We use Trend Micro ServerProtect for virtual patching. It also provides full security that is specific to the service, e.g. it is able to handle the VMs (virtual machines) way better.
What I find most valuable in Trend Micro ServerProtect is virtualization. It installs on the virtualization node instead of installing on all of the guests, and this means communication between the VMs on a specific host is also covered.
You don't need an agent for each of the VMs, e.g. you don't need to install it on each virtual node, because you can just install it on the host, and that is brilliant. Trend Micro ServerProtect protects all guests on the VMs, and it also protects against internal communication between the VMs.