Qualys Patch Management Reviews

Initially, we were using Qualys Patch Management for TruRisk vulnerability detections. I am on the risk operations side, so I also used it to determine ways to fix a particular vulnerability and address it.

I used Patch Management with Qualys VMDR when I was doing a proof of concept with Patch management. It works well. To me, it was just a shortcut or another way to patch a system versus doing it with the job, but it was straightforward.

We were able to realize its benefits immediately. Patch Management gave my side and the security side a single pane of glass and the ability to better coordinate the delivery of patches. After using it, I felt a lot more comfortable with it. 

TruRisk gives the confidence that we are attacking the major issues, but we do leverage our security team to make the final decision. It does help.

Patch Management gives us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

Currently, we are in a hybrid environment until we fully transition over. We have Ivanti and Qualys. They are two separate agents, two separate infrastructures. Moving to Qualys Patch Management gives us instant access to all of the systems we have. We do not have to worry about building up new infrastructure. We just go and start patching. It streamlines everything a lot, especially the dialogue between our teams, that is, the risk side versus the security side. It reduces confusion over patches.

Patch Management has definitely given us the opportunity to do more hands-off patching. Some in my team are manually pushing the patches out. We click a button, schedule it, and shoot it out. We are going to take advantage of zero-touch patching for browsers. We are going to do a lot more scheduled or agent-based patching. It will be hands-off. It will free us up to do more analytical things and spread ourselves out to other tasks.

Patch Management will help us reduce our organization's risk. We have not had the opportunity to start using it the way we want to. We are still early on, but just from what I see, I expect that it would have a significant impact on our ability to patch. Personally, I think the impact will be significant.

We recently got their Patch Management solution, which is the most important thing for me at this time. Previously, vulnerability detection was most valuable.

Patch Management's risk-based approach to creating automation to address risks is very important. I just came from the conference, and I understand it a lot more. It definitely is important. I like it a lot.

I would like a more clear distinction in terms of something I call a patch contract. A patch contract is a bundle of patches that we are going to roll out. I would like to reference those patches from separate jobs. They explained at a conference that it cannot be done, but that is my main complaint. I wish that the whole schema was a little bit clearer because there is a little bit of cloudiness around it. Everything else seems to be fairly straightforward.

Additionally, I know there is a cost associated with this, but it would be nice if instead of us having to roll and host our own custom files on AWS or something like that, Qualys could provide some space, even if just a gigabyte or 500 megabytes.

I have been using it for about a year or two.

Overall, I have not experienced any issues with Qualys as a whole, although the security team once mentioned something about the system being down. I will learn more as I get more and more into patching with it.

I have not yet contacted their support.

Neutral

Right now, we are using a mixture of security controls and endpoint management. I have used solutions like Ivanti, Altiris, Intune, and WSUS, among others. I have seen a lot of patch management solutions.

Ivanti is closest to Qualys. Both of them are built on the same Shavlik engine. Qualys is better for my situation because it is cloud-based. I do not have to worry about on-prem things I do right now. I am familiar with Patch Management because underneath it is the same Shavlik engine that is used by Ivanti. I am familiar with the log files and things like that.

That was the easiest thing to do. All the hard work had already been done. After the security team has the agents installed, we start working our magic. It does not get easier than that.

We have not yet fully deployed it, so I cannot say how long it takes to fully deploy it, but getting it established and started was quick.

From what I have heard, Qualys Patch Management is pricey, which is a main barrier to entry. Another aspect that I do not like about Qualys is that they do not add new patch management functionalities to the existing package. It is a separate SKU, so you have to pay more money.

I would rate Qualys Patch Management a nine out of ten.

In the previous company, the customer was using Qualys Patch Management tool, and they were using more than one lakh assets in that organization. The Qualys Patch Management tool helped significantly in that case.

The risk-based approach Qualys Patch Management uses is very good for easily getting the details. That is one of the factors in the prioritization of the vulnerability. We can see if a patch is or is not available. The details are easily obtained through risk analysis. If everything is available, we still need to know which one to prioritize, and this approach helps us significantly with priorities.

We saw an improvement in our patch rates from using Qualys Patch Management, especially with respect to automated patches. 

We got the consolidated data, and using automated Patch Management for a few assets saved a lot of time because we don't have to do it manually or raise tickets for everything. 

By trusting Qualys Patch Management, we remediated many vulnerabilities, especially with Windows.

The consolidated report we received from the solution was very time-saving because, in the dashboard, we could get all the patch details for a particular patch and all the assets listed. That was very easy. Instead of going through Excel sheets, we could easily pull up the data and produce it based on the operating system, distribution, and other things. 

False positives were the biggest concern. 

We also had some concerns with respect to the Cloud Agent. VMDR is something that whoever uses Qualys Patch Management will always use. We used both, but sometimes we got different details in Patch Management and VMDR. The data differs, especially with Cloud Agent-installed assets. We have had to contact their technical support many times, especially for Cloud Agent troubleshooting. We raised many feature requests with Qualys for Cloud Agent and faced many issues with it. Cloud Agent always gave us trouble, not just with Qualys, but with other tools too. However, compared with others, Qualys did have more issues with Cloud Agent.

I used Qualys Patch Management for one year.

The platform maintenance is according to what we have seen. A few times Qualys was not reachable for very few minutes, but stability-wise, it is a very good product.

Scalability-wise, Qualys Patch Management is a very good product. I never faced any issues with any of that.

I would rate them a ten out of ten for support because they are very approachable. Whenever we raise a request and mention the priority of the ticket, they respond immediately via email or call.

Positive

We were using another tool before Qualys Patch Management, though I don't remember which one. When we did the PoC, compared to Qualys, the other tool was giving less data, and that is why we moved to Qualys Patch Management.

My overall rating for Qualys Patch Management is a ten out of ten.

I initially used Qualys' Vulnerability Management module and later incorporated their Patch Management module for remediation. This allowed us to deploy patches, schedule deployments for various machines, and automate the process on a weekly or monthly basis. Critical assets receive daily deployments with real-time detection and prioritization for enhanced security.

We can prioritize vulnerabilities using Qualys' risk-based approach. The platform offers a prioritization tab that allows us to tailor the process to the company's requirements. Whether the focus is on risk, asset criticality, or exploitability, we can leverage the prioritization tag in Qualys to manage and address vulnerabilities effectively.

It's important that Qualys Patch Management and VMDR integration encompasses all necessary patches and configuration changes to address vulnerabilities identified by VMDR. This integration ensures real-time detection and remediation of vulnerabilities.

The TruRisk Insights allows us to prioritize and remediate threats without involving our security team.

Qualys Patch Management provides a single source of information to access asset and vulnerability data. Granting the IT team access to the Patch Management module lets them retrieve information through alerts. Through this module, the team receives email alerts about patch failures, enabling them to redeploy patches and investigate the cause of failure, such as machines rebooting at the scheduled time.

Qualys Patch Management helps prioritize vulnerabilities based on risk and asset criticality, facilitating the patching process. 

The integration with ServiceNow helps close tickets faster by automating tasks and alerting the IT team when a patch has failed.

Patch management provides more clarity from the dashboard and console, which is very helpful for our team to prioritize and take prior action.

Downloading extensive vulnerability reports, especially those with millions of entries, is time-consuming. To improve efficiency, Qualys should implement faster download speeds and offer reports in Excel format in addition to the current CSV option.

I have been using Qualys Patch Management for more than two years.

The customer support team is quite responsive and always ready to assist. When I submit a request, they promptly contact me and, if necessary, schedule a call to efficiently address my questions, even during my early days with the product.

Positive

Previously, we used BigFix and SSCM modules for patch application but have since transitioned to Qualys Patch Management for a more streamlined approach. Qualys Patch Management provides a single console for patch management and VMDR, simplifying operations and automating reporting.

I would rate Qualys Patch Management nine out of ten because there is room for improvement in tool features to enhance competitive market standings.

Qualys has a scanning tool for viruses, vulnerability, and malware detections. They recently launched Qualys Patch Management for patching applications or server sites. We previously used tools like SCCM or Microsoft Intune. Qualys Patch Management is a replacement for all those kinds of tools, but we mainly use it for patching the applications, not the servers.

If a server has two applications, and one has a patch and the other one does not have a patch, you do not need to worry. You just select the server and the patches you want to deploy. If you have selected four patches but only two are applicable, it will only deploy the ones that are applicable. The other two are skipped so that there are no issues or errors with the existing image. That is an advantage of this solution.

There is no automation. You have to manually create a job. There is a scanned report, and based on that, you can select a patch or server. You can select multiple servers or multiple patches. 

We have used the solution's Risk Reduction Recommendation Report. After the remediation, we run the scan again. It is simple.

Using Patch Management, we have not seen any improvement in our patch rates.

For a few applications, you do not need to go and download the patches from the network or somewhere else. They have the patches or the latest updates in the directory. You can just select a patch and deploy it to a server. You can create a patch job and select the patch. Everything is within the interface. You do not need to go out of it.

It is user-friendly. It is not complex.

The Qualys Scanning tool is one of the best tools for scanning purposes, virus detection, and vulnerability detection, whereas Qualys Patch Management is helpful only in a few cases, not in all cases.

There are multiple tools for patching, such as SCCM, Intune, or Ivanti. One of the challenges that we have faced with the Patch Management tool is that you cannot patch all the things. There are some limitations, whereas, in SCCM, we can create a package and just deploy that through it. Anything is deployable through SCCM, whereas Patch Management is very selective. They should support more applications. For example, you cannot push a patch on Oracle.

There is not much automation. For example, with SCCM, you can push anything, but that is not the case with Qualys.

We have faced a few corruptions while patching. Even though a patch is feasible through Qualys Patch Management, when we try to push it to our servers, we face some errors or interruptions. When we push the patch, something gets blocked and the patch fails. Even if the patch is within the directory of Qualys, we cannot push it. There are some errors.

The Qualys support team can be more communicative. Just sharing a knowledge-based article does not help all the clients or all people. A knowledge-based article might be useful for a technical person, but it does not help someone who is not very technical. They should have a call-based approach. Even companies like Microsoft provide an option for a call for a support case, which allows you to discuss the issue and troubleshoot it quickly. Qualys should improve their support. 

I have been using this solution from the beginning or since it was launched. It was launched recently. It has been one to two years.

It is stable. I would rate it a nine out of ten for stability.

I would rate it a ten out of ten for scalability. Its scalability is very good. It can be expanded, but it also depends on the licensing part.

It is being used for the whole organization for patch management. We have 70 to 80 users using this solution.

We faced challenges with their support for the issues that we raised. When you raise a case, they just share a knowledge-based article with you. It is very tough to catch them over a call and have a live troubleshooting session to understand the issue. You cannot just be dependent on the knowledge base articles. Sometimes, you have to go in-depth and do research to understand the cause of the issue. Their support team was not very helpful or communicative.

The experience might vary based on the priority of the case. It might be different when you have a high-priority case. The cases that we raise are at P3 or P4 levels because we are not completely dependent on Qualys Patch Management. For a P1 or P2 case, they might have a different approach.

Neutral

Previously, we were using Ivanti and SCCM. They are more comprehensive, and you can push anything. You can even create a script or a package and push it through them, and it will be deployed on all the servers. Qualys Patch Management is very limited compared to SCCM, Intune, or Ivanti. Having said that, it is quite new. It was launched one or two years ago. They need some time to improve their services.

Its deployment is straightforward.

We have both cloud and on-prem servers. We do patch deployment on both. We can do an immediate deployment or a scheduled deployment. It takes time based on the application size, server count, etc. If the file is of a few MBs, it does not take more than one or two minutes. If it is a huge file, then it will take longer, but everything is reasonable. I have not seen any delays. The run time is good. It is not an issue. The only issue is that a few blockers need to be corrected.

It does not require much maintenance, but the support should be better from their side.

Once you have deployed a job, it runs automatically. You need to go and check it only if there is a failure. You do not need to manually manage anything. Once a job is created, it runs automatically at a scheduled time. All that is automatically done at the backend.

It is affordable, but they should provide features as per the rate they are charging. We have a big infrastructure with about 80,000 licenses. We expect better support from the Qualys team. So, it is affordable, but more features should be there, and the support should be better.

At this time, I would not recommend Qualys Patch Management because there are multiple features that need to be developed from their end. You cannot deploy everything through it. I might recommend it in the future. It needs some time to be fully developed.

I would rate Qualys Patch Management a six out of ten because of the support quality and lack of features.

By implementing this solution, we wanted to fix vulnerabilities as soon as possible in both software and operating systems. Qualys Patch Management gives us the power to solve vulnerabilities quickly and keep our environment safe.

We have not yet seen many benefits because we are still deploying patch policies. We are doing that first with a test group. We have not done 100% patch management. By next month, we will have 100% management through Qualys Patch Management. We expect to see about 99.9% of assets updated all the time. We have great expectations.

We can create rules based on risk. We do not make it 100% automatic for servers because there is a higher chance of issues, but for PCs, we can do 100% automation. Based on the risk for an operation, we can create some sort of policies.

We are deploying both Qualys Vulnerability Management and Qualys Patch Management. Qualys Vulnerability Management was deployed one month ago. For the last month, we have been working to deploy Qualys Patch Management. They are being deployed side by side. The benefit of this is that Qualys Patch Management can solve all the vulnerabilities found by Qualys Vulnerability Management. One part of the tool detects the vulnerabilities and then the other part fixes them. They work together.

Patch Management will help reduce our organization's risk, but it is hard to say how much it will reduce the risks.

Policy enforcement requires less time for my team because users cannot avoid applying updates. The user can skip two or three times or for a maximum of eight hours. After that, there is no way to avoid it. It helps us keep the environment safe.

Its implementation is too recent to make any judgments about areas needing improvement. In terms of pricing, of course, it is not free. Cheaper is always better. If possible in the future, it would be good if it is cheaper.

It has been deployed very recently and we are still in the process of deploying it throughout our organization.

So far, stability has been good with no issues.

I know that as a cloud solution, it would be easy to scale, but I do not have any experience with it. We just deployed it, so there is no need to scale at this time.

I have not had to contact support, so I cannot comment on customer service.

Neutral

We previously used Microsoft WSUS. However, it did not offer the same level of management and enforcement as Qualys Patch Management.

Qualys Patch Management gives me all kinds of management options. I have good visibility into vulnerabilities on each asset. Microsoft WSUS does not give me this sort of management level. We also could not meet the expectation of a 99.9% patch rate with Microsoft WSUS.

It is too early to determine the return on investment.

The licensing cost is more than 2,000 for the whole Americas region.

We have not integrated Qualys Patch Management with CMDB or ITSM tools for ticket management. This Qualys Patch Management deployment is done at the Americas region level, and the ITSM that we have in place is only in South America. Companies in the Americas region do not have ITSM, so there is no integration yet.

I would rate Qualys Patch Management an eight out of ten.

My organization uses Qualys Patch Management internally, including its core patching functionality and Vulnerability Management, Detection, and Response. As a consultant, I help several Qualys user clients with best practices and similar tasks, addressing use cases ranging from vulnerability reduction and patch management to asset management.

Qualys is a cloud-based platform. While they offer a private cloud option at a higher cost, their core functionality resides in the cloud. The lightweight agents we install on our systems simply collect data and upload it to the cloud-based Qualys interface. The only exceptions are passive sensors like network sniffers and on-premise scanners, which are optional deployments for specific needs. This cloud-centric approach eliminates the need for us to manage on-premise servers, unlike some competing products like baramundi.

Qualys query language simplifies patch selection by allowing us to define risk-based criteria. We can target patches based on severity medium to critical and Qualys rating while excluding specific unwanted patches like "Patch xyz". As long as a patch meets our pre-approved criteria, it's automatically selected, making the approval process quick and efficient.

The Patch Management integration with VMDR including all development patches and configuration changes required to remediate vulnerabilities detected by the VMDR is significantly important.

While Qualys offered benefits initially, the deployment of the cloud agent truly transformed our security posture. Previously, regular scans provided only point-in-time vulnerability identification. Now, with continuous updates from the cloud agent every four hours, we have near real-time visibility into our risk levels, allowing us to prioritize and swiftly address vulnerabilities to minimize overall security exposure.

TruRisk automation streamlines vulnerability remediation by prioritizing threats based on real-world exploitability, not just a generic CVSS score. This allows us to focus on the most critical issues first, avoiding the time-wasting whack-a-mole approach of patching everything at once. While all vulnerabilities eventually need to be addressed, TruRisk helps us prioritize effectively and work through them in a methodical way.

Qualys' prioritization feature streamlines vulnerability management by offering a central hub to find, rank, and address critical security issues. This unified approach significantly improves collaboration between security and IT teams. Previously, prioritizing vulnerabilities was often a matter of simply patching critical ones. Patching policies also play a role, with most companies aiming for a 30-day window or less for critical patches. While the industry average turnaround is 17 days, faster patching remains crucial. Qualys' TruRisk scoring system helps identify outliers – vulnerabilities that might slip through the cracks in a well-managed environment. Traditional patching methods, like Microsoft's WSUS, may miss these outliers, but Qualys excels at finding them, providing better communication and faster remediation.

This single source has helped reduce soft costs where employees were wasting time spinning their wheels searching for answers. This newfound focus allows them to dedicate their energy to more important tasks.

Prior to implementing patch management, a random sampling of systems would often reveal outdated patches, some exceeding 60 days old. However, with patch management in place, finding such aged patches is now a rarity.

We integrated Patch Management on top of Qualys VMDR. This gave us a lot more visibility and accuracy.

Patch Management has helped to reduce our organizational risk.

The most valuable feature in Patch Management is the Qualys query language for set-it-and-forget-it patching for our preapproved patches, and our preapproved schedules, That is extremely helpful compared to the old days of patching.

A common area for improvement in Patch Management, both within our environment and others I've encountered, is the lack of built-in driver updates. Ideally, the system would handle updates for network interface cards, video cards, and other components, eliminating the need to rely on manufacturer-specific tools like Dell Update or HP Update. Integrating these patching options would significantly improve the overall functionality.

Qualys Patch Management primarily updates operating systems, third-party software including Adobe products and many more, leaving video card drivers and firmware updates to other tools. This focus on core software is understandable, as driver and firmware updates can be more complex.

The price has room for improvement.

I have been using Qualys solutions for over 20 years.

Qualys Patch Management is very stable. They clearly communicate any scheduled maintenance in advance, and these updates typically require no downtime. In rare cases of major maintenance, they might announce limited portal access during specific hours. Like any software, occasional minor glitches can occur, but we can easily check for known issues at status.qualys.com before troubleshooting on our own. Overall, Qualys Patch Management is a reliable solution.

Qualys Patch Management is highly scalable. 

Qualys technical support has been excellent recently. While there have been occasional periods of lower satisfaction in the past, similar to any organization, they seem to be prioritizing customer happiness. This is evident by their recent staffing improvements, which have led to my last few support requests being resolved quickly and efficiently.

With extensive system use, I've occasionally received initial responses from what seems like level-one support. I then need to clarify and request further troubleshooting before they escalate the issue.

Positive

Qualys Patch Management deployment is straightforward as long as we have the right team, whether it's a consulting firm or our own IT staff familiar with whitelisting. This is because whitelisting the Qualys Cloud Agent on systems protected by endpoint security tools like Carbon Black or CrowdStrike is crucial to prevent them from blocking the agent. Fortunately, the whitelisting requirements are well-documented, making implementation smooth for a prepared team.

A single person can handle the deployment if they have permission to distribute the cloud agent, install on-premise scanners, and build the virtual machine for the scanner. In fact, several of my colleagues successfully manage deployments for large organizations on their own.

Qualys Patch Management's pricing is competitive. While some perceive it as expensive, competitor tools are similar. While a free option like Microsoft WSUS exists, it lacks features. While I'd prefer Qualys VMDR to include Cyber Security Asset Management for a more attractive overall package, Patch Management itself remains competitively priced. Scaling brings lower per-asset costs, and Qualys recently introduced better pricing bundles for smaller environments.

To verify Qualys Patch Management's effectiveness, I've occasionally used free tools like Patch My PC to scan for missed patches. These scans consistently come up clean, giving me confidence that Qualys Patch Management is doing a good job.

While both Qualys Patch Management and baramundi Update Management are powerful tools, Qualys offers a clear advantage in ease of use. For organizations with large IT teams that can handle a more hands-on approach, baramundi can be effective, but it requires more ongoing management compared to Qualys' set-and-forget approach. Notably, baramundi goes beyond patching with software distribution capabilities, but this additional functionality comes at the cost of increased complexity. Ultimately, for those seeking a simpler solution, Qualys is the better choice.

I would rate Qualys Patch Management ten out of ten.

While the initial setup involves deploying cloud agents, Qualys Patch Management is low maintenance. Updates for both agents, signatures, and related components are automatic. Qualys handles maintenance in the cloud, and new systems are easily enrolled with agents through software distribution or policy enforcement.

New Qualys Patch Management users should consult the documentation and training resources before deploying. While a trusted partner can assist with implementation, understanding the process is crucial. Qualys offers free training to cover essential steps like agent deployment, configuration, and security considerations to ensure successful patching. Don't skip these steps, as seemingly minor setup issues can hinder functionality. This applies not just to Qualys, but to any endpoint security solution.

We use Qualys Patch Management to fix patch vulnerabilities in our environment. We're dealing with machines that have pending updates, and we need to configure our console.

In Qualys, we configure Tanium, and Qualys acts as a collaborator with Tanium in our environment. We address machine details, compare with SSCM tools, and manage assets and hardware. Qualys allows us to automate and fix patches through the tool, achieving a compliance rate of over 95%.

In our environment, the application sometimes crashes, requiring improvement. Additionally, the user interface could be made easier to use, especially for system administrators.

I have been using Qualys for about one year.

We have sometimes escalated questions due to application crashes, which need improvement.

Positive

We previously worked with Microsoft Endpoint Configuration Manager (SSCM) for about two and a half years, yet faced issues with achieving target compliance.

I was not involved in the initial setup of the Qualys solution.

I am not able to give a proper answer regarding the return on investment.

I am not familiar with the pricing or setup cost of the Qualys solution.

Compared to other tools, Qualys is better due to its automation capabilities, which allow us to achieve high compliance rates. 

I rate Qualys Patch Management a ten out of ten.

Mostly, I've used it because I'm working in the Vulnerability Management Team. I've done the POC for Patch Management and then handed over the product to the Patch Management Team, which handles the patching. I tested the module by Qualys, exploring the functionality of the Patch Management module, such as available patches. All these tasks were completed by me before procuring the product, and then access was provided to another team that uses it for patching. As part of the Vulnerability Management Team, my work involves overseeing the entire Qualys product, including VMDR, FedRAMP, cloud agents, and other functionalities.

The first thing I would say is the ease of use. It's so user-friendly that even a newcomer in IT can use it directly. It helps reduce our attack surface by patching all software vulnerabilities and deploying patches directly from the console. The connection and integration between different tools are excellent, allowing continuous monitoring of the types of patches released, which can be quickly deployed onto the systems. The dashboards help identify what type of patch I want to deploy and which patches are missing.

There is room for improvement in the inclusion of more patches. That's the only improvement I would suggest. Not all patches are available on Qualys, so they need to get licenses for other patches as well. That would be more helpful.

I have used the solution for 3 years.

It's quite stable. I would say it’s a nine.

Scalability, it's dependable.

Technical support, I would say it’s about seven and a half.

We used BigFix before.

For Patch Management, the testing part took about one to two weeks. Procurement took one week because it was pending with the procurement team. Overall, I guess it took about a month.

We have saved time and resources by detecting vulnerabilities, which helps us patch many assets. I can't quantify it exactly, but it's significant as it prevents vulnerabilities from being exploited. If those vulnerabilities were open and we did not have Qualys or similar solutions, we would have been at risk of attacks. I cannot give a specific number, but having a Vulnerability Management tool has a significant impact.

These two tools are completely different. BigFix is a full-fledged patching tool where you can directly apply patches but cannot view vulnerability data. On Qualys, you can see vulnerabilities and deploy patches directly. It offers a different perspective by allowing you to view a vulnerability and deploy a remedying patch. Qualys acts like both a vulnerability management tool and a patching tool, which is quite beneficial. Tools like Nessus, Rapid7 handle vulnerability management, while BigFix, SCCM handle patching.

I would recommend it because of its ease of use and integration as both a Vulnerability Management and Patch Management tool. I rate it nine out of ten.