Qualys Patch Management Reviews

What are your main use case/s for Qualys Patch Management?

4C6.44772 4 6 4.44772 6 5V12V19C6 19.5523 6.44772 20 7 20H14C15.1935 20 16.3381 19.5259 17.182 18.682C18.0259 17.8381 18.5 16.6935 18.5 15.5C18.5 14.3065 18.0259 13.1619 17.182 12.318C16.9031 12.0391 16.5914 11.8006 16.2559 11.6063C17.0535 10.7703 17.5 9.65816 17.5 8.5C17.5 7.30653 17.0259 6.16193 16.182 5.31802C15.3381 4.47411 14.1935 4 13 4H7ZM13 13H8V18H14C14.663 18 15.2989 17.7366 15.7678 17.2678C16.2366 16.7989 16.5 16.163 16.5 15.5C16.5 14.837 16.2366 14.2011 15.7678 13.7322C15.2989 13.2634 14.663 13 14 13H13ZM13 11C13.663 11 14.2989 10.7366 14.7678 10.2678C15.2366 9.79893 15.5 9.16304 15.5 8.5C15.5 7.83696 15.2366 7.20107 14.7678 6.73223C14.2989 6.26339 13.663 6 13 6H8V11H13Z">

I have worked with Qualys Patch Management as part of my Cloud Operations responsibilities while supporting enterprise Linux and Windows environments. One of the clients I worked, a cloud-based security company, where vulnerability remediation and patch management were part of our regular operational activities.

One thing I liked about Qualys is that it provides a centralized view of vulnerabilities and missing patches across the infrastructure. Instead of manually checking servers, we could quickly identify systems requiring attention and prioritize remediation based on severity. This helped us improve patch compliance and maintain a better security posture across both production and non-production environments.

In our day-to-day operations, Qualys was useful for tracking vulnerabilities, scheduling patch deployments, monitoring patch status, and generating reports. The visibility provided by the platform made it easier for the operations team to coordinate patching activities and ensure systems remained up to date.

For larger environments with 100+ servers, patching required proper planning and execution. We generally followed a phased approach. Servers were removed from the load balancer in batches, patches were applied, systems were rebooted if required, and functionality was validated before placing them back into service. This approach helped minimize risk and avoid service disruptions.

We also used Ansible extensively to automate repetitive remediation tasks and patch deployments. Qualys helped us identify vulnerabilities, while Ansible was used to streamline the actual patching process wherever automation was feasible.

In my current project, I have again been working with Qualys over the last few months, including installing and managing Qualys agents on both Linux and Windows servers as part of the initial setup and vulnerability assessment process. We continue to review vulnerability findings regularly and plan remediation activities based on business and operational requirements.

One challenge we occasionally faced during large-scale deployments was troubleshooting failed patches or agent communication issues. These situations required additional investigation and manual intervention. However, with proper planning and automation, most patching activities were completed successfully.

Overall, my experience with Qualys Patch Management has been positive. It provides good visibility into vulnerabilities, simplifies patch tracking, and helps operations teams maintain security compliance across their infrastructure.

One of the things I like most about Qualys Patch Management is the centralized visibility it provides. From a single dashboard, we can quickly identify missing patches, review vulnerabilities, and understand which systems require immediate attention. This made it much easier for our team to prioritize critical vulnerabilities and plan remediation activities across both Linux and Windows servers.

In my experience, the integration between vulnerability findings and patch management was very useful because it helped us quickly understand which vulnerabilities had available fixes and what actions were required. This reduced the time spent manually analyzing reports and allowed us to focus on remediation.

From an operations perspective, Qualys helped us track patch compliance, schedule patching activities, monitor deployment status, and generate reports for internal teams. It gave us good visibility into the overall health of our infrastructure and helped ensure that systems remained updated with the latest security fixes.

Another feature that helped us was the Qualys agent. Since the agents continuously reported vulnerability and patch information back to the platform, we always had an up-to-date view of our servers without needing to perform manual checks. This was especially useful in environments with a large number of servers.

For automation, we used Ansible alongside Qualys findings. Once vulnerabilities and missing patches were identified, we leveraged Ansible playbooks to automate remediation activities wherever possible. This significantly reduced manual effort and helped maintain consistency during large-scale patching activities.

In some environments, we were managing more than 100 servers at a time. During patching windows, we followed a phased approach by removing servers from the load balancer, applying patches, validating application functionality, and then bringing the servers back into service before proceeding with the next batch. Having accurate patch and vulnerability information from Qualys made this process much easier to manage.

Overall, Qualys Patch Management helped us improve patch compliance, reduce security risks, and streamline our patching process. It became an important part of our monthly maintenance activities and helped us maintain a secure and stable environment across both production and non-production systems.

One area where I think Qualys Patch Management can improve is reporting and dashboard customization. As patching and vulnerability remediation are regular operational activities, having more flexible reporting options and granular insights would help operations teams track patch compliance, remediation status, failed deployments, and outstanding vulnerabilities more effectively.

In larger environments, it would also be useful to have more customizable dashboards tailored to different teams such as operations, security, and management. This would make it easier to view the most relevant information without creating multiple reports.

Another improvement could be enhanced troubleshooting information for failed patch deployments or agent communication issues. During large-scale patching activities, having more detailed error reporting would help teams identify and resolve issues faster.

Overall, my experience with Qualys Patch Management has been positive. It provides good visibility into vulnerabilities and patch compliance, and with some additional reporting and dashboard enhancements, it would be even more useful for day-to-day operational teams.

I have been working with Qualys Patch Management for almost five years.

Whenever I faced any issue and I raised a ticket with Qualys team, immediately they supported and fixed our issues, which ultimately saved us from any upcoming issues.

The support I got was absolutely great. I rarely used to go to Qualys tech support because most things are provided well in the documents so that we rarely have to rely on customer support. But whenever we raised any ticket with the customer support, it was a good experience, so I rate it nine out of 10.

Qualys is one of the topmost vulnerability scanning tools. We actually rely on it only. It was already there when I joined the project, and in my previous project, it was already implemented.

We have the ITSM tools in place and we do have it integrated. Automatically, the ticket is getting generated and all the records are being tracked: when was the last remediation done, were there any issues reported after the remediations, and all those things we take into consideration for tracking purposes and which users have done that.

Cloud-based integration has helped us close tickets faster. We have Patch Management on the existing one. We completely rely on Qualys Patch Management. We have only Qualys, and we have installed Qualys agents on all our environments for the scanning and fixing part.

Qualys Patch Management has helped us a lot, actually. To be frank, we don't have any other vulnerability tools. We have only this Qualys Patch Management in place, so we completely rely on Qualys itself. Qualys agents really helped us ensure our servers are always remediation free and the latest patches are there.

I am not working on the cost aspect of Qualys Patch Management, but that part is taken care of by the senior team. We have the license for 500 servers, and each agent is fixed up for that.

I 100% rely on Qualys Patch Management. I don't have any other resources. Because it is centralized, as I mentioned earlier, we have the dashboards. The access is provided to the security team as well as the CloudOps team, Cloud Admin team which I am working with. Everyone being on the same page means these are the server lists which we are observing that needs to be remediated. Everyone takes the actions accordingly.

I have used Qualys Patch Management's Risk Reduction Recommendation report for a few of my servers. We are not 100% relying on it because we have a few applications that need to be checked with our developers. Whatever the recommendation is there, for example, if they have recommended 10 vulnerabilities, we mostly rely on that, but not 100%. We also need to check from our side, so mostly we take seven to nine recommendations. Qualys Patch Management provides us with the list of the vulnerabilities, so accordingly, we can take remediations. Qualys suggests, because it usually follows a scanning technique. It captures everything into the picture. Whatever the recommendations they have given, we also consider and try to use.

I would definitely recommend Qualys Patch Management because it has a great scanning vulnerability mechanism in place. They have created user-friendly dashboards, and the latest scans happen at the back end even if we don't do it manually, providing us with reports. In case any critical vulnerability is there, they immediately send us the email notification that this is the critical vulnerability that needs to be fixed urgently, so Qualys has the best mechanism integrated with our infrastructure. I rate this solution an 8 out of 10.

I was the user of Qualys Patch Management. The client purchased the tool, and as a security delivery lead, my responsibility was to provide the complete vulnerability management solution along with patch configuration and patch management. I have used Patch Management in Qualys along with the VMDR.

There are several features in Qualys Patch Management that have proven very helpful. The first is the automated patch deployment module. If Qualys Patch Management detects any critical vulnerability, I can schedule a patch that will automatically detect the vulnerability and check if a patch is available. If a patch is available, it deploys automatically, which helps in vulnerability remediation. Manual patching takes considerably more time, but automation reduces the time significantly.

Another valuable feature is critical security patch prioritization. When Qualys Patch Management detects critical vulnerabilities, it can help prioritize them. Some vulnerabilities are patch-specific, while others require configuration support. Once I deployed Qualys Patch Management, all patch-related vulnerabilities that are patchable are automatically mitigated. This allows my vulnerability management team and remediation team to focus only on vulnerabilities where a patch is not available or where configuration changes are needed. This reduces almost 30 to 40% of effort and time for the overall team.

When I use VMDR and Qualys Patch Management together, there are several best features I can achieve. The first is a unified VMDR and Qualys Patch Management integration in a single place. The direct integration between vulnerability findings and remediation workflows automatically prioritizes patches and deploys them automatically, which reduces significant time and effort. This also protects endpoints or assets in a more effective way. Another benefit is risk-based prioritization. Without automation, I would need to review all vulnerability reports, do the prioritization first, then schedule for the patch and deploy it. Qualys VMDR provides vulnerability prioritization, and when integrated with Qualys Patch Management, it automatically prioritizes critical vulnerabilities and high-security vulnerabilities, deploying patches automatically if available.

I can highlight two areas for improvement. The first is better reporting flexibility and dashboard customization. Qualys VMDR has a great dashboard that I can customize, but Qualys Patch Management does not have a specific dashboard associated only with patch management and patch compliance. The customization could be improved significantly.

The second area is third-party application coverage. Qualys Patch Management works very effectively when patching servers, internal servers, Windows, iOS, or Linux servers. However, when doing application security with third-party applications that require patches, it sometimes fails to complete the patch. The deployment issue with third-party applications needs enhancement, as even with integration, Qualys Patch Management is not able to deploy patches for some third-party applications. These are the two main points I can highlight for improvement.

I can say that 80 to 85% of vulnerabilities that are patchable and already have patches available will be handled through this integration. Almost 85 to 90% of the time, patches will deploy automatically. I can verify this with the remediation team and run another vulnerability scan to check if it is working properly. However, for some vulnerabilities or assets, it did not work properly, requiring me to raise a support ticket with Qualys. Additionally, I need to perform some configuration changes until the patch is deployed. So 85 to 90% of the time, patches will deploy automatically if available.

I rate Qualys customer service almost eight or nine because I have reached out to them many times, not only for integration but also for false positive analysis. I have raised issues when the scanner was not working properly or when there were authentication profile issues. They have proper communication skills along with technical expertise. They have been great and helped me tremendously in learning about Qualys and completing integrations.

The setup was not very complex because Qualys provides proper documentation and free training. I am also Qualys certified with four certifications from Qualys. If I follow the documentation and processes, and if VMDR is already deployed, Qualys Patch Management deployment is very straightforward. From an engineering perspective, it takes only one to two days. In a cloud environment, deployment should be completed within one day. In an on-premises environment, authentication takes more time and sometimes authentication fails. In that case, the maximum deployment and testing time is two days, not more than that.

I have used Nessus, Qualys, Tenable Nessus, Qualys, and Rapid7, discovering and working on three tools. From my perspective, not only Qualys Patch Management but the overall Qualys package comes with Qualys VMDR, Cloud Agent, Qualys Patch Management, and EASM (External Attack Surface Management). All those features are excellent in the current market. Qualys is providing the best solution when it comes to vulnerability management, vulnerability prioritization, and a risk-based approach to enhance security.

I have worked at TCS previously and used Qualys Patch Management for multiple projects in manufacturing, banking, insurance, and enterprise environments. If you are working on any enterprise-related project or focusing on vulnerability management or application security, Qualys Patch Management can be beneficial across all sections because it provides numerous features. Deploying and learning Qualys will be very beneficial.

From my perspective, Qualys Patch Management provides significant benefits in both hybrid environments. When integrating with AWS or Azure systems through cloud agents, I get almost 90-95% patches from Qualys Patch Management. When deployed on-premises in a local server with proper authentication, it is not 100% beneficial and requires some manual intervention. I need to check and prioritize patches and verify deployment. However, when integrating with cloud-based solutions, you gain substantial advantages from Qualys Patch Management.

I have used the risk reduction recommendation report primarily in VMDR for risk reduction. The VMDR module provides vulnerability and risk prioritization. Along with that, I use vulnerability maturity models because my CMDB contains many assets. Some assets are external-facing, which have higher risk, while internal assets are categorized based on whether they are production or non-production environments. Apart from severity, Qualys VMDR provides the TruRisk score, which I use for vulnerability prioritization to determine critical assets and prioritize them accordingly.

From a risk perspective, with Qualys Patch Management integrated with cloud and VMDR solutions, whenever vulnerability reports or scans are generated, Qualys VMDR automatically prioritizes vulnerabilities using severity, TruRisk score, and CVSS matrices. Qualys Patch Management has the capability to identify which vulnerabilities to prioritize first. Even without manual identification, Qualys can automatically identify critical vulnerabilities, and Qualys Patch Management automation will automatically deploy those patches. This entire architecture of Qualys VMDR, Qualys Patch Management, and cloud or SaaS solutions or on-premises deployment creates the complete advantage.

I rate this product nine out of ten overall.

We have over 1,800 servers, and we perform Qualys finding remediation along with some TSRs every week and month. We check whether findings available in the dashboard have been addressed, and then we proceed with security remediations across all servers with the development team.

Currently, on each server, we have some remediations that we need to perform, including kernel updates and library directory updates. Whatever older directories are coming under Qualys findings, we maintain those servers as healthy and keep the updated software on the servers that our clients use. We use the data available in the satellite for kernels and maintain that software across all servers.

Once security remediation is completed, we submit a scan. The dashboard we use has around a thousand records or findings. We check whether each finding has been dropped. Once we start remediating, the finding should be dropped. However, there are some places where it does not drop from the dashboard. In those cases, we raise tickets to Qualys team and ask them to remediate. We provide appropriate data, including information about the change, the time it was done, and confirmation that the finding was not present in the scan report. We send that data via email to Qualys team, and they reach out to us asking for confirmation. Once we confirm, they remediate it from the dashboard.

We cannot manually log in to each server and remediate the findings that are available because that would take a huge amount of time. Instead, we have automation where remediation is performed on the servers themselves. Suppose we have 600 servers. We cannot log in to each server individually, so we keep one automation where the server will automatically take itself out of rotation if it has live traffic and place itself on a maintenance page. This automation takes care of each patching task without requiring manual intervention.

We have a security team that reviews any security compliances, potential leakages, or breaches on the servers. If there are any issues, we conduct a quick review and immediately schedule a change and manually perform it in a short time period.

We have that automated. Currently, our project has four data centers, and each data center has approximately 40 to 50 servers. We have automation that segregates each server based on its type, such as web and gateway and API server. We have one dashboard called ZSM, Zero Touch Patching, where we have onboarded all the servers into that portal. Whenever we have findings on particular patch plans or servers, we select one and set a Risk Reduction Target of next 20 days. We can then remediate JDK Java upgrades, Linux kernel upgrades, TSR emulation, or whatever application we select.

The remediation process goes through several steps. First, it checks if the data center is disabled or not. Next, it checks if VBMS is on a maintenance page or if particular servers are in maintenance mode. Then it triggers the update. The fourth step maintains the process and sends an email. The fifth step sends an email to our team once patching is complete. The sixth step enables the data center, and the seventh step closes the change in a particular portal. Since it goes through all these steps, we just maintain whether each step is executing properly or not. We see if the particular server is in maintenance page on the backend. Once everything looks good, we acknowledge it and send it to patching.

We have one dashboard called VBMS, Vulnerability Management tool, which shows particular ATC. Suppose an application has one secondary contact. Under that contact, there are multiple applications. We have a call every week, like a security call. We join that and see what findings are there. For example, with a JDK upgrade finding with a 20-day Risk Reduction Target, we have a sign-off on which version we need to deploy for the upgrade. We send an email to the development team and the security team. They verify whether that particular version is available in the portal or in the satellite. Once they give us a green flag, we schedule the changes along with all the patch plans.

Another team checks findings using a Risk Reduction Recommendation Report approach in Qualys, checking with their respective teams to determine which findings are causing security issues. We do the work on the backend while they check on the front end. Last week, we had an issue where they sent a package that was available in the satellite but had not been tested. When we deployed it, we caused an application error and the clients were impacted, resulting in a war call. We halted everything and sat on that one patch group for two days where it was causing an impact. The other team and our team worked together and determined that the current version was different compared to what was in the satellite. Once they checked it, they provided the correct version, and we completed everything in 32 to 33 hours.

Every organization should have security vulnerabilities systems. Our company has a ton of servers, and a single person cannot handle everything. Since we onboarded into Qualys Patch Management's ZSM portal with automation, everyone can go and schedule work and trigger it and forget it. Once it is done, we start validating the application. This has been quite good. A few years back, we were using it manually and it was taking time. Suppose we had 60 servers. If we were going to do it manually before automation, it should take one and a half days. Each server needed to be taken out of rotation and manually updated, which took a huge amount of time. Since we onboarded it, it has been very helpful for us to get remediation done in time.

Now it takes one day. Since we get approvals in half a day, we can schedule the changes that week. Since we have data centers A, B, C, and D there, and we have 1,800 servers, we cannot do it in a single day. That is why we have planned it around one week, with the last three days dedicated to completion.

I would give this a four rating out of five. There should be some more improvements, but from what I see in the dashboards on our team and since it is available in our company itself, things are going well right now. We are dealing with a lot of servers, and it is going well since we have onboarded. The servers are going very fast, and if it fails, we check it immediately. It does not take that much time.

The solution guide on the dashboard should show the solution very clearly. There should be some differences when comparing to other companies, but in our company's dashboard, if we have any findings on any server, it will pop up in an immediate section as a very important state. It will be halted and point us to start remediating it. Since we do not have that solution criteria, we end up calling multiple teams and asking them what version needs to be deployed. We do that every time. If they provided such a solution guide, it would be very helpful for us.

The first thing is the solution guide, and it has to be very clear. For this package, it needs to show what the correct version that needs to be deployed is. It has to pop up correctly. I feel that whatever the availability is, it has to be an advanced one. That should be very helpful for each individual to help and progress on the security things.

I have been working on security remediations for Qualys Patch Management and TSRs for four to five and a half years.

The solution guide on the dashboard should show the solution very clearly. There should be some differences when comparing to other companies, but in our company's dashboard, if we have any findings on any server, it will pop up in an immediate section as a very important state. It will be halted and point us to start remediating it. Since we do not have that solution criteria, we end up calling multiple teams and asking them what version needs to be deployed. We do that every time. If they provided such a solution guide, it would be very helpful for us.

Positive

The first thing is the solution guide, and it has to be very clear. For this package, what the correct version that needs to be deployed is has to be shown. It has to pop up correctly. I feel that whatever the availability is, it has to be an advanced one. That should be very helpful for each individual to help and progress on the security things.

Now it takes one day. Since approvals are received in half a day, we can schedule the changes that week. Since we have data centers A, B, C, and D there, and we have 1,800 servers, we cannot do it in a single day. That is why we have planned it around one week, with the last three days dedicated to completion.

Previously when I joined, they were using something, but after that, there was another team that was going to verify. I am not sure what deployment job they are using.

I would rate this product a nine overall.

Qualys Patch Management serves as both a vulnerability identification tool and a patching tool in our organization. We initially used it for vulnerability identification, and then expanded to using it as a patching tool itself based on the vulnerabilities it identifies. We started using the identified vulnerabilities and began patching at the server level. Currently, we do not work at the asset level with end-user components, although I do have ideas about that. The majority of the time, we patch our servers on the server side only. Once we identify vulnerabilities found under Qualys Patch Management vulnerability management, we schedule the patches for the respective servers based on various criteria. The majority of the systems we work on are Windows, with Linux as a secondary focus. We schedule jobs based on the operating system and the relevant third-party applications, and we do have a standard operating process that we follow.

For non-production services, we prioritize them first, and whatever testing is done is typically on non-production first. After non-production testing, if we see any issues, we work on understanding the root cause of those failures, whether it is from the tool side or server-side issues. Then we move to the pre-production level for further testing. After successful testing in pre-production, we move to production servers by scheduling patch jobs, delineating three waves. We normally test in upper-level management first before moving to production servers.

The best feature of Qualys Patch Management, from my perspective, is automation because we do not have to select patches manually. In manual patching scenarios, such as if we do not use Qualys Patch Management and try to patch through other tools, we typically amend the patches at the script level. With Qualys Patch Management, we can use a script to automatically select patches, and automation of patch selection is indeed a highlight. Moreover, we have options for pre-checks and post-checks; we can use scripting for all operating system types. For Windows, we usually employ self-scripting, and for Linux, we use Ansible scripts. Leveraging these scripts within Qualys Patch Management makes it stand out when compared with other patching tools.

The risk-based approach of Qualys Patch Management is effective for creating automation to address risks. This is because the vulnerability management aspect has been working in tandem, allowing risk to be identified and categorized according to severity and CVSS scores. It does not allow for patching every vulnerability; generally, one patch can address multiple vulnerabilities, particularly cumulative updates or service level patches. Qualys Patch Management prioritizes addressing the most significant risks presented through identified vulnerabilities.

The integration with the VMDR product is important to me as it automates the inclusion of all relevant patches and configuration changes needed to remediate vulnerabilities. Post-integration, Qualys Patch Management as a service has evolved. After the VMware integration, Qualys Patch Management service saw advancements in vulnerability detection and prioritization based on exploitability and threat levels. This has enabled organizations to remediate vulnerabilities more effectively. Earlier, identifying vulnerabilities and reporting took longer, but now we automate processes, informing server owners of identified vulnerabilities. Continuous automation within the Qualys Patch Management ecosystem requires the installation of the Qualys Cloud Agent for effective operation.

Qualys Patch Management has room for improvement regarding certain blockages and error reporting; if a patch fails, it often lacks accurate detail on why the failure occurred, necessitating manual investigation to troubleshoot errors. I would appreciate improvements in the accuracy of patch failure information from Qualys Patch Management. Users tend to encounter confusion over why a patch failed—it could be due to the tool itself, server issues, or network problems. The details provided should explain failures clearly; if we only see that patches failed without comprehensive information regarding error codes, it complicates troubleshooting.

Another feature request is to automate patch selection for a larger number of servers, as it currently only allows bulk selection via CSV files where case sensitivity can cause issues. We do use the Qualys Patch Management risk reduction recommendation report; however, we do not fully rely on it due to needed advancements. The ability to create widgets according to our specific requirements is a benefit, but the process of creating these widgets needs improvement to avoid duplication of data and showcase the actual data we have worked on to management effectively.

We do use ServiceNow as our CMDB for ticket management, and this integration raises significant concerns regarding synchronization, as it is vital that up-to-date information reflects within Qualys Patch Management. We have encountered issues with bidirectional synchronization between Qualys Patch Management and ServiceNow; when we engage with Qualys Patch Management support, they often cite tool bugs affecting synchronization, indicating that improvements in integration and subsequent responses to arising issues are necessary.

I have been using Qualys Patch Management for five years in the same profile, and I do have a total of twelve years of experience, with relevant experience in Qualys Patch Management somewhere around five to six years.

I have not encountered reliability issues or significant limitations regarding the scalability of Qualys Patch Management. The cloud-based architecture facilitates scalability, allowing us to manage thousands of assets effortlessly, though user experience can be complex compared to more modern tools.

On a scale of one to ten, I would rate the tech support of Qualys Patch Management at five; it is average with a mix of above and below average experiences. Once a support case is raised, we expect an estimated time of resolution, which has been lacking and requires improvement, particularly in urgency perception when categorizing priorities.

The setup for Qualys Patch Management has been straightforward for Windows systems, while Linux presents more challenges, as deploying and patching Linux assets is often more intricate. Our experience is positive for Windows, but Linux requires further optimization for it to serve as a primary tool.

Qualys Patch Management has helped us reduce our organization's risk profile significantly. Previously, we faced various service-level attacks with a true risk value of five hundred and fifteen, which we have successfully lowered to two hundred and thirty after implementing Qualys Patch Management. The platform has improved our ability to remediate vulnerabilities within a timely manner. Using Qualys Patch Management has indeed improved our patch rates. In the past, it took us seven to ten days to close critical patches, but now we manage to address them within forty-eight hours, while high-priority SLAs can often be resolved within seven days.

The experience with pricing, setup costs, and licensing for Qualys Patch Management has been straightforward without any complex difficulties. Support from Qualys Patch Management around licensing issues has been helpful, though challenges arise if the Qualys Patch Management agent is redeployed, necessitating us to re-enable licenses within the Patch Management module, a detail that needs more prominent highlighting in technical documentation.

Our decision to go with Qualys Patch Management over other patch management solutions stemmed from its solid track record of efficiently identifying vulnerabilities, especially compared to other tools I have used in previous roles. While there are other competitors, we find Qualys Patch Management effective in prioritizing vulnerabilities, and we have been able to rely on it without changing for quite some time, indicating its reliability compared to other products such as Tenable and Nessus.

The TruRisk automation is advantageous as it helps remediate vulnerabilities without needing to involve the security team. TruRisk combines CVSS, threat intelligence, and asset context, giving scores ranging from zero to a thousand. Based on this prioritization, the actual risk level can vary; for example, if a vulnerability scores a hundred, it indicates urgent remediation is necessary. This TruRisk automation highlights the need for verification alongside deployment, defining risk thresholds based on true risk levels to optimize patch jobs. Qualys Patch Management indeed provides a single source of truth for assessing, prioritizing, and remediating assets and vulnerabilities. This is exactly why we utilize it as our patching tool. However, it is crucial to acknowledge that no tool achieves full perfection; there are always pros and cons involved. I rate this product an eight out of ten overall.

Our clients vary greatly because we support many other technologies, such as Microsoft 365. Our clients can range from fewer than 100 to up to 2,000 or 3,000 devices.

The automated patch management in Qualys Patch Management is one of the best features because there is very little intervention required for us to achieve what we are trying to accomplish. The fact that we can manage thousands of endpoints is a very significant advantage for us because, given the nature of our business, by the time we reach a client, they already have numerous devices. We can easily identify over a thousand assets in a single operation.

We connect VMDR with Qualys Patch Management to identify assets and determine which patches need deployment. We run VMDR first, and once we identify all assets, we identify the patches to be deployed, at which point Qualys Patch Management completes the rest.

The integration and automation between VMDR and Qualys Patch Management is very important for us because when managing thousands of devices, the number of people needed depends on how effectively the integration functions. If the integration works well, we find that the workload is reduced by almost 70%. If it does not work properly, manual intervention becomes necessary, which typically requires a large number of people.

Qualys Patch Management provides me with a single source of truth for assets and vulnerabilities because we usually do not have another option. When we recommend Qualys Patch Management to a client, it is because we know it will be the single source of truth and must work for all required scenarios.

The biggest work with Qualys is the initial configuration. Once the initial configuration is complete, the work required for maintenance is not substantial and can be done with minimal effort. However, the initial work is quite significant to get everything functioning properly.

Qualys Patch Management is one of the best solutions because the patch success rate is very high. It always reduces the remediation time significantly and works very fast in this sector. It is also excellent at third-party patching and performs better than most in this area.

The interface could benefit from improved user experience and quality of life improvements. The dashboard could be more intuitive, as this is a common concern for applications with extensive point-and-click functionality. It is also complicated to understand the licensing and costing, as we constantly try to find ways to reduce costs, especially when implementing the solution for new clients. We would appreciate broader driver and app support to cover all systems we encounter at client sites. The rollback feature, where you test patching in a staging environment and perform a rollback if it does not work, has been complicated for us to implement and understand.

Various deployments are possible, with deployment typically on cloud platforms. In our case, Azure is utilized, indicating a Microsoft-based cloud environment.

I would rate the stability at eight or nine out of ten. We have not experienced issues with Qualys Patch Management, although it can be slow at times.

Scalability depends greatly on the environment. I would give scalability a rating of eight out of ten, especially for large environments where the higher number of users, the better the value obtained.

I would rate vendor technical support at six out of ten. We usually have to research and resolve many issues using the knowledge base. When we have an urgent issue, we prefer having someone knowledgeable to point us in the right direction quickly. However, this typically involves first locating the information in the knowledge base.

Positive

The Risk Reduction Recommendation Report helps me identify vulnerabilities that reduce the most risk within our organization because patching is an ongoing process with patches that constantly need to be deployed. We want to start with the ones that pose the highest risk, and that is where this report becomes invaluable. It allows us to prioritize which patches to address first that represent the lowest hanging fruit but will provide the most impact.

Deployment typically takes a few weeks, as we are also deploying other solutions. The timeframe depends on how much remediation needs to be done and how urgent that is. If we start deployment on a patch and then realize something urgent, we allocate a larger team to address that issue, which might pause deployment to other devices.

The solution is deployed on Azure, which is typically Microsoft-based.

The Risk Reduction Recommendation Report is very useful, especially when we are executing recurring patch jobs. Patching is a very repetitive process, and sometimes we need to perform the same tasks multiple times. Sometimes we need to roll back changes, and this report allows us to create a proper project management plan for how we will implement the patching process.

For assessing risk, we usually use Qualys Total Cloud mostly because of the risk scoring as opposed to Qualys Patch Management by itself. Because we typically use all three Qualys solutions, the bulk of the work for this occurs within Qualys Total Cloud.

Qualys reduces risk for us and our clients by upwards of 50% when we arrive at a client site with no previous software installed. If they have other software they were using and then transition to Qualys, the reduction would be approximately 30% or 25% if they had another application previously.

I use Qualys's integration with CMDB or ITSM tools for ticket management, specifically with ServiceNow.

The solution helps reduce the amount of ticket processing time because the proactive nature of the solution allows for proactive risk patching. Users do not need to report issues, so by the time they encounter a notification or problem, it has already been handled by Qualys Patch Management, which helps reduce ticket volume by about 30%. For us, this is the most important aspect because we are usually an outside service provider, and when we have too many unresolved tickets, it becomes an issue for us. Our priority is to maintain the lowest number of tickets, and this is how Qualys Patch Management contributes to our operations.

For most clients, deployment depends on their size. Usually, smaller teams deploy the solution locally, but as the number of devices increases, we push deployment toward the cloud. Deployment is typically in the cloud, especially for environments with 300 to 1,000 devices.

I would advise others that using Qualys Patch Management integrated with other Qualys solutions yields the best results. While Qualys Patch Management is a good tool by itself, integration with other solutions significantly enhances its value. Organizations should also anticipate substantial effort in setup and deployment, especially with agent deployment. My overall rating for this solution is 8.5 out of 10.

I was using Qualys Patch Management, but due to license constraints, I am currently not using Patch Management and have switched to a different third-party tool for patch management. However, I have experience with Qualys Patch Management.

Qualys Patch Management comes within the VMDR module itself, so vulnerability identification and remediation are available from the same console. I can remediate vulnerabilities using the same console, which allows the security and infrastructure teams to work together without depending on multiple tools. The tool shows the patch, and I can remediate or patch the vulnerabilities directly from it. It is particularly useful for Windows patching because of the patch deployment capabilities, allowing me to track the patch job and manage reboots straightforwardly.

Qualys Patch Management is based on modules, with each module integrated into the same console. This provides good visibility into missing patches, which helps reduce manual effort. Based on this visibility, I can prioritize critical vulnerabilities and take immediate action on whether patches are available for particular vulnerabilities. It is useful for remote endpoints because of the Qualys agent, which can communicate with systems outside the corporate network. If a patch is available for a particular vulnerability, I can patch the vulnerability from the console itself.

When using Qualys Patch Management with TruRisk, it prioritizes vulnerabilities based on several factors, including whether systems are external facing, combining severity and exploitable availability. I can prioritize exploitable vulnerabilities and patch those accordingly. For example, if a critical CVE has a higher score and the server is internal facing in production, I take action based on these TruRisk considerations. When a system has 100 vulnerabilities, I can focus on high criticality in the production environment.

Qualys Patch Management is based on modules, with each module integrated into the same console. I have good visibility into missing patches, which reduces manual effort. Based on this visibility, I can prioritize critical vulnerabilities and take immediate action on whether patches are available. It is useful for remote endpoints because of the Qualys agent, which can communicate with systems outside the corporate network.

When using Qualys Patch Management with TruRisk, it prioritizes vulnerabilities based on several factors, including whether systems are external facing, combining severity and exploitable availability. I can prioritize exploitable vulnerabilities and patch those accordingly. For example, if a critical CVE has a higher score and the server is internal facing in production, I take action based on these TruRisk considerations. Overall, it provides a comprehensive view and helps me focus on high criticality in the production environment.

Compared to the cost involved, the time spent on patching risks has reduced significantly when using Qualys Patch Management. Instead of patching 5,000 vulnerabilities, my team focuses on 300 to 500 vulnerabilities, which is similar to using third-party patch management that directly connects with Qualys. Qualys Patch Management integrates directly with vulnerability findings, asset criticality, and compliance reporting. This makes it easier for my team to prioritize patches based on actual risk rather than just missing updates.

Sometimes in Qualys Patch Management, patches fail due to agent communication issues with Qualys. This occurs primarily because of endpoint connectivity problems and agent communication issues that arise when a user shuts down their laptops during patch windows. Additionally, most of my servers run on Linux, which makes Linux patching slightly more complicated compared to Windows due to package dependencies and repository issues that can lead to potential failures.

I have experience with Qualys Patch Management spanning two to three years.

Qualys support is excellent, and I would rate it a nine because they are responsive when I raise a support ticket and they effectively troubleshoot the issues I report.

For scalability, I would rate it an eight. It provides a comprehensive view of vulnerabilities in Qualys and ensures that patch management does not miss any systems. I have not faced issues in this regard, so I would rate it eight to nine.

Qualys support is excellent, and I would rate it a nine because they are responsive when I raise a support ticket and they effectively troubleshoot the issues I report.

Before using Qualys Patch Management, I was using only Qualys VMDR and required manual patching from the server team or other teams. After implementing Patch Management, the vulnerability count has been reduced compared to the previous year or quarter, increasing remediation efforts by around 20%. Based on quarterly reviews, I have increased patching efforts by 25 plus, which helps significantly in my environment when using a patch management tool that includes Qualys in a single console.

By using Qualys TruRisk and Patch Management, I estimate a workload reduction of around 60% to 80% in terms of focusing on vulnerability quality. My patching has been reduced by 40% to 60% because the change management and maintenance window duration has decreased to around 30%.

As a price point, Qualys Patch Management is likely costlier compared to different third-party vendors.

When comparing Qualys Patch Management with third-party solutions, third-party patch management tools must be integrated, but with Qualys Patch Management, I can directly integrate it with VMDR to prioritize vulnerabilities based on the vulnerability list. Third-party patch management requires a direct connection with Qualys.

I definitely recommend Qualys VMDR to other users, especially if they are already using Qualys VMDR; they should also use Patch Management. It offers visibility into vulnerabilities, making it easier to perform patching. For larger organizations with different VMDR solutions and cloud vulnerabilities, integrating them into patch management systems can become difficult. Overall, I rate Qualys Patch Management an 8.5, and the review rating is 8.

I am a customer of this solution and use it internally in my company. Currently, I am working with the latest version of Qualys Patch Management, which is the 2025 version. We use Qualys Patch Management for all our clients as well as our complete environment, managing about 30,000 endpoints and about 12,000 servers for one of the hospitals. We scan every weekend and get the results in our dashboards, allowing us to create deployments for browsers daily, and we have specific dates for pushing patches on other servers. For endpoints, we push the patches every month for five days.

Agent Conflicts: Especially when coexisting with other endpoint tools (e.g., SCCM, BigFix).

Performance Overhead: On older systems, the agent can be resource-intensive.

Patch Coverage Gaps

Limited support for third-party applications or non-Windows OS in some environments.

Some patches may not be available in the Qualys catalog, requiring manual intervention.

Complex Configuration

Initial setup and policy tuning can be time-consuming.

Requires skilled personnel to manage tagging, job scheduling, and exception handling.

Integration Challenges

May not integrate seamlessly with all ticketing or CMDB systems without customization.

The most valuable features of Qualys Patch Management include the results we scan and what we find for all the third-party and security critical issues, along with the querying we use to filter the patches. We assess Patch Management's risk-based approach by prioritizing the patches, which is the key feature we use. For any critical patches, we patch immediately for all servers and endpoints. For non-vulnerable or non-critical patches, we have a very different patching strategy.

I use Qualys Patch Management integrated with Qualys VMDR, which is a cloud-based tool that provides complete modules. Whenever I purchase any module, it automatically integrates, but only customers of VMDR can integrate it. Without VMDR, Qualys Patch Management does not work. The integration between Qualys Patch Management and VMDR is crucial as it automatically includes all relevant patches and configuration changes required to remediate vulnerabilities detected by VMDR, playing a very important role in risk management and infrastructure security.

Qualys Patch Management helps remediate vulnerabilities with most tasks automated, except for patches requiring reboots. We have automated the non-critical updates and the planning for Microsoft patch releases is clear and organized. Qualys Patch Management provides a single source of truth for assessing, prioritizing, and remediating assets and vulnerabilities, with everything integrated in one dashboard, allowing us to easily manage our tasks and reduce costs.

Automated Patch Rollback:Ability to revert patches automatically if they cause issues post-deployment
Patch Approval Workflow:Built-in approval chains for patch deployment based on asset criticality or business unit
Offline Patch Deployment:Support for patching air-gapped or isolated systems without internet access.

Third-Party Application Coverage:Currently limited support for non-Microsoft and niche third-party applications.Expanding this would reduce reliance on manual patching or other tools.
Agent Performance Optimization:The Qualys Cloud Agent can be resource-intensive, especially on older or low-spec systems.Improvements in memory and CPU usage would enhance endpoint stability.

I have been working with Qualys Patch Management for about the past five years.

While I've recently seen many problems with stability and reliability in Qualys, it was initially stable; however, current issues include modules being offline for extended periods.

Qualys Patch Management is highly scalable, suitable for any size of enterprise, from small to large.

I communicate often with Qualys Patch Management's technical support, which has a dedicated team available 24/7, and I would rate their support a 10.

Positive

The main reason for switching from BigFix to Qualys was the need for integrated tools on a single platform, which prompted the decision to choose Qualys Patch Management. Adding Qualys Patch Management affected my infrastructure positively, as it replaced BigFix, allowing for better integration of patch management with our existing vulnerability management, resulting in improved report access and vulnerability fixing.

Qualys Patch Management has definitely reduced my organization's risk; we used to receive over 1.8 million vulnerabilities every month and most issues are fixed through patch management.

I have not been involved with pricing and licensing decisions for Qualys Patch Management since it was already purchased.

Before choosing Qualys, I did evaluate other options, but the opportunities and pricing offered by Qualys, especially with multiple licenses, made us decide to move directly from BigFix.

I do not use the solution's integrations with CMDB or ITSM tools for ticket management. Adding Qualys Patch Management affected my infrastructure positively, as it replaced BigFix, allowing for better integration of patch management with our existing vulnerability management, resulting in improved report access and vulnerability fixing. The integration with risk management like VMDR and other security solutions provides significant benefits for eliminating vulnerabilities and avoiding exploitation. The single source of truth provided by Qualys Patch Management has helped reduce costs by integrating multiple tools into a single platform, making it easier to analyze and user-friendly. On a scale of one to ten, I rate Qualys Patch Management an eight out of ten.

Qualys Patch Management includes cloud simplicity and a very straightforward interface, which is why it is preferable. Our client has a specific requirement that we use Qualys Patch Management because it may be recommended by the client. Other various technical specifications are involved, such as cloud-based patch management, which is easily accessed via its SaaS platform, and no on-prem patch servers are utilized, ensuring centralized control and access within hybrid cloud environments. Cloud Agent drives patch management with its very lightweight agent at endpoint servers, creating minimal load. Another use case is that it operates without VPN for outbound connectivity and provides real-time patch visibility.

I have deployed the solution across various environments, including cloud, on-premises, and hybrid models, utilizing different licenses across data centers. The primary cloud data centers in India operating on AWS or Azure support all types of environments without limitations.

As a third-party auditor, I particularly value the risk-based patch prioritization features in Qualys Patch Management, such as CVSS scores, exploitability, threat intelligence, and prioritizing cases based on criticality, severities, and exploits.

During the scan, it is based on the CVSS score, which categorizes severity scores as critical, high, medium, and low initial risk indicators. Then we check for exploitation intelligence, where Qualys Patch Management automatically informs us of known exploits, active exploitations, and weaponized vulnerabilities. A high CVSS score indicates that this needs to be closed as per SLA within customer requirements. The next step is understanding malware threat contexts, which includes malware associations, ransomware links, and APT relevancies during the asset criticality phase. In this phase, we identify production requirements, citizen-centric services, dependencies on data centers, and payment services, allowing us to tag the asset accordingly. Then we perform exposure and reachability checks due to potential connections that may rely externally. Qualys Patch Management functions in all types of environments, including cloud environments, making it the best approach for faster recommendations on real-time threats. It also reduces operational times and provides clarity on SLAs and auditor requirements.

TruRisk Automation is a component of VMDR or patch management that contributes to continuous detection. Automatically prioritizing vulnerabilities based on CVSS scores and known exploits enables automated remediation mapping and patch management as well, followed by post-patch validation. The key benefits for customers revolve around faster remediation of exploit threats, reduced manual effort, and lowered MTTR while ensuring adherence to SLAs and maintaining a full audit trail. TruRisk assessment relies on automation, correlation, and exploit intelligence, all integral features within VMDR and TruRisk remediation.

Qualys Patch Management provides a single source of truth for assets and vulnerabilities that require assessment, prioritization, and remediation. In cybersecurity contexts, this means that during an attack's initial phase, it can easily identify vulnerable assets in a production environment. It helps with asset inventory, prioritization, and prediction as well as risk views. I can visualize everything on a unified dashboard like TruRisk, allowing for a clear overview of severities and exploitability. During patch status reporting or compliance checks, I identify missing patches easily, and deployment can occur for those gaps to ensure adherence to one hundred percent compliance according to assessed risks. In reporting, I have customizable SLAs and aging details based on required patch timelines, highlighting the platform's usability for both government entities and private sectors.

There is a single loophole within patch rates related to zero-day vulnerabilities, which present notable challenges in cybersecurity that Qualys Patch Management needs to improve on, as they sometimes require extensive time to mitigate.

Everything functions well, although in today's era, I suggest enhancements such as integrating natural processing models and queries within the product. Including artificial intelligence features would allow for rapid market capture, particularly within government areas where users may not be technologically advanced. Utilizing natural language processing queries would streamline report generation.

On the rating scale against other patch solutions, I assign Qualys Patch Management a score of nine, considering only a slight deduction for the slow response time towards zero-day vulnerabilities.

Overall, I give the solution a rating of nine out of ten for its various components and perspectives, the only deduction being for the management of zero-day vulnerabilities, which still require improvement. Although they are being addressed, it does take time due to the reliance on globally sourced threat intelligence, which is contingent upon their efficacy and the broader industry landscape.

I have been using Qualys Patch Management since two thousand twelve when it initially started with vulnerability management and patch management, and it works on compliance management, so I have worked with Qualys Patch Management for at least approximately ten years.

For stability, I would rate it nine due to heavy computations influencing processing speed; it works efficiently within data centers, but in less capable environments, report generation may lag at times, although it ultimately functions properly.

The scalability is impressive since it auto-scales in real-time whenever peak thresholds are crossed, receiving a score of ten out of ten.

Having worked for ten to fifteen years in cybersecurity and various CERTs, I find that if you receive a product that offers superior output at competitive market rates, I grant all of Qualys' products perfect marks, not just this one. They are readily available on the market, supported by helpful resellers, and prompt customer assistance effectively addresses concerns within specified timelines, all of which elevate my satisfaction.

Positive

I have tested Nessus Tenable, regarded as one of the most powerful tools available compared to Qualys Patch Management; all other tools trail behind in capability.

The pricing of Qualys Patch Management is comparatively cheap; hence my high rating, as Tenable and other offerings present significantly higher licensing costs, often three to four times as much. Furthermore, a remarkable advantage of Qualys Patch Management is the absence of asset limitations; once a license is purchased, unlimited assets can be added. For example, if you secure licenses for three hundred assets, you are unrestricted in adding or modifying this within the interface.

In my relationship with Qualys Patch Management, I am working as a third-party auditor in EY, KPMG, and Deloitte.

I work as a third-party auditor consultant; we audit compliances as well as security audits performed on various products as per client-specific requirements.

The process of generating tickets has become much more efficient, especially for requests from roles like secretaries, IAS officers, or personnel in the government sector, which often demands quick reporting. This tool allows for the quick generation of reports after applying necessary filters. For instance, retrieving details on outdated assets or projects can happen swiftly as long as the patch management software and CMDB are current. However, I emphasize the importance of using genuine licensed products rather than attempting to use pirated versions.

Qualys Patch Management has significantly reduced overall risk in my organization, which I would quantify highly on a scale of one to ten.

Patch Management plays a role in risk reduction by directly addressing vulnerabilities; for instance, it showcases CVSS scores distinguishing which vulnerabilities are patched. Patch management applies updates promptly once vulnerabilities are identified, thus eliminating associated risks. Using the example of an iPhone, if the current version denotes a problem, it highlights the necessity for updates which are crucial for mitigating risks. Overall, Qualys Patch Management enables customers to receive comprehensive recommendations, streamlining what typically requires third-party auditing.

I utilize the risk reduction recommendation report in patch management; it indicates measurable security exposures. For example, if a high-risk exploitative vulnerability is detected, it prioritizes mitigation based on severity scores, facilitating quicker patch management actions. Post-verification allows for real-time updates on vulnerability statuses, reducing the need for subsequent audits or patch verifications. It shows near real-time metrics focusing on critical vulnerabilities before or after management takes place, alongside findable data on MTTR and patch compliance. Qualys VMDR and Patch Management support continuous verification, enabling measurable reduction in critical exposure, aiding prioritization efforts for true risk vulnerabilities.

Within our data centers, we integrate the solution with CMDB or ITSM tools for ticket management, utilizing asset tagging within CMDB. Asset tagging includes various factors like host names, IP addresses, operating systems, and environmental data concerning production or non-production scenarios. For any necessary patch management changes requiring workflow alignment, we can trace everything effectively under the CMDB.

From an audit perspective, the time savings depend on the tools used; for instance, using Qualys Patch Management compared to alternative tools saves considerable time on report creation and other lengthy processes. Patch management can take around twenty to seventy-two hours based on a CVSS score over nine for zero-day vulnerabilities, about seven days for high risks with scores of seven to eight point nine, and for low risks, patch management ranges from thirty to sixty days due to lower impact and lack of urgency from clients regarding low vulnerabilities.

I do use Patch Management with VMDR, so Qualys Patch Management is integrated with VMDR.

If we separate tool functionalities, one tool dedicated to patch management and another for vulnerability management can complicate things. But if we connect through APIs, maintaining a single platform saves a significant amount of time. A tool that handles assessment, reports, and remediation using a unified platform is beneficial for system integrators, clients, and engineers alike. Additionally, as a system integrator, I find that continuous vulnerability detection is effective through cloud agents and network scans, which also aids in ongoing monitoring.

Qualys Patch Management is utilized by approximately three hundred to five hundred individuals within government organizations. In the private sector, particularly among larger firms like the Big Four, this number can extend to around five to six thousand users.

The solution generally requires only licensing costs for maintenance. If you possess a valid license, you gain access to updates. Customer support is an add-on, so basic assistance comprises part of the license agreement.

I give the technical support a rating of ten out of ten.

I have already endorsed Qualys Patch Management to several public sector undertakings and private banks, as well as organizations associated with government certifications where the product is recognized on the whitelisted tools list for state data centers and SWANs in India. I have given this solution an overall rating of nine out of ten.

My use cases for Qualys Patch Management involve checking the vulnerabilities, seeing what patches come out for Patch Tuesdays. I check different threat sites for any vulnerabilities related to anything that we have on our software stack and then see if those vulnerabilities affect our systems. If they do, I get them on a patch schedule.

The integration between Qualys Patch Management and VMDR is 100% important because VMDR is good for showing you the vulnerabilities and Qualys Patch Management is a valuable tool for remediating those vulnerabilities. Qualys Patch Management is good, especially with the TrueRisk system, as instead of just taking one aspect such as a CVSS score, it combines a variety of different factors into a TrueRisk score which lets you know exactly how vulnerable it is or not, regardless of the CVSS, and it'll help you prioritize which vulnerabilities to address first.

Qualys Patch Management gives me a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated. Qualys Patch Management has affected my security and IT teams positively; it makes it a lot easier to deal with everything. I have automated a lot of the patching jobs, so it alleviates the IT teams from having to deal with them unless they're on certain systems that haven't been online or if they don't have their systems added to a patch list for some reason or another.

One downside of Qualys Patch Management is that I would love to see them speed up the process of verifying patches and then rolling them out. I know for zero-days, it takes them 24 hours to screen a patch before they make it available for patching on systems. If they could speed that up to remediate the vulnerability faster, that would be great.

I have been using Qualys Patch Management in my career for just over a year.

Qualys Patch Management does not require any maintenance on my end at all.

Regarding stability, I experience issues whenever the overall system goes down, but there hasn't been a time where Qualys Patch Management has gone down outside of Qualys itself.

The scalability of Qualys Patch Management is good; I have no problem getting it on anything, and it pretty much takes care of my whole environment.

The technical support for Qualys Patch Management is good; however, I have never contacted them regarding this one because there have been no real issues for the patching.

Neutral

I have used ManageEngine as something similar.

The deployment for Qualys Patch Management is easy. It took me approximately two minutes to set the job up once I did it. If I do it on demand, it usually takes maybe half an hour to complete everything.

I deployed Qualys Patch Management myself, alone, just as with the CSAM that we reviewed previously.

I saw the benefits of Qualys Patch Management immediately after I installed it and set up various patch jobs for different categories. As soon as those jobs run, it shows you what patched, what's waiting, if anything failed, and why it failed. It's definitely a very intuitive tool.

The pricing for Qualys Patch Management is worth it. You definitely want to be able to address your vulnerability issues in any way possible, and patching definitely makes it easy because at least over half of the vulnerabilities usually come with a patch.

Both Qualys Patch Management and ManageEngine are pretty good; however, Qualys gives you more insight into the patch itself and the remediation of the vulnerability and how it remediates it, while ManageEngine simply states 'Here's a patch for this. Go ahead and put it out on the machine.' Qualys will actually give you more information behind the patch and the reason for it.

I use Qualys Patch Management with VMDR. On a scale from one to 10, I would rate Qualys Patch Management a nine overall.

The purpose of using Qualys Patch Management in my organization is to ensure that our systems are always up to date and to protect against vulnerabilities from attackers. Before we started using the patch management module, we were using the vulnerability management module, and we noted that we have a lot of CVEs that keep changing for some of the platforms that we are using. It was normally difficult for us to know and tell that a new patch had been deployed that addresses a certain CVE that had been discovered as a vulnerability, whether minor or major. We then decided to implement this particular module so that whatever we do, we know it will push all patches onto the servers and into the applications that we are using, such as PHP, Apache, or Nginx. Looking also at the agentic vulnerabilities and threats coming with agentic models or LLMs, Qualys Patch Management became ideal because we wanted an automated environment.

What I love most about Qualys Patch Management is that whenever a new patch comes through, the signatures are validated and the certificates that are coming in are valid and verified. Additionally, I am not left behind because this module automatically checks and verifies, which keeps me appraised of whatever happens, so I come in the morning with alerts and know the status of my services and applications within each server or engine under automation.

The importance of Qualys Patch Management's integration that automatically includes relevant patches and configurations required for vulnerabilities detected by VMDR is that I know my systems are safe and am reducing the surface where attackers or vulnerabilities can be exploited. When discussing script kiddies, they utilize discovered CVEs, and the moment I wait, I cannot know how much damage that can cause to the institution. With ransomware, if my Nginx or Apache version has a vulnerability, it will be easy for those actors to do whatever they want within a minute if I am too late in updating those CVEs. The importance of having this automated is as critical as keeping all systems secure, as we cannot do that in real time on our own. There are times when I am away from the office, so I have peace of mind that my systems are safe because they are in an automated environment.

In my opinion, there are areas within Qualys Patch Management that have room for improvement, such as cloud instance functionality. If mobile alerts could come through other social media platforms like WhatsApp or Telegram, it would facilitate monitoring even when my team is away. Here in Africa, we have social media bundles, and often I find that data only works for WhatsApp, making that the most viable option for alerts.

I started using Qualys Patch Management for patch management from 2020, so my experience spans a few years.

I rate the stability of Qualys Patch Management as very stable; I have never had any issues, neither from the team I work with nor from the organization. From one to ten, I rate the stability of Qualys Patch Management as a ten because I have never had an issue.

Qualys Patch Management is scalable. We had to virtualize our servers, and adding new ones to the platform was easy without any issue.

From one to ten, I rate Qualys Patch Management's technical support as a ten because I am happy with it.

Positive

Unfortunately, I have not used other vendors, so I cannot compare. The orientation I got on Qualys was perfect from the beginning, and I did not have the opportunity to check other solutions.

The deployment was very easy and was a smooth experience. It took within a day to deploy Qualys Patch Management.

The IT team utilizing Qualys Patch Management consists of six people, and I also include one person from the library, so I can say seven.

My thoughts on the risk-based approach for creating automations to prevent or address risks are as follows: we live at a time when risk exists, and when looking at automated patch management and administration, I am looking at issues of logging and real-time information from the vendor as well as from my organization. We do not take an approach where one instance or one product serves or covers all. We augment patch management together with the vulnerability management tool, and these work together. Whenever a new change is identified or a threat is identified, I am sure that my systems are then safe. Though sometimes people fear automation, we make sure that everything is up to date and verify what comes through.

Regarding the TruRisk automation, it helps me remediate vulnerabilities without needing to involve my security team, but systems can give false positives at times. Though I would not say I am 100% safe, the chances of risk hitting my services or platforms are low. There is still a human element to account for instances where there might be a false positive alarm that needs oversight. Personally, I believe that with automation and the quality of Qualys, which has been tested, it is the best.

Qualys Patch Management gives me a single source of truth, providing insight into my assets and the vulnerabilities that need to be prioritized and remediated. The patch management allows me to know what is coming and helps me identify and be aware of changes happening on the platforms. It answers to the call that vulnerability management gives, and since vulnerability management and cloud platforms are always online, it is easier to ensure that at whatever time there is a change, I am at least shoulder high or above what the normal person or computer user would use.

I do use the risk reduction recommendation report from Qualys, and we look at it as an advisory for my IT team. We take those reports to what we call the university ICT committee. When we look at those items, we bring them as reports and recommendations. Technology changes every day, and those reports help us know where to invest and what to add within the DMZ and servers. Should there be any changes, I am appraised. It is easier for the IT department, when going to the ICT committee, to table something that is valid and legitimate.

In terms of how much Qualys Patch Management has reduced my organization's risk, I can put it at 80% if I exclude the human element, which is the highest risk I have always seen around because of insider threats.

I have seen an improvement in my patch rates by 95%. This is because we utilize platforms that come from a pool of vendors that deploy patches instantly whenever a vulnerability is identified, although some of our legacy systems which are internally built may not get that instant patch.

I think the pricing of Qualys Patch Management is affordable for me because if it were beyond my reach, my accountant would have suggested going with open source solutions.

The solution was purchased through a partner. We belong to a consortium of entities under one company, and most of the organization utilizes it, with procurement handled centrally while I request any needed modules.

The solution requires renewals, but updates happen in sync. I just get an alert about new updates, and then it is automated to post onto the instance from the cloud.

I would recommend Qualys Patch Management 100% because it works for me, it is a necessity for IT SOC teams, and it is easy to deploy and understand. I rate this review at a nine out of ten.