Qualys Patch Management Reviews

We primarily use Qualys Patch Management for our endpoint machines. This solution automatically pushes patches to all machines, regardless of whether they are connected to the network, and allows them to update and reboot automatically.

The risk-based approach to automation in Qualys Patch Management helps us meet our strict SLA timelines by prioritizing critical vulnerabilities. Most vulnerabilities can be patched directly through Qualys, although some require additional external component upgrades. While we generally address critical vulnerabilities within the SLA timeframe, occasional delays necessitate quarantining affected systems from the network to mitigate risk. This automated process significantly reduces our overall security risk.

We had a large number of assets, making it challenging to push patches to all machines, especially those off the network. Qualys Patch Management allowed us to install agents on all endpoints, enabling automatic patching over the internet, regardless of network connection. Upon reconnecting to the Infosys network, any missed patches are applied, and the machine is automatically rebooted. This eliminates downtime for endpoints, except servers, and ensures timely vulnerability remediation, significantly reducing complaints and associated risks. We saw the benefits of Qualys Patch Management within a month.

Patch Management's integration capabilities are highly valuable, enabling precise targeting and prioritization of vulnerabilities. Automated features streamline patch deployment and ensure compliance, effectively mitigating risks and bolstering organizational security.

Qualys Patch Management serves as a single source of truth for identifying and addressing vulnerabilities in our assets. We utilize this tool extensively for various purposes, including VMDR, CSAM, and our own internal compliance efforts. Additionally, we are anticipating the release of Total AI and plan to integrate it into our workflow once available.

Before implementing Qualys, we lacked a comprehensive inventory view and relied on the support team to manage most machines. With Qualys Patch Management, we established a single source of truth for asset payment requests, providing clarity on server and endpoint counts. This allowed us to accurately assess vulnerabilities through scans and create dashboards for each device. By leveraging this data, we successfully eliminated one million unnecessary fees within six months.

Qualys Patch Management significantly improved our patch rates by 80 percent, scanning for vulnerabilities every four hours via the Qualys agent. Once identified, patches are automatically deployed and await system reboot, with an option to skip the reboot twice. This process effectively addresses most vulnerabilities identified in our call list. However, some vulnerabilities may require additional features or intervention from the project team, potentially involving coaching or further action, which can lead to delays. Despite these exceptions, Qualys Patch Management successfully deploys all required patches.

Our IT support team uses Qualys Patch Management with a configuration management database. Qualys Patch Management has significantly reduced our vulnerability count by enabling faster ticket resolution. This efficiency has allowed us to address vulnerabilities across thousands of machines, drastically reducing the number of vulnerabilities from millions to a manageable level.

Qualys Patch Management has helped reduce our organization's risk by 80 percent.

Qualys Patch Management's pricing could be more competitive, as it presents a significant obstacle for many companies who find it unaffordable.

Qualys Patch Management would benefit from enhanced integration to address its current limitations in patching new features.

I have been part of the team using Qualys Patch Management for one and a half years.

I would rate the stability of Qualys Patch Management nine out of ten.

I would rate the scalability of Qualys Patch Management nine out of ten.

The technical support received from Qualys is excellent. We have a dedicated person to resolve any issues quickly.

Positive

The initial deployment was straightforward and was completed in two to three months. 

The implementation of Qualys Patch Management has resulted in an eighty percent reduction in vulnerabilities across the organization, which suggests a significant positive ROI.

Qualys Patch Management is expensive.

I would rate Qualys Patch Management nine out of ten.

Our security team is divided into two groups. The IT support team uses Qualys Patch Management to handle automated patching and maintenance. My team addresses issues that cannot be fixed automatically. We handle vulnerabilities that have been pending for a long time, escalating them and seeking remediation. If these issues remain unresolved, we quarantine the affected vulnerabilities.

We have 300 people from my team using Qualys Patch Management.

Maintenance from our end is minimal as we get comprehensive support from the Qualys team. They provide all necessary support, enabling us to effectively manage the solution.

I would recommend Qualys Patch Management, especially considering its integration capabilities and the support it provides in managing and automating patching processes, substantially reducing vulnerabilities and risks.

We are using the Qualys Patch Management and VMDR solution at a client location.

We primarily use Qualys Patch Management for the company's infrastructure. We utilize the core Patch Management module to remediate and manage patches. We mainly use it to address zero-day vulnerabilities and swiftly deploy patches across a large number of devices.

Whenever Microsoft releases any zero-day vulnerabilities, they provide a workaround. We are able to push that workaround from the Patch Management module. We can push the registry key changes or use the PowerShell script. We push changes to almost 600 devices in ten minutes. It helps us ensure our infrastructure security.

Qualys Patch Management has significantly improved our visibility into vulnerability remediation and patch severity. The solution has enabled us to remediate a large number of vulnerabilities and reduce our attack surface effectively.

We can track live updates and present dashboards to management, which has increased their confidence in our security posture. We can see the progress while pushing the patches. We have VMDR dashboards and reports. The reports are user-friendly, and everyone can understand these reports. We could also present them to the management. They were also happy to see the progress. They had visibility.

We have not implemented much automation. We are still in the early stages of this solution and testing out the possibilities. We had an issue because of the requirement that every server should be connected to the Internet before downloading the patches, but QGS was very helpful with that. QGS helps to ensure that we are able to patch devices that are not connected to the Internet.

We are able to prioritize the vulnerabilities and remediation. We did not see any discrepancies. With some of the other tools I have used, I have seen so many discrepancies between the vulnerability and the patching.

It helped our teams to work together. We created a separate team for vulnerability remediation. We also could help the patching team and support them in automating patch management. Previously, they were doing it manually on each server.

With Qualys Patch Management, there is an increase in vulnerability remediation. We have remediated almost 100,000 vulnerabilities. That is a huge count. Previously, we used a formula to identify critical vulnerabilities, and we could remediate only a limited number of vulnerabilities. With Qualys Patch Management, we could remediate all the vulnerabilities. We did not exclude any of the vulnerabilities.

There is also an increase in the patch rate. Previously, we could only cover 30% patching, whereas with Qualys Patch Management, within one and a half months, we could achieve 70% to 80% patching. The remaining ones are not included in the initial phase because of certain dependencies. We pushed data to almost 2,000 devices. It took some time for us to do the testing. We tested on ten production devices. After that, we pushed the patches to other devices.

We can download reports and customize the report templates based on the information we need. Our management could clearly see where we are now as compared to before. They could see our progress. They could see that we have fixed all high-priority ones within a month. The remaining ones are of medium and low priority. Even if we do not remediate them, it will be fine.

The Risk Reduction Recommendation Report helped us see which vulnerabilities would reduce the most risk within our organization.

The features I find most valuable in Qualys Patch Management include the ability to manage registry changes and run scripts both pre and post-patching. We have been able to apply workarounds for zero-day vulnerabilities efficiently.

Being able to create patch groups based on QIDs is also valuable. We can identify vulnerabilities using the QID and create a patch group. After that, we can push the patches.

They need to improve the user-friendliness of identifying how many devices are affected by a particular patch. It is not intuitive, and there should be clearer indicators or buttons to access this information easily. Currently, we have to go to the Patch Management module within an asset to see the information but not many people are aware of it. It is not intuitive in terms of seeing how many patches are pending on an asset. Other than that, it has everything we need.

I have been using Qualys Patch Management for approximately one year.

We faced an issue once due to a cloud-related problem that slowed down the console and presented device status inconsistencies, but it was resolved within four hours.

We have not encountered any scalability issues. We operate across multiple locations and have not faced any lags.

We have almost 125,000 users. We are a multinational company. We have offices in about 15 states in India. We are also in two or three other countries. This is why our asset count is high.

Customer service is exceptional. The support team is experienced and responsive, providing solutions quickly without delay. I would rate them a ten out of ten.

Positive

Before Qualys, we used Microsoft SCCM, which was not effective in progress tracking and vulnerability remediation. The tool was basic, the licensing cost was high, and we were only able to address 30% to 40% of vulnerabilities.

We proposed the Qualys Patch Management module. Its cost was almost similar but we got many more features. After implementing it, we could see the progress in vulnerability remediation and patching.

Qualys Patch Management also provided us with a variety of dashboards or criteria. We could see the number of patches done, pending, and failed. Microsoft SCCM did not give us that information. We could also export reports with Qualys Patch Management. This option was not available with Microsoft SCCM. 

In terms of user-friendliness, Microsoft SCCM is more user-friendly. It has fewer features and is very easy. Even a beginner can use Microsoft SCCM, which is not the case with Qualys Patch Management. 

It is a cloud solution, so everything required is provided by Qualys. 

It does not require any maintenance from our end.

We required assistance from the Qualys team for the initial setup and configuration as we were not familiar with setting up and configuring QGS at the time.

It has saved us resources. We now have only two people for patch management.

The pricing is reasonable and competitive. We get many more features at the same price as other solutions such as Microsoft SCCM.

It is worth the money considering the services and features it has. Their support team is also awesome.

We evaluated Rapid7 as an alternative to Qualys but found it lacking in some features that Qualys offered.

I would recommend Qualys Patch Management to every organization looking for better patch management and remediation. I would recommend opting for the cloud version of Qualys Patch Management as it is easier and faster to use compared to an on-premises solution.

I would rate Qualys Patch Management a ten out of ten. It makes my job easy.

We utilize Qualys Patch Management to patch our customers' virtual machine environments. This includes performing tasks and remediation actions in conjunction with Qualys Vulnerability Management, Detection, and Response.

We implemented Qualys Patch Management for the zero-touch patches.

Qualys Patch Management's risk-based approach simplifies the automation of risk mitigation.

The automatic inclusion of relevant patches in Qualys Patch Management based on Qualys VMDR findings streamlines remediation. This integration simplifies patching tasks by providing a direct solution from VMDR to Patch Management, making it easier to address vulnerabilities.

Qualys Patch Management is user-friendly. We used to have a different tool that did not provide good solutions or responses, so we tested Qualys Patch Management internally and with a few customers. As a result, the time to push patches, get updates, or push zero-day patches has significantly decreased compared to the previous tool. We realized the benefits of Qualys Patch Management within the first quarter.

Qualys' TruRisk automation improves our operational efficiency by enabling us to remediate vulnerabilities without requiring direct involvement from our security team.

Qualys Patch Management streamlines our vulnerability management process by providing a single source of truth to assess, prioritize, and remediate vulnerabilities across all assets. This consolidated approach has significantly reduced our workload, enabling us to meet all compliance standards and accelerate remediation from weeks to days.

We have significantly improved our patch rates using Qualys Patch Management, though the exact improvement varies depending on the vulnerabilities. For critical issues, typically those with a CVSS score of four or five or higher, we contact the customer and, upon their approval, immediately patch the relevant item. This includes application software, configurations, Microsoft Patch Tuesday updates, and zero-day vulnerabilities.

We augmented our vulnerability solution with Qualys Patch Management to address patching deficiencies within our customer base. Many clients operate in silos with disparate IT teams, hindering comprehensive patching efforts. Our adoption of Qualys Patch Management enables us to centrally manage and execute patching through its VMDR capabilities, resulting in higher success rates compared to decentralized client-managed patching.

We have seen a significant reduction in our customer's risk, around 70 to 80 percent.

Qualys Patch Management excels with its automated patch scheduling and retrieval. The system efficiently executes jobs, provides clear messaging, and simplifies the management of installations and residual file removal.

Qualys's current response time for releasing solutions to zero-day vulnerabilities, which takes approximately 12 to 16 hours, needs improvement. The goal is to reduce this timeframe to under 12 hours. Additionally, their platform requires enhanced support for multi-tenancy.

I have been using Patch Management for the last two years.

I would rate the stability of Qualys Patch Management nine out of ten.

Qualys Patch Management's scalability is eight out of ten because it does not provide good support for multi-tenancy.

Qualys' technical support is good.

Positive

We previously used patching solutions like Kaseya VSA, but now prefer Qualys Patch Management due to its integration with VMDR. This single-solution approach reduces remediation time significantly.

The initial deployment is straightforward. It involves installing agents and scanner appliances, which automatically manage everything. The deployment can be completed within a few days.

The pricing is reasonable and less expensive than the previous tool.

I would rate Qualys Patch Management eight out of ten.

Our customers who use Qualys Patch Management are small and medium-sized businesses.

Qualys Patch Management does not require any maintenance.

I would recommend Qualys Patch Management to other users because of its advantages over other tools. This tool is good compared to others.

In the previous company, the customer was using Qualys Patch Management tool, and they were using more than one lakh assets in that organization. The Qualys Patch Management tool helped significantly in that case.

The risk-based approach Qualys Patch Management uses is very good for easily getting the details. That is one of the factors in the prioritization of the vulnerability. We can see if a patch is or is not available. The details are easily obtained through risk analysis. If everything is available, we still need to know which one to prioritize, and this approach helps us significantly with priorities.

We saw an improvement in our patch rates from using Qualys Patch Management, especially with respect to automated patches. 

We got the consolidated data, and using automated Patch Management for a few assets saved a lot of time because we don't have to do it manually or raise tickets for everything. 

By trusting Qualys Patch Management, we remediated many vulnerabilities, especially with Windows.

The consolidated report we received from the solution was very time-saving because, in the dashboard, we could get all the patch details for a particular patch and all the assets listed. That was very easy. Instead of going through Excel sheets, we could easily pull up the data and produce it based on the operating system, distribution, and other things. 

False positives were the biggest concern. 

We also had some concerns with respect to the Cloud Agent. VMDR is something that whoever uses Qualys Patch Management will always use. We used both, but sometimes we got different details in Patch Management and VMDR. The data differs, especially with Cloud Agent-installed assets. We have had to contact their technical support many times, especially for Cloud Agent troubleshooting. We raised many feature requests with Qualys for Cloud Agent and faced many issues with it. Cloud Agent always gave us trouble, not just with Qualys, but with other tools too. However, compared with others, Qualys did have more issues with Cloud Agent.

I used Qualys Patch Management for one year.

The platform maintenance is according to what we have seen. A few times Qualys was not reachable for very few minutes, but stability-wise, it is a very good product.

Scalability-wise, Qualys Patch Management is a very good product. I never faced any issues with any of that.

I would rate them a ten out of ten for support because they are very approachable. Whenever we raise a request and mention the priority of the ticket, they respond immediately via email or call.

Positive

We were using another tool before Qualys Patch Management, though I don't remember which one. When we did the PoC, compared to Qualys, the other tool was giving less data, and that is why we moved to Qualys Patch Management.

My overall rating for Qualys Patch Management is a ten out of ten.

I initially used Qualys' Vulnerability Management module and later incorporated their Patch Management module for remediation. This allowed us to deploy patches, schedule deployments for various machines, and automate the process on a weekly or monthly basis. Critical assets receive daily deployments with real-time detection and prioritization for enhanced security.

We can prioritize vulnerabilities using Qualys' risk-based approach. The platform offers a prioritization tab that allows us to tailor the process to the company's requirements. Whether the focus is on risk, asset criticality, or exploitability, we can leverage the prioritization tag in Qualys to manage and address vulnerabilities effectively.

It's important that Qualys Patch Management and VMDR integration encompasses all necessary patches and configuration changes to address vulnerabilities identified by VMDR. This integration ensures real-time detection and remediation of vulnerabilities.

The TruRisk Insights allows us to prioritize and remediate threats without involving our security team.

Qualys Patch Management provides a single source of information to access asset and vulnerability data. Granting the IT team access to the Patch Management module lets them retrieve information through alerts. Through this module, the team receives email alerts about patch failures, enabling them to redeploy patches and investigate the cause of failure, such as machines rebooting at the scheduled time.

Qualys Patch Management helps prioritize vulnerabilities based on risk and asset criticality, facilitating the patching process. 

The integration with ServiceNow helps close tickets faster by automating tasks and alerting the IT team when a patch has failed.

Patch management provides more clarity from the dashboard and console, which is very helpful for our team to prioritize and take prior action.

Downloading extensive vulnerability reports, especially those with millions of entries, is time-consuming. To improve efficiency, Qualys should implement faster download speeds and offer reports in Excel format in addition to the current CSV option.

I have been using Qualys Patch Management for more than two years.

The customer support team is quite responsive and always ready to assist. When I submit a request, they promptly contact me and, if necessary, schedule a call to efficiently address my questions, even during my early days with the product.

Positive

Previously, we used BigFix and SSCM modules for patch application but have since transitioned to Qualys Patch Management for a more streamlined approach. Qualys Patch Management provides a single console for patch management and VMDR, simplifying operations and automating reporting.

I would rate Qualys Patch Management nine out of ten because there is room for improvement in tool features to enhance competitive market standings.

My organization uses Qualys Patch Management internally, including its core patching functionality and Vulnerability Management, Detection, and Response. As a consultant, I help several Qualys user clients with best practices and similar tasks, addressing use cases ranging from vulnerability reduction and patch management to asset management.

Qualys is a cloud-based platform. While they offer a private cloud option at a higher cost, their core functionality resides in the cloud. The lightweight agents we install on our systems simply collect data and upload it to the cloud-based Qualys interface. The only exceptions are passive sensors like network sniffers and on-premise scanners, which are optional deployments for specific needs. This cloud-centric approach eliminates the need for us to manage on-premise servers, unlike some competing products like baramundi.

Qualys query language simplifies patch selection by allowing us to define risk-based criteria. We can target patches based on severity medium to critical and Qualys rating while excluding specific unwanted patches like "Patch xyz". As long as a patch meets our pre-approved criteria, it's automatically selected, making the approval process quick and efficient.

The Patch Management integration with VMDR including all development patches and configuration changes required to remediate vulnerabilities detected by the VMDR is significantly important.

While Qualys offered benefits initially, the deployment of the cloud agent truly transformed our security posture. Previously, regular scans provided only point-in-time vulnerability identification. Now, with continuous updates from the cloud agent every four hours, we have near real-time visibility into our risk levels, allowing us to prioritize and swiftly address vulnerabilities to minimize overall security exposure.

TruRisk automation streamlines vulnerability remediation by prioritizing threats based on real-world exploitability, not just a generic CVSS score. This allows us to focus on the most critical issues first, avoiding the time-wasting whack-a-mole approach of patching everything at once. While all vulnerabilities eventually need to be addressed, TruRisk helps us prioritize effectively and work through them in a methodical way.

Qualys' prioritization feature streamlines vulnerability management by offering a central hub to find, rank, and address critical security issues. This unified approach significantly improves collaboration between security and IT teams. Previously, prioritizing vulnerabilities was often a matter of simply patching critical ones. Patching policies also play a role, with most companies aiming for a 30-day window or less for critical patches. While the industry average turnaround is 17 days, faster patching remains crucial. Qualys' TruRisk scoring system helps identify outliers – vulnerabilities that might slip through the cracks in a well-managed environment. Traditional patching methods, like Microsoft's WSUS, may miss these outliers, but Qualys excels at finding them, providing better communication and faster remediation.

This single source has helped reduce soft costs where employees were wasting time spinning their wheels searching for answers. This newfound focus allows them to dedicate their energy to more important tasks.

Prior to implementing patch management, a random sampling of systems would often reveal outdated patches, some exceeding 60 days old. However, with patch management in place, finding such aged patches is now a rarity.

We integrated Patch Management on top of Qualys VMDR. This gave us a lot more visibility and accuracy.

Patch Management has helped to reduce our organizational risk.

The most valuable feature in Patch Management is the Qualys query language for set-it-and-forget-it patching for our preapproved patches, and our preapproved schedules, That is extremely helpful compared to the old days of patching.

A common area for improvement in Patch Management, both within our environment and others I've encountered, is the lack of built-in driver updates. Ideally, the system would handle updates for network interface cards, video cards, and other components, eliminating the need to rely on manufacturer-specific tools like Dell Update or HP Update. Integrating these patching options would significantly improve the overall functionality.

Qualys Patch Management primarily updates operating systems, third-party software including Adobe products and many more, leaving video card drivers and firmware updates to other tools. This focus on core software is understandable, as driver and firmware updates can be more complex.

The price has room for improvement.

I have been using Qualys solutions for over 20 years.

Qualys Patch Management is very stable. They clearly communicate any scheduled maintenance in advance, and these updates typically require no downtime. In rare cases of major maintenance, they might announce limited portal access during specific hours. Like any software, occasional minor glitches can occur, but we can easily check for known issues at status.qualys.com before troubleshooting on our own. Overall, Qualys Patch Management is a reliable solution.

Qualys Patch Management is highly scalable. 

Qualys technical support has been excellent recently. While there have been occasional periods of lower satisfaction in the past, similar to any organization, they seem to be prioritizing customer happiness. This is evident by their recent staffing improvements, which have led to my last few support requests being resolved quickly and efficiently.

With extensive system use, I've occasionally received initial responses from what seems like level-one support. I then need to clarify and request further troubleshooting before they escalate the issue.

Positive

Qualys Patch Management deployment is straightforward as long as we have the right team, whether it's a consulting firm or our own IT staff familiar with whitelisting. This is because whitelisting the Qualys Cloud Agent on systems protected by endpoint security tools like Carbon Black or CrowdStrike is crucial to prevent them from blocking the agent. Fortunately, the whitelisting requirements are well-documented, making implementation smooth for a prepared team.

A single person can handle the deployment if they have permission to distribute the cloud agent, install on-premise scanners, and build the virtual machine for the scanner. In fact, several of my colleagues successfully manage deployments for large organizations on their own.

Qualys Patch Management's pricing is competitive. While some perceive it as expensive, competitor tools are similar. While a free option like Microsoft WSUS exists, it lacks features. While I'd prefer Qualys VMDR to include Cyber Security Asset Management for a more attractive overall package, Patch Management itself remains competitively priced. Scaling brings lower per-asset costs, and Qualys recently introduced better pricing bundles for smaller environments.

To verify Qualys Patch Management's effectiveness, I've occasionally used free tools like Patch My PC to scan for missed patches. These scans consistently come up clean, giving me confidence that Qualys Patch Management is doing a good job.

While both Qualys Patch Management and baramundi Update Management are powerful tools, Qualys offers a clear advantage in ease of use. For organizations with large IT teams that can handle a more hands-on approach, baramundi can be effective, but it requires more ongoing management compared to Qualys' set-and-forget approach. Notably, baramundi goes beyond patching with software distribution capabilities, but this additional functionality comes at the cost of increased complexity. Ultimately, for those seeking a simpler solution, Qualys is the better choice.

I would rate Qualys Patch Management ten out of ten.

While the initial setup involves deploying cloud agents, Qualys Patch Management is low maintenance. Updates for both agents, signatures, and related components are automatic. Qualys handles maintenance in the cloud, and new systems are easily enrolled with agents through software distribution or policy enforcement.

New Qualys Patch Management users should consult the documentation and training resources before deploying. While a trusted partner can assist with implementation, understanding the process is crucial. Qualys offers free training to cover essential steps like agent deployment, configuration, and security considerations to ensure successful patching. Don't skip these steps, as seemingly minor setup issues can hinder functionality. This applies not just to Qualys, but to any endpoint security solution.

Mostly, I've used it because I'm working in the Vulnerability Management Team. I've done the POC for Patch Management and then handed over the product to the Patch Management Team, which handles the patching. I tested the module by Qualys, exploring the functionality of the Patch Management module, such as available patches. All these tasks were completed by me before procuring the product, and then access was provided to another team that uses it for patching. As part of the Vulnerability Management Team, my work involves overseeing the entire Qualys product, including VMDR, FedRAMP, cloud agents, and other functionalities.

The first thing I would say is the ease of use. It's so user-friendly that even a newcomer in IT can use it directly. It helps reduce our attack surface by patching all software vulnerabilities and deploying patches directly from the console. The connection and integration between different tools are excellent, allowing continuous monitoring of the types of patches released, which can be quickly deployed onto the systems. The dashboards help identify what type of patch I want to deploy and which patches are missing.

There is room for improvement in the inclusion of more patches. That's the only improvement I would suggest. Not all patches are available on Qualys, so they need to get licenses for other patches as well. That would be more helpful.

I have used the solution for 3 years.

It's quite stable. I would say it’s a nine.

Scalability, it's dependable.

Technical support, I would say it’s about seven and a half.

We used BigFix before.

For Patch Management, the testing part took about one to two weeks. Procurement took one week because it was pending with the procurement team. Overall, I guess it took about a month.

We have saved time and resources by detecting vulnerabilities, which helps us patch many assets. I can't quantify it exactly, but it's significant as it prevents vulnerabilities from being exploited. If those vulnerabilities were open and we did not have Qualys or similar solutions, we would have been at risk of attacks. I cannot give a specific number, but having a Vulnerability Management tool has a significant impact.

These two tools are completely different. BigFix is a full-fledged patching tool where you can directly apply patches but cannot view vulnerability data. On Qualys, you can see vulnerabilities and deploy patches directly. It offers a different perspective by allowing you to view a vulnerability and deploy a remedying patch. Qualys acts like both a vulnerability management tool and a patching tool, which is quite beneficial. Tools like Nessus, Rapid7 handle vulnerability management, while BigFix, SCCM handle patching.

I would recommend it because of its ease of use and integration as both a Vulnerability Management and Patch Management tool. I rate it nine out of ten.

We use almost every module that Qualys has, except the EDR, which is endpoint protection. They came up with that module last year. We use their patch management, vulnerability scanners, cloud agents, and network passive scanners. We are using everything that is available.

They have a very good approach called TruRisk. If an exploit is publicly available or something is public-facing, they have an in-depth categorization process, so I do not have to think about what to patch first. Qualys take care of that. They assess them based on many factors. They have a team that works on that and goes through every aspect of the vulnerability in terms of how easily it can be exploited, and then they put a priority on it.

TruRisk automation has not helped us remediate vulnerabilities without needing to involve our security team. That is because we have been having some issues with the Windows Store app. We blocked it now but did not block it before, so it got installed on some of the machines. Because of that, we have to deal with it manually because Patch Management cannot do that. They will look for attributes, and they still exist. We cannot delete or update them because the Windows Store app is blocked, so we have to deal with those things manually.

They have a dashboard, which is very useful. I heavily rely on the dashboard. I create additional widgets if I have to, but the dashboards they have in their library are sufficient and very easy to use. I already know their language and I can build queries if necessary. 

Having this single source of truth affects the way our security and IT teams work together. Instead of me telling or sending screenshots, I can send them a link. When I send the link, others can see the exact same screen and easily drill down on endpoints.

This single source of truth helps reduce costs. It saves time, and time is always equal to money.

Patch Management has improved our patch rates. Previously, our approximate patching duration to close a vulnerability or remediate a vulnerability was almost 30 to 40 days. Right now, it does not exceed 11 days. Qualys has its own priority levels. They have priority 4, priority 3, priority 2, and priority 1 levels. Priority 4 ones are the most dangerous ones. They are patched right away. For other priorities, it was 30 to 40 days and then it was 21 days. The last one was about 14 days and now it is 11. It is a very good progress from what it was before.

I do not use their Risk Reduction Recommendation Report, but I usually go for the dashboard. The dashboard usually tells everything such as the end-of-life hardware, software, or other things. When I drill down, I can generate a report and present it to my IT colleagues and tell them that we need to get rid of this equipment or this software. We need to do something with it. This is an on-demand report, so I can put it on my schedule, and when I need it, I can generate it.

Patch Management has definitely helped to reduce our organization's risk. It is hard to provide metrics because, with the security field, you cannot be very precise about how secure you are. However, I can sleep at night and not stress about if some computer is being patched. I do not worry about situations where when you have a lot of systems, some of them you cannot patch because they have old applications. If you patch them, it will break something. I do not have that stress because I can rely on Qualys to do its job. In my previous job, I have had systems that I could not patch. I had to request a window to do the patchwork. With Qualys, I do not have to do that. There is a work/life balance. I got back my Saturdays and Sundays. In my previous job, I came to the job on Saturday and Sunday when people were not there and patched the systems. With Qualys, it is definitely not the case. We do not have to do that.

Patch Management, if configured correctly, works effectively without requiring further action. There are some applications that Patch Management cannot update, but they have a Custom Assessment and Remediation module to update third-party software. That module completes patch management, and you can now update everything.

The vulnerability scanner is solid and thorough. Vulnerability scans go through everything such as the endpoints, servers, and hardware.

They are constantly working on making it better. There is no 100% reliable or working application or software. There are caveats with the network passive sensor when it does not merge or something does not feel right, but whenever I have to report on those things, someone from their support team jumps on and tries to help us, which is why I like it. They should keep it up. 

They can maybe do check-ins with the customers once a month. All the vendors are doing it nowadays. Qualys can do regular check-ins to go over not only all the vulnerabilities but also the overall process to see if there is anything where we might need improvement. They know about the latest trends, and they have meetings about them. They can relay to us some newer information that we do not know, but they saw in our environment. That would be a nice thing.

I have probably been using it for three years, give or take.

I have interacted with them many times. Their support is good and reactive. When we needed support, it took a day or two. We can always reach out to our technical account manager. He is able to get on board with the engineers to help resolve issues, which I appreciate. If we need to fix something urgently, he can always help us.

Positive

We also use Microsoft through the GPL, and we have KACE, which checks for missing patches and applied patches, but mostly, we use Qualys. Qualys would be our single pane of glass where we see all those.

I joined after the initial deployment was completed, but I deployed a couple of scanners, like vulnerability scanners on the VMs, and that process was easy. It was self-explanatory and straightforward. You just spin one up, put the IP address, and it works.

It does not require any maintenance. It is a cloud agent. As long as the cloud agent is installed on the endpoint, we are collecting all the information and the system is being patched. That is a good part.

It took us some time to realize its benefits. I went to a Qualys conference, and that was when I started to realize its benefits. Till then, I thought Rapid7 was a good one or Manage Engine was a good one. I thought those products were good, and they also patch third parties whereas Qualys did not patch third parties. After going to Qualys, they explained there is a way to do that. It was a longer way, which I did not do. We decided to go with an MSP that specializes in installation and fine-tuning the Qualys product. When they did everything, I did not have to touch any configuration with Qualys Patch Management. Everything was going through. With the way we did things previously, it was going through, but it was a longer approach. It was taking a little longer and was more manual. We did not properly utilize tagging. We did not properly utilize the patching process scheduling. The MSP guys did tagging. They did automation of the patch management according to the risks. That was very important. Previously, we had six or seven jobs and sometimes, we manually patched individual machines. After the MSP guys did the fine-tuning, we had only two scheduled jobs, and that was it. The first job does 10 to 15 testing computers, and then the next one does the old machines.

I would rate Qualys Patch Management a nine out of ten.