My name is Gift Denison Djemeda, and I stay in Botswana, a country in Southern Africa, where my full title is a Vulnerability Management Specialist, focusing on vulnerability management and infrastructure patching. I have been working in this field for about three years in the vulnerability management space, but before that, I worked as an infrastructure specialist. My main role within the vulnerability management space in Qualys Patch Management involves relying on it as one of the core tools; my responsibility involves not just running patches but ensuring that vulnerabilities are reduced in a measurable and sustainable way across the environment, with a key focus on understanding the gap between detection and remediation, where the real challenge lies in ensuring patches are correctly matched to assets and deployed successfully. Qualys Patch Management has enabled us to quickly patch devices when it comes to zero-day vulnerabilities; for instance, when there was a vulnerability for a software called SAP, we were able to write a script to forcefully push a patch and change some registry keys immediately to resolve that particular vulnerability before any attacker could take advantage of the situation. On a day-to-day basis, I take a proactive approach by conducting training sessions for both end-users and engineers, as Qualys Patch Management is not only a patch management tool but also a vulnerability management scanner that continuously scans the environment across all live devices, allowing us to see different vulnerabilities and alerts that keep us on our toes. Since implementing Qualys Patch Management, we have seen measurable improvements in remediation speed, reducing our patch turnaround time significantly from four weeks with a compliance of about 60% to about 24 to 48 hours for critical vulnerabilities with an average vulnerability count per device down to around 10.
My main use case for Qualys Patch Management is to automate and deploy patches across our enterprise infrastructure, specifically for Windows and Linux servers. I use it to bridge the gap between finding a vulnerability and actually fixing it, creating a unified workflow for the IT and security teams. This unified workflow helps my IT and security teams work together effectively by ensuring our asset tagging is perfectly organized before using Qualys Patch Management. If your tags are wrong, you might deploy patches to the wrong servers and cause operational impact. I rate the solution an eight out of ten.
Senior Application Support Engineer at a financial services firm with 10,001+ employees
Real User
Top 10
Mar 10, 2026
We have over 1,800 servers, and we perform Qualys finding remediation along with some TSRs every week and month. We check whether findings available in the dashboard have been addressed, and then we proceed with security remediations across all servers with the development team. Currently, on each server, we have some remediations that we need to perform, including kernel updates and library directory updates. Whatever older directories are coming under Qualys findings, we maintain those servers as healthy and keep the updated software on the servers that our clients use. We use the data available in the satellite for kernels and maintain that software across all servers. Once security remediation is completed, we submit a scan. The dashboard we use has around a thousand records or findings. We check whether each finding has been dropped. Once we start remediating, the finding should be dropped. However, there are some places where it does not drop from the dashboard. In those cases, we raise tickets to Qualys team and ask them to remediate. We provide appropriate data, including information about the change, the time it was done, and confirmation that the finding was not present in the scan report. We send that data via email to Qualys team, and they reach out to us asking for confirmation. Once we confirm, they remediate it from the dashboard. We cannot manually log in to each server and remediate the findings that are available because that would take a huge amount of time. Instead, we have automation where remediation is performed on the servers themselves. Suppose we have 600 servers. We cannot log in to each server individually, so we keep one automation where the server will automatically take itself out of rotation if it has live traffic and place itself on a maintenance page. This automation takes care of each patching task without requiring manual intervention. We have a security team that reviews any security compliances, potential leakages, or breaches on the servers. If there are any issues, we conduct a quick review and immediately schedule a change and manually perform it in a short time period. We have that automated. Currently, our project has four data centers, and each data center has approximately 40 to 50 servers. We have automation that segregates each server based on its type, such as web and gateway and API server. We have one dashboard called ZSM, Zero Touch Patching, where we have onboarded all the servers into that portal. Whenever we have findings on particular patch plans or servers, we select one and set a Risk Reduction Target of next 20 days. We can then remediate JDK Java upgrades, Linux kernel upgrades, TSR emulation, or whatever application we select. The remediation process goes through several steps. First, it checks if the data center is disabled or not. Next, it checks if VBMS is on a maintenance page or if particular servers are in maintenance mode. Then it triggers the update. The fourth step maintains the process and sends an email. The fifth step sends an email to our team once patching is complete. The sixth step enables the data center, and the seventh step closes the change in a particular portal. Since it goes through all these steps, we just maintain whether each step is executing properly or not. We see if the particular server is in maintenance page on the backend. Once everything looks good, we acknowledge it and send it to patching. We have one dashboard called VBMS, Vulnerability Management tool, which shows particular ATC. Suppose an application has one secondary contact. Under that contact, there are multiple applications. We have a call every week, like a security call. We join that and see what findings are there. For example, with a JDK upgrade finding with a 20-day Risk Reduction Target, we have a sign-off on which version we need to deploy for the upgrade. We send an email to the development team and the security team. They verify whether that particular version is available in the portal or in the satellite. Once they give us a green flag, we schedule the changes along with all the patch plans. Another team checks findings using a Risk Reduction Recommendation Report approach in Qualys, checking with their respective teams to determine which findings are causing security issues. We do the work on the backend while they check on the front end. Last week, we had an issue where they sent a package that was available in the satellite but had not been tested. When we deployed it, we caused an application error and the clients were impacted, resulting in a war call. We halted everything and sat on that one patch group for two days where it was causing an impact. The other team and our team worked together and determined that the current version was different compared to what was in the satellite. Once they checked it, they provided the correct version, and we completed everything in 32 to 33 hours.
My main use case for Qualys Patch Management is to identify vulnerabilities and suggest patches, and I also make use of support automation for policy configuration. A specific example of how I use Qualys Patch Management in my day-to-day work is that it helps me find critical vulnerabilities in our system and enhance and reduce exposure to unknown exploits, providing us a compliance-driven environment. I use Qualys Patch Management in finding critical vulnerabilities.
Information Communication Technology Manager at Solusi University
Real User
Top 20
Feb 20, 2026
The purpose of using Qualys Patch Management in my organization is to ensure that our systems are always up to date and to protect against vulnerabilities from attackers. Before we started using the patch management module, we were using the vulnerability management module, and we noted that we have a lot of CVEs that keep changing for some of the platforms that we are using. It was normally difficult for us to know and tell that a new patch had been deployed that addresses a certain CVE that had been discovered as a vulnerability, whether minor or major. We then decided to implement this particular module so that whatever we do, we know it will push all patches onto the servers and into the applications that we are using, such as PHP, Apache, or Nginx. Looking also at the agentic vulnerabilities and threats coming with agentic models or LLMs, Qualys Patch Management became ideal because we wanted an automated environment.
Project Management Director at a tech services company with 201-500 employees
Real User
Top 5
Feb 3, 2026
Our clients vary greatly because we support many other technologies, such as Microsoft 365. Our clients can range from fewer than 100 to up to 2,000 or 3,000 devices.
Cyber Expert at Ministry of Electronics and Information Technology
Real User
Top 5
Jan 30, 2026
Qualys Patch Management includes cloud simplicity and a very straightforward interface, which is why it is preferable. Our client has a specific requirement that we use Qualys Patch Management because it may be recommended by the client. Other various technical specifications are involved, such as cloud-based patch management, which is easily accessed via its SaaS platform, and no on-prem patch servers are utilized, ensuring centralized control and access within hybrid cloud environments. Cloud Agent drives patch management with its very lightweight agent at endpoint servers, creating minimal load. Another use case is that it operates without VPN for outbound connectivity and provides real-time patch visibility. I have deployed the solution across various environments, including cloud, on-premises, and hybrid models, utilizing different licenses across data centers. The primary cloud data centers in India operating on AWS or Azure support all types of environments without limitations.
Security Solutions Engineer at a consultancy with 11-50 employees
Real User
Top 5
Nov 18, 2025
I have experience using Qualys because I'm a pre-sales engineer in one of the systems integrator companies here in the Philippines. I am also handling and selling Qualys, doing presentations to our clients. I have already tried using Qualys Patch Management and VMDR together. Qualys Patch Management is under Qualys VMDR, which first performs asset management by gathering and enrolling the assets needing protection or scanning in the IT infrastructure. Once those devices or endpoints are enrolled in Qualys VMDR, they become visible in Qualys Patch Management tab, allowing you to define and see which assets need patching and the patches that need to be deployed.
Senior Infrastructure Architect at a tech vendor with 10,001+ employees
Real User
Top 20
Oct 22, 2025
We do it for our OS patching across multiple clouds. If we don't put GE Vernova on there, then I can say we use it for AWS and Azure, plus on-prem. It's used across OS platforms too, so Windows and Linux-based. Our OS team uses it monthly to patch, and then we also supplement third-party software, such as Chrome, Edge, Notepad++, Wireshark, and all that software that people will install and forget to uninstall and forget that they have to patch it. We do that almost weekly as well.
IT Security Manager at a manufacturing company with 10,001+ employees
Real User
Top 5
Oct 21, 2025
My use cases for Qualys Patch Management involve checking the vulnerabilities, seeing what patches come out for Patch Tuesdays. I check different threat sites for any vulnerabilities related to anything that we have on our software stack and then see if those vulnerabilities affect our systems. If they do, I get them on a patch schedule.
Our use case for Qualys Patch Management is patching and updating. We use it for adding and removing local admin to the machines, along with various other tasks.
I am a customer of this solution and use it internally in my company. Currently, I am working with the latest version of Qualys Patch Management, which is the 2025 version. We use Qualys Patch Management for all our clients as well as our complete environment, managing about 30,000 endpoints and about 12,000 servers for one of the hospitals. We scan every weekend and get the results in our dashboards, allowing us to create deployments for browsers daily, and we have specific dates for pushing patches on other servers. For endpoints, we push the patches every month for five days.
I am using Qualys Patch Management for two years, and everything is satisfactory from my side. Before purchasing Qualys Patch Management, we were already using Qualys VMDR and the cloud agent model. At that time, we were generating reports and facing issues with patching vulnerabilities. Large vulnerabilities, such as Google Chrome and browser-related issues, were appearing every two weeks, making it difficult to patch. Similarly, we were getting browser vulnerabilities and software-related vulnerabilities. It became very easy to automate this process and showcase the management of vulnerability remediation cost. Initially, we were doing it manually, so we implemented Qualys Patch Management as a solution. The management was ready to take the initiative. We purchased around 2000 licenses and started patching approximately 1600 servers. We initially only patched the server and focused on some vulnerabilities as zero-day vulnerabilities for preventive methods. The preventive method gave us the capability to run scripts and make registry changes through Qualys Patch Management. We patched more than 1000 assets in one go, which was a significant initiative for us.
Sr Security Engineer at a tech services company with 10,001+ employees
Real User
Top 20
Mar 20, 2025
I use Qualys Patch Management as a single platform for patch management. We have Microsoft, Adobe, and various other apps. I create a scheduled task to push all the required patches to the laptops so that they have the latest version of these apps. We also do compliance checks to ensure that, for example, we have the golden image on our servers and laptops. We use it for scanning to ensure that configurations are correct and based on the CIS guidelines. All our servers and laptops have the Qualys agent, and we can then push the patches to those devices.
Mostly, I've used it because I'm working in the Vulnerability Management Team. I've done the POC for Patch Management and then handed over the product to the Patch Management Team, which handles the patching. I tested the module by Qualys, exploring the functionality of the Patch Management module, such as available patches. All these tasks were completed by me before procuring the product, and then access was provided to another team that uses it for patching. As part of the Vulnerability Management Team, my work involves overseeing the entire Qualys product, including VMDR, FedRAMP, cloud agents, and other functionalities.
Information Communication Technology Specialist at UNIVERSITY OF JOHANNESBURG
Real User
Top 5
Feb 4, 2025
We are in the education industry, and we perform weekly scans. On weekends, we scan our entire management, servers, and expectations. Then on Monday, I set up some weekly reports. From these, I'll have my vulnerabilities and Patch management reports showing which third-party applications I installed on users' workstations. I tested these on a Monday or Tuesday with Patch Management. If all goes well, by Wednesday or Thursday, I'm patching the rest of the environment. In terms of workstations, I scan and patch them weekly, but for servers, I wait for the Microsoft patching cycle. Only then do we patch the servers, allowing for a restart for each update. After the Microsoft updates, we can restart our servers.
Vulnerability Management Engineer at a comms service provider with 10,001+ employees
Real User
Top 10
Dec 27, 2024
I use Qualys Patch Management to patch vulnerable applications such as Mozilla Firefox and Java. Additionally, I use features like registry updates and scripting options available in the Patch Management deployment module. Our usage is about 70%.
Our primary use case for Qualys Patch Management is vulnerability remediation and running scripts. It helps us detect vulnerabilities in our environment and identify specific patches that are required. If we want to mitigate any vulnerabilities, we can run scripts. It is utilized on a very large scale in our organization. Before Qualys Patch Management, the challenge that we faced was that we were able to detect the vulnerabilities using Qualys VMDR, but mitigation was not easy. Qualys Patch Management helped us to identify which specific patch is required and which patch is missing from our environment. Most of the time, we considered the most suited patches to make sure that all the vulnerabilities get remediated but that was not always the case. We also wanted to see the old patches that were missing. Qualys Patch Management helped us there.
I initially used Qualys' Vulnerability Management module and later incorporated their Patch Management module for remediation. This allowed us to deploy patches, schedule deployments for various machines, and automate the process on a weekly or monthly basis. Critical assets receive daily deployments with real-time detection and prioritization for enhanced security.
It streamlines and automates the process of identifying, prioritizing, and deploying patches across various operating systems and applications. It helps us in reducing vulnerability.
Security Portfolio Manager at a tech vendor with 10,001+ employees
Real User
Top 5
Nov 29, 2024
We have been using Qualys Patch Management alongside vulnerability management. We utilize it to manage high and critical vulnerabilities by prioritizing patches based on asset value and vulnerability score. We rate our asset with an asset value. Along with that, once we have a vulnerability score, we prioritize patches and servers that are high and critical. That is how we utilize both vulnerability management and patch management.
Systems Mgmt Consultant at a healthcare company with 10,001+ employees
Real User
Top 5
Nov 20, 2024
We use Qualys Patch Management for server deployment and workstation deployment. It is also used for vulnerability management, managing open ports, and remediating vulnerabilities.
Cybersecurity Engineer at a manufacturing company with 51-200 employees
Real User
Top 5
Oct 18, 2024
We use almost every module that Qualys has, except the EDR, which is endpoint protection. They came up with that module last year. We use their patch management, vulnerability scanners, cloud agents, and network passive scanners. We are using everything that is available.
System Architect at a leisure / travel company with 10,001+ employees
Real User
Top 5
Oct 17, 2024
Initially, we were using Qualys Patch Management for TruRisk vulnerability detections. I am on the risk operations side, so I also used it to determine ways to fix a particular vulnerability and address it.
Foundation Services Director at a leisure / travel company with 10,001+ employees
Real User
Top 10
Oct 14, 2024
Our primary use case is to try to reduce our time to remediate. One of our sister teams, the attack surface team, uses the scanning piece. Therefore, we thought it would be best to close the ecosystem and use the patching piece. The feedback from the PoC made it evident that making a shift was necessary. By implementing Qualys Patch Management, we wanted to reduce the meantime to remediate and have the ability to weigh our threats so that we are not just patching everything; we are patching what is most critical to our environment. The automation capability that it has to create jobs, set them, and forget them was very intriguing to our business.
System Admin at a insurance company with 501-1,000 employees
Real User
Top 20
Oct 14, 2024
Qualys Patch Management is used to address and remediate server vulnerabilities. It provides a dashboard with information on remediation steps, vulnerability severity, impact, and other relevant details. This tool effectively manages and mitigates security vulnerabilities, ensuring the security of our infrastructure.
SOC - Cyber Security Engineer at a computer software company with 201-500 employees
Real User
Top 10
Sep 25, 2024
Our use cases for Qualys vary depending on the client. I work for a Paris-based French company that provides cybersecurity and metadata services to multiple clients. We primarily use Qualys to check the core infrastructure that hosts everything, scanning and remediating vulnerabilities. We work with multiple teams, so if we identify a patching issue using Qualys, we might need to escalate it to another department. For example, if we identify a vulnerability in a CI/CD tool the DevOps team uses in Terraform, we're not supposed to touch it. We recommend a time frame for the DevOps team to apply the patch. If the issue is high-severity, they may need to address it as soon as possible. We run the scans, get the reports, and create recommendations. We have integrated Qualys with our homegrown ticketing tool, but we plan to migrate to ServiceNow. It's a gradual process. Microsoft Sentinel, our SIEM solution, sends alerts to our internal detection and monitoring tool, which ServiceNow will soon replace. Our SIEM tool is responsible for monitoring the overall risk, while we use Qualys to report vulnerabilities that need to be patched.
Qualys has a scanning tool for viruses, vulnerability, and malware detections. They recently launched Qualys Patch Management for patching applications or server sites. We previously used tools like SCCM or Microsoft Intune. Qualys Patch Management is a replacement for all those kinds of tools, but we mainly use it for patching the applications, not the servers.
My organization uses Qualys Patch Management internally, including its core patching functionality and Vulnerability Management, Detection, and Response. As a consultant, I help several Qualys user clients with best practices and similar tasks, addressing use cases ranging from vulnerability reduction and patch management to asset management. Qualys is a cloud-based platform. While they offer a private cloud option at a higher cost, their core functionality resides in the cloud. The lightweight agents we install on our systems simply collect data and upload it to the cloud-based Qualys interface. The only exceptions are passive sensors like network sniffers and on-premise scanners, which are optional deployments for specific needs. This cloud-centric approach eliminates the need for us to manage on-premise servers, unlike some competing products like baramundi.
Qualys Patch Management offers asset visibility, risk-based prioritization, and automation to enhance security. It integrates with VMDR for vulnerability prioritization, ensuring efficient patch deployment and reduced manual effort.Qualys Patch Management focuses on automating patch deployment and bridging the gap between vulnerability identification and resolution. It supports Windows and Linux servers, providing real-time assessments and comprehensive reporting. The integration with VMDR...
My name is Gift Denison Djemeda, and I stay in Botswana, a country in Southern Africa, where my full title is a Vulnerability Management Specialist, focusing on vulnerability management and infrastructure patching. I have been working in this field for about three years in the vulnerability management space, but before that, I worked as an infrastructure specialist. My main role within the vulnerability management space in Qualys Patch Management involves relying on it as one of the core tools; my responsibility involves not just running patches but ensuring that vulnerabilities are reduced in a measurable and sustainable way across the environment, with a key focus on understanding the gap between detection and remediation, where the real challenge lies in ensuring patches are correctly matched to assets and deployed successfully. Qualys Patch Management has enabled us to quickly patch devices when it comes to zero-day vulnerabilities; for instance, when there was a vulnerability for a software called SAP, we were able to write a script to forcefully push a patch and change some registry keys immediately to resolve that particular vulnerability before any attacker could take advantage of the situation. On a day-to-day basis, I take a proactive approach by conducting training sessions for both end-users and engineers, as Qualys Patch Management is not only a patch management tool but also a vulnerability management scanner that continuously scans the environment across all live devices, allowing us to see different vulnerabilities and alerts that keep us on our toes. Since implementing Qualys Patch Management, we have seen measurable improvements in remediation speed, reducing our patch turnaround time significantly from four weeks with a compliance of about 60% to about 24 to 48 hours for critical vulnerabilities with an average vulnerability count per device down to around 10.
My main use case for Qualys Patch Management is to automate and deploy patches across our enterprise infrastructure, specifically for Windows and Linux servers. I use it to bridge the gap between finding a vulnerability and actually fixing it, creating a unified workflow for the IT and security teams. This unified workflow helps my IT and security teams work together effectively by ensuring our asset tagging is perfectly organized before using Qualys Patch Management. If your tags are wrong, you might deploy patches to the wrong servers and cause operational impact. I rate the solution an eight out of ten.
We have over 1,800 servers, and we perform Qualys finding remediation along with some TSRs every week and month. We check whether findings available in the dashboard have been addressed, and then we proceed with security remediations across all servers with the development team. Currently, on each server, we have some remediations that we need to perform, including kernel updates and library directory updates. Whatever older directories are coming under Qualys findings, we maintain those servers as healthy and keep the updated software on the servers that our clients use. We use the data available in the satellite for kernels and maintain that software across all servers. Once security remediation is completed, we submit a scan. The dashboard we use has around a thousand records or findings. We check whether each finding has been dropped. Once we start remediating, the finding should be dropped. However, there are some places where it does not drop from the dashboard. In those cases, we raise tickets to Qualys team and ask them to remediate. We provide appropriate data, including information about the change, the time it was done, and confirmation that the finding was not present in the scan report. We send that data via email to Qualys team, and they reach out to us asking for confirmation. Once we confirm, they remediate it from the dashboard. We cannot manually log in to each server and remediate the findings that are available because that would take a huge amount of time. Instead, we have automation where remediation is performed on the servers themselves. Suppose we have 600 servers. We cannot log in to each server individually, so we keep one automation where the server will automatically take itself out of rotation if it has live traffic and place itself on a maintenance page. This automation takes care of each patching task without requiring manual intervention. We have a security team that reviews any security compliances, potential leakages, or breaches on the servers. If there are any issues, we conduct a quick review and immediately schedule a change and manually perform it in a short time period. We have that automated. Currently, our project has four data centers, and each data center has approximately 40 to 50 servers. We have automation that segregates each server based on its type, such as web and gateway and API server. We have one dashboard called ZSM, Zero Touch Patching, where we have onboarded all the servers into that portal. Whenever we have findings on particular patch plans or servers, we select one and set a Risk Reduction Target of next 20 days. We can then remediate JDK Java upgrades, Linux kernel upgrades, TSR emulation, or whatever application we select. The remediation process goes through several steps. First, it checks if the data center is disabled or not. Next, it checks if VBMS is on a maintenance page or if particular servers are in maintenance mode. Then it triggers the update. The fourth step maintains the process and sends an email. The fifth step sends an email to our team once patching is complete. The sixth step enables the data center, and the seventh step closes the change in a particular portal. Since it goes through all these steps, we just maintain whether each step is executing properly or not. We see if the particular server is in maintenance page on the backend. Once everything looks good, we acknowledge it and send it to patching. We have one dashboard called VBMS, Vulnerability Management tool, which shows particular ATC. Suppose an application has one secondary contact. Under that contact, there are multiple applications. We have a call every week, like a security call. We join that and see what findings are there. For example, with a JDK upgrade finding with a 20-day Risk Reduction Target, we have a sign-off on which version we need to deploy for the upgrade. We send an email to the development team and the security team. They verify whether that particular version is available in the portal or in the satellite. Once they give us a green flag, we schedule the changes along with all the patch plans. Another team checks findings using a Risk Reduction Recommendation Report approach in Qualys, checking with their respective teams to determine which findings are causing security issues. We do the work on the backend while they check on the front end. Last week, we had an issue where they sent a package that was available in the satellite but had not been tested. When we deployed it, we caused an application error and the clients were impacted, resulting in a war call. We halted everything and sat on that one patch group for two days where it was causing an impact. The other team and our team worked together and determined that the current version was different compared to what was in the satellite. Once they checked it, they provided the correct version, and we completed everything in 32 to 33 hours.
My main use case for Qualys Patch Management is to identify vulnerabilities and suggest patches, and I also make use of support automation for policy configuration. A specific example of how I use Qualys Patch Management in my day-to-day work is that it helps me find critical vulnerabilities in our system and enhance and reduce exposure to unknown exploits, providing us a compliance-driven environment. I use Qualys Patch Management in finding critical vulnerabilities.
The purpose of using Qualys Patch Management in my organization is to ensure that our systems are always up to date and to protect against vulnerabilities from attackers. Before we started using the patch management module, we were using the vulnerability management module, and we noted that we have a lot of CVEs that keep changing for some of the platforms that we are using. It was normally difficult for us to know and tell that a new patch had been deployed that addresses a certain CVE that had been discovered as a vulnerability, whether minor or major. We then decided to implement this particular module so that whatever we do, we know it will push all patches onto the servers and into the applications that we are using, such as PHP, Apache, or Nginx. Looking also at the agentic vulnerabilities and threats coming with agentic models or LLMs, Qualys Patch Management became ideal because we wanted an automated environment.
Our clients vary greatly because we support many other technologies, such as Microsoft 365. Our clients can range from fewer than 100 to up to 2,000 or 3,000 devices.
Qualys Patch Management includes cloud simplicity and a very straightforward interface, which is why it is preferable. Our client has a specific requirement that we use Qualys Patch Management because it may be recommended by the client. Other various technical specifications are involved, such as cloud-based patch management, which is easily accessed via its SaaS platform, and no on-prem patch servers are utilized, ensuring centralized control and access within hybrid cloud environments. Cloud Agent drives patch management with its very lightweight agent at endpoint servers, creating minimal load. Another use case is that it operates without VPN for outbound connectivity and provides real-time patch visibility. I have deployed the solution across various environments, including cloud, on-premises, and hybrid models, utilizing different licenses across data centers. The primary cloud data centers in India operating on AWS or Azure support all types of environments without limitations.
I have experience using Qualys because I'm a pre-sales engineer in one of the systems integrator companies here in the Philippines. I am also handling and selling Qualys, doing presentations to our clients. I have already tried using Qualys Patch Management and VMDR together. Qualys Patch Management is under Qualys VMDR, which first performs asset management by gathering and enrolling the assets needing protection or scanning in the IT infrastructure. Once those devices or endpoints are enrolled in Qualys VMDR, they become visible in Qualys Patch Management tab, allowing you to define and see which assets need patching and the patches that need to be deployed.
My use cases for Qualys Patch Management are primarily for Windows workstations.
We do it for our OS patching across multiple clouds. If we don't put GE Vernova on there, then I can say we use it for AWS and Azure, plus on-prem. It's used across OS platforms too, so Windows and Linux-based. Our OS team uses it monthly to patch, and then we also supplement third-party software, such as Chrome, Edge, Notepad++, Wireshark, and all that software that people will install and forget to uninstall and forget that they have to patch it. We do that almost weekly as well.
My use cases for Qualys Patch Management involve checking the vulnerabilities, seeing what patches come out for Patch Tuesdays. I check different threat sites for any vulnerabilities related to anything that we have on our software stack and then see if those vulnerabilities affect our systems. If they do, I get them on a patch schedule.
Our use case for Qualys Patch Management is patching and updating. We use it for adding and removing local admin to the machines, along with various other tasks.
I am a customer of this solution and use it internally in my company. Currently, I am working with the latest version of Qualys Patch Management, which is the 2025 version. We use Qualys Patch Management for all our clients as well as our complete environment, managing about 30,000 endpoints and about 12,000 servers for one of the hospitals. We scan every weekend and get the results in our dashboards, allowing us to create deployments for browsers daily, and we have specific dates for pushing patches on other servers. For endpoints, we push the patches every month for five days.
Automated Vulnerability Remediation at Scale
Key Objectives:
Rapid Identification of Vulnerabilities:
Automated Patch Deployment:
Compliance Achievement:
Custom Reporting & Dashboards:
Integration with Change Management:
Exception Handling & Risk-Based Prioritization:
I am using Qualys Patch Management for two years, and everything is satisfactory from my side. Before purchasing Qualys Patch Management, we were already using Qualys VMDR and the cloud agent model. At that time, we were generating reports and facing issues with patching vulnerabilities. Large vulnerabilities, such as Google Chrome and browser-related issues, were appearing every two weeks, making it difficult to patch. Similarly, we were getting browser vulnerabilities and software-related vulnerabilities. It became very easy to automate this process and showcase the management of vulnerability remediation cost. Initially, we were doing it manually, so we implemented Qualys Patch Management as a solution. The management was ready to take the initiative. We purchased around 2000 licenses and started patching approximately 1600 servers. We initially only patched the server and focused on some vulnerabilities as zero-day vulnerabilities for preventive methods. The preventive method gave us the capability to run scripts and make registry changes through Qualys Patch Management. We patched more than 1000 assets in one go, which was a significant initiative for us.
I use Qualys Patch Management as a single platform for patch management. We have Microsoft, Adobe, and various other apps. I create a scheduled task to push all the required patches to the laptops so that they have the latest version of these apps. We also do compliance checks to ensure that, for example, we have the golden image on our servers and laptops. We use it for scanning to ensure that configurations are correct and based on the CIS guidelines. All our servers and laptops have the Qualys agent, and we can then push the patches to those devices.
Mostly, I've used it because I'm working in the Vulnerability Management Team. I've done the POC for Patch Management and then handed over the product to the Patch Management Team, which handles the patching. I tested the module by Qualys, exploring the functionality of the Patch Management module, such as available patches. All these tasks were completed by me before procuring the product, and then access was provided to another team that uses it for patching. As part of the Vulnerability Management Team, my work involves overseeing the entire Qualys product, including VMDR, FedRAMP, cloud agents, and other functionalities.
We are in the education industry, and we perform weekly scans. On weekends, we scan our entire management, servers, and expectations. Then on Monday, I set up some weekly reports. From these, I'll have my vulnerabilities and Patch management reports showing which third-party applications I installed on users' workstations. I tested these on a Monday or Tuesday with Patch Management. If all goes well, by Wednesday or Thursday, I'm patching the rest of the environment. In terms of workstations, I scan and patch them weekly, but for servers, I wait for the Microsoft patching cycle. Only then do we patch the servers, allowing for a restart for each update. After the Microsoft updates, we can restart our servers.
I use Qualys Patch Management to patch vulnerable applications such as Mozilla Firefox and Java. Additionally, I use features like registry updates and scripting options available in the Patch Management deployment module. Our usage is about 70%.
Our primary use case for Qualys Patch Management is vulnerability remediation and running scripts. It helps us detect vulnerabilities in our environment and identify specific patches that are required. If we want to mitigate any vulnerabilities, we can run scripts. It is utilized on a very large scale in our organization. Before Qualys Patch Management, the challenge that we faced was that we were able to detect the vulnerabilities using Qualys VMDR, but mitigation was not easy. Qualys Patch Management helped us to identify which specific patch is required and which patch is missing from our environment. Most of the time, we considered the most suited patches to make sure that all the vulnerabilities get remediated but that was not always the case. We also wanted to see the old patches that were missing. Qualys Patch Management helped us there.
I initially used Qualys' Vulnerability Management module and later incorporated their Patch Management module for remediation. This allowed us to deploy patches, schedule deployments for various machines, and automate the process on a weekly or monthly basis. Critical assets receive daily deployments with real-time detection and prioritization for enhanced security.
It streamlines and automates the process of identifying, prioritizing, and deploying patches across various operating systems and applications. It helps us in reducing vulnerability.
We have been using Qualys Patch Management alongside vulnerability management. We utilize it to manage high and critical vulnerabilities by prioritizing patches based on asset value and vulnerability score. We rate our asset with an asset value. Along with that, once we have a vulnerability score, we prioritize patches and servers that are high and critical. That is how we utilize both vulnerability management and patch management.
We use Qualys Patch Management for server deployment and workstation deployment. It is also used for vulnerability management, managing open ports, and remediating vulnerabilities.
We use Qualys Patch Management to detect open vulnerabilities and manage patches.
We use almost every module that Qualys has, except the EDR, which is endpoint protection. They came up with that module last year. We use their patch management, vulnerability scanners, cloud agents, and network passive scanners. We are using everything that is available.
Initially, we were using Qualys Patch Management for TruRisk vulnerability detections. I am on the risk operations side, so I also used it to determine ways to fix a particular vulnerability and address it.
Our primary use case is to try to reduce our time to remediate. One of our sister teams, the attack surface team, uses the scanning piece. Therefore, we thought it would be best to close the ecosystem and use the patching piece. The feedback from the PoC made it evident that making a shift was necessary. By implementing Qualys Patch Management, we wanted to reduce the meantime to remediate and have the ability to weigh our threats so that we are not just patching everything; we are patching what is most critical to our environment. The automation capability that it has to create jobs, set them, and forget them was very intriguing to our business.
Qualys Patch Management is used to address and remediate server vulnerabilities. It provides a dashboard with information on remediation steps, vulnerability severity, impact, and other relevant details. This tool effectively manages and mitigates security vulnerabilities, ensuring the security of our infrastructure.
Our use cases for Qualys vary depending on the client. I work for a Paris-based French company that provides cybersecurity and metadata services to multiple clients. We primarily use Qualys to check the core infrastructure that hosts everything, scanning and remediating vulnerabilities. We work with multiple teams, so if we identify a patching issue using Qualys, we might need to escalate it to another department. For example, if we identify a vulnerability in a CI/CD tool the DevOps team uses in Terraform, we're not supposed to touch it. We recommend a time frame for the DevOps team to apply the patch. If the issue is high-severity, they may need to address it as soon as possible. We run the scans, get the reports, and create recommendations. We have integrated Qualys with our homegrown ticketing tool, but we plan to migrate to ServiceNow. It's a gradual process. Microsoft Sentinel, our SIEM solution, sends alerts to our internal detection and monitoring tool, which ServiceNow will soon replace. Our SIEM tool is responsible for monitoring the overall risk, while we use Qualys to report vulnerabilities that need to be patched.
Qualys has a scanning tool for viruses, vulnerability, and malware detections. They recently launched Qualys Patch Management for patching applications or server sites. We previously used tools like SCCM or Microsoft Intune. Qualys Patch Management is a replacement for all those kinds of tools, but we mainly use it for patching the applications, not the servers.
My organization uses Qualys Patch Management internally, including its core patching functionality and Vulnerability Management, Detection, and Response. As a consultant, I help several Qualys user clients with best practices and similar tasks, addressing use cases ranging from vulnerability reduction and patch management to asset management. Qualys is a cloud-based platform. While they offer a private cloud option at a higher cost, their core functionality resides in the cloud. The lightweight agents we install on our systems simply collect data and upload it to the cloud-based Qualys interface. The only exceptions are passive sensors like network sniffers and on-premise scanners, which are optional deployments for specific needs. This cloud-centric approach eliminates the need for us to manage on-premise servers, unlike some competing products like baramundi.