, employing a tag-based system to assign criticality scores. This allows us to prioritize patching through Qualys Vulnerability Management, Detection, and Response based on the severity of risks.

The integration of Qualys Patch Management and VMDR is critical for automating the deployment of relevant patches and configurations to remediate vulnerabilities. Within our organization's 343,000 assets, multiple entities and tags allow us to leverage VMDR to identify critical vulnerabilities and prioritize patching for high-value machines. This integration enables us to proactively push patches to all server and endpoint agents, effectively mitigating vulnerabilities.

The implementation of Qualys Patch Management has resulted in the remediation of nearly 25 million vulnerabilities within our organization, significantly reducing our overall vulnerability count.

TruRisk automation allows us to address vulnerabilities without involving our security team, as we can directly assess their criticality levels.

Qualys Patch Management provides a single source of truth for managing assets and vulnerabilities, enabling assessment, prioritization, and remediation. Its comprehensive view of each asset streamlines collaboration between security and IT teams, facilitating efficient vulnerability management.

The single source of truth helped reduce costs by 95 percent.

We have improved our patch rate to over 86 percent by implementing Qualys Patch Management. Previously, patches were managed through both Microsoft Intune and SCCM, which proved less effective.

The risk reduction report allows us to split the remediation based on criticality.

The risk reduction report provides recommendations on how to remediate vulnerabilities. Once a fix is available, the corresponding patch can be deployed to all assets based on the associated CVE identifier.

Qualys Patch Management has reduced our organizational risk by 99.9 percent.

Qualys Patch Management offers excellent features, most notably the Qualys Gateway Service, which caches patches and distributes them to agents, minimizing bandwidth consumption. The platform provides comprehensive visibility into patch status across endpoints and servers, supporting Linux and macOS in addition to Windows. Qualys has been instrumental in our vulnerability remediation efforts, enabling us to address nearly 25 million vulnerabilities.

One area for improvement in Qualys Patch Management is knowing whether patches have been completely downloaded in a particular QGS appliance. If a platform owner could verify that patches are downloaded on the appliance side, it would be possible to push them through to all agents confidently.

I have been using the Patch Management solution for more than four years.

We did not encounter any significant stability issues. Control level issues can arise, but these can be addressed through support cases.

I rate the scalability of Qualys Patch Management ten out of ten.

I am completely satisfied with Qualys' customer service.

Positive

We are using SCCM and Intune, but they are not able to achieve the same Qualys patch percentages.

The initial setup was straightforward. Since Patch Management is not a separate module, it is integrated with the overall Qualys deployment, allowing us to enable licenses for VMDR and PM automatically.

To deploy on one machine it takes ten minutes.

To begin, we'll deploy the Qualys agent using an external tool on a separate system. Once the agent appears in the Qualys console, we can proceed by differentiating tags, assigning activation keys, verifying reported machines, and creating multiple vulnerability-based jobs.

We have achieved significant time savings of 90 percent, primarily due to comprehensive oversight and visibility of security issues. This streamlined approach reduces time spent addressing vulnerabilities and ensures efficient mitigation of any threats. Consequently, our robust security posture remains uncompromised, yielding substantial benefits.

Qualys Patch Management is a cost-effective solution for managing our 43,000-plus assets. Its efficiency and effectiveness in vulnerability remediation justify the associated expenses.

I would rate Qualys Patch Management ten out of ten.

To enhance visibility, we will utilize the TruRisk features more effectively in the future.

Our organization has 342,000 assets and over 150 people with access to Qualys, which is deployed across the entire organization.

No maintenance is required from our end.

I recommend Qualys Patch Management due to its comprehensive features. It saves time and provides significant tools for identifying vulnerabilities, pushing patches, and providing pre and post-action capabilities. Virtual patching is available to mitigate many vulnerabilities.

Public Cloud

Other

We use Qualys Patch Management to patch our servers, which run on both Linux and Windows operating systems.

We implemented Qualys Patch Management to identify and address operating system vulnerabilities.

A risk-based approach to automation prioritizes addressing vulnerabilities according to their criticality, ensuring that the most significant risks are mitigated first.

The integration of Qualys Patch Management and VMDR is crucial because it automates the process of identifying and deploying necessary patches and configuration changes to address vulnerabilities. This automation minimizes manual intervention, streamlining both patching and vulnerability scanning. The integrated system automatically generates reports that include vulnerability details and their corresponding Software Development Lifecycle phase, along with patching status and the number of systems patched across production, DMZ, and VOD environments.

We used to do manual patching, which took more time to complete. With Qualys Patch Management, we have reduced the time it takes to patch. We can now perform patching with a single click and obtain a report of the patch application. We saw the benefits of Qualys Patch Management within seven months.

Qualys Patch Management excels with its user-friendly interface and comprehensive reporting features. Additionally, it offers robust vulnerability scanning for both network devices and operating systems, ensuring thorough and effective security assessments.

The TruRisk automation has significantly reduced the time it takes for risk management and reporting.

Qualys Patch Management gives us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

Qualys Patch Management enabled us to increase our patching frequency. Previously, limited staffing necessitated quarterly patching, but with Qualys, we can now patch monthly as releases become available. This proactive approach minimizes risk to our infrastructure.

We have integrated Qualys Patch Management with our SIEM solution, enabling us to build a single dashboard that displays vulnerability reports from both systems. This allows both the infrastructure and security teams to simultaneously access and utilize the Qualys Patch Management reports within the SIEM dashboard.

The organization's risk score has significantly improved since integrating with Qualys Patch Management. Previously at 60 percent, the score is now down to 39 percent, with the potential for even further reduction.

There are certain integration parts that could be improved. Sometimes, legacy operating systems are not supported by Qualys Patch Management, which is an issue. There should be a document readily available with Qualys that lists unsupported operating systems and provides solutions on how to achieve patching in other ways.

I have been using Qualys Patch Management for the last three years.

We have used Qualys Patch Management for the past three years without issue and would rate its stability a ten out of ten.

Qualys Patch Management is a globally scalable product, easily handling increasing workloads and users. Its scalability gets a ten out of ten rating.

We have not faced any challenges with customer service. Whenever we raised a case with Qualys for troubleshooting or any assistance, we received support as required.

Earlier, we were using Nessus. There were some challenges with Nessus, such as the reporting part not being customizable as per our requirements, and some management pricing issues. We conducted a POC and switched to Qualys Patch Management.

The initial setup was straightforward, with servers deployed in two days using a broadcasting tool for installation. This allowed for the successful deployment of Qualys Patch Management within one week.

With Qualys, we've experienced reductions of 70 percent in work hours and 30 percent in overall security costs.

The pricing is fair and within our budget. With the capabilities Qualys offers, we believe we are getting good value for the price.

I would rate Qualys Patch Management nine out of ten.

We use a ticket submission tool to assign IT service tickets. Once the IT team completes a ticket, they close it.

We have around 1,500 users that are located evenly between the office and home environments.

Qualys Patch Management typically requires maintenance only for agents that encounter operating system issues preventing automatic updates.

I recommend using Qualys due to its ease of deployment, automation capabilities that reduce human intervention, and cost-saving benefits. As a highly effective product, Qualys Patch Management may eliminate the need to consider alternative solutions.

On-premises

We are using the Qualys Patch Management and VMDR solution at a client location.

We primarily use Qualys Patch Management for the company's infrastructure. We utilize the core Patch Management module to remediate and manage patches. We mainly use it to address zero-day vulnerabilities and swiftly deploy patches across a large number of devices.

Whenever Microsoft releases any zero-day vulnerabilities, they provide a workaround. We are able to push that workaround from the Patch Management module. We can push the registry key changes or use the PowerShell script. We push changes to almost 600 devices in ten minutes. It helps us ensure our infrastructure security.

Qualys Patch Management has significantly improved our visibility into vulnerability remediation and patch severity. The solution has enabled us to remediate a large number of vulnerabilities and reduce our attack surface effectively.

We can track live updates and present dashboards to management, which has increased their confidence in our security posture. We can see the progress while pushing the patches. We have VMDR dashboards and reports. The reports are user-friendly, and everyone can understand these reports. We could also present them to the management. They were also happy to see the progress. They had visibility.

We have not implemented much automation. We are still in the early stages of this solution and testing out the possibilities. We had an issue because of the requirement that every server should be connected to the Internet before downloading the patches, but QGS was very helpful with that. QGS helps to ensure that we are able to patch devices that are not connected to the Internet.

We are able to prioritize the vulnerabilities and remediation. We did not see any discrepancies. With some of the other tools I have used, I have seen so many discrepancies between the vulnerability and the patching.

It helped our teams to work together. We created a separate team for vulnerability remediation. We also could help the patching team and support them in automating patch management. Previously, they were doing it manually on each server.

With Qualys Patch Management, there is an increase in vulnerability remediation. We have remediated almost 100,000 vulnerabilities. That is a huge count. Previously, we used a formula to identify critical vulnerabilities, and we could remediate only a limited number of vulnerabilities. With Qualys Patch Management, we could remediate all the vulnerabilities. We did not exclude any of the vulnerabilities.

There is also an increase in the patch rate. Previously, we could only cover 30% patching, whereas with Qualys Patch Management, within one and a half months, we could achieve 70% to 80% patching. The remaining ones are not included in the initial phase because of certain dependencies. We pushed data to almost 2,000 devices. It took some time for us to do the testing. We tested on ten production devices. After that, we pushed the patches to other devices.

We can download reports and customize the report templates based on the information we need. Our management could clearly see where we are now as compared to before. They could see our progress. They could see that we have fixed all high-priority ones within a month. The remaining ones are of medium and low priority. Even if we do not remediate them, it will be fine.

The Risk Reduction Recommendation Report helped us see which vulnerabilities would reduce the most risk within our organization.

The features I find most valuable in Qualys Patch Management include the ability to manage registry changes and run scripts both pre and post-patching. We have been able to apply workarounds for zero-day vulnerabilities efficiently.

Being able to create patch groups based on QIDs is also valuable. We can identify vulnerabilities using the QID and create a patch group. After that, we can push the patches.

They need to improve the user-friendliness of identifying how many devices are affected by a particular patch. It is not intuitive, and there should be clearer indicators or buttons to access this information easily. Currently, we have to go to the Patch Management module within an asset to see the information but not many people are aware of it. It is not intuitive in terms of seeing how many patches are pending on an asset. Other than that, it has everything we need.

I have been using Qualys Patch Management for approximately one year.

We faced an issue once due to a cloud-related problem that slowed down the console and presented device status inconsistencies, but it was resolved within four hours.

We have not encountered any scalability issues. We operate across multiple locations and have not faced any lags.

We have almost 125,000 users. We are a multinational company. We have offices in about 15 states in India. We are also in two or three other countries. This is why our asset count is high.

Customer service is exceptional. The support team is experienced and responsive, providing solutions quickly without delay. I would rate them a ten out of ten.

Positive

Before Qualys, we used Microsoft SCCM, which was not effective in progress tracking and vulnerability remediation. The tool was basic, the licensing cost was high, and we were only able to address 30% to 40% of vulnerabilities.

We proposed the Qualys Patch Management module. Its cost was almost similar but we got many more features. After implementing it, we could see the progress in vulnerability remediation and patching.

Qualys Patch Management also provided us with a variety of dashboards or criteria. We could see the number of patches done, pending, and failed. Microsoft SCCM did not give us that information. We could also export reports with Qualys Patch Management. This option was not available with Microsoft SCCM. 

In terms of user-friendliness, Microsoft SCCM is more user-friendly. It has fewer features and is very easy. Even a beginner can use Microsoft SCCM, which is not the case with Qualys Patch Management. 

It is a cloud solution, so everything required is provided by Qualys. 

It does not require any maintenance from our end.

We required assistance from the Qualys team for the initial setup and configuration as we were not familiar with setting up and configuring QGS at the time.

It has saved us resources. We now have only two people for patch management.

The pricing is reasonable and competitive. We get many more features at the same price as other solutions such as Microsoft SCCM.

It is worth the money considering the services and features it has. Their support team is also awesome.

We evaluated Rapid7 as an alternative to Qualys but found it lacking in some features that Qualys offered.

I would recommend Qualys Patch Management to every organization looking for better patch management and remediation. I would recommend opting for the cloud version of Qualys Patch Management as it is easier and faster to use compared to an on-premises solution.

I would rate Qualys Patch Management a ten out of ten. It makes my job easy.

Public Cloud

Other