No more typing reviews! Try our Samantha, our new voice AI agent.
Prasadbabu Talluri - PeerSpot reviewer
Systems Mgmt Consultant at a healthcare company with 10,001+ employees
Real User
Top 5
Dec 16, 2024
Enhance svulnerability remediation with efficient patch management and process automation
Pros and Cons
  • "Qualys Patch Management is an effective tool for vulnerability remediation."
  • "Our patch rate was 85 percent before implementing Qualys Patch Management, and now it is 98 percent."
  • "The availability of Qualys Patch Management needs to be improved."

What is our primary use case?

We use Qualys Patch Management for server deployment and workstation deployment. It is also used for vulnerability management, managing open ports, and remediating vulnerabilities.

How has it helped my organization?

The risk-based management involves process automation, identifying vulnerabilities through scheduled reports, and ongoing patch deployments.

Qualys Patch Management utilizes advanced algorithms within its management policies to effectively address vulnerabilities. It accurately identifies threats and provides the necessary solutions to remediate bugs in end-user systems.

TruRisk automation streamlines our vulnerability remediation process by automatically identifying and deploying necessary patches, eliminating the need for constant security team involvement. Previously, the security team would provide monthly scan profiles and assign them to us. We would then scan endpoints, identify vulnerabilities or partially/fully installed patches, and use Qualys reports to address any patching failures. TruRisk automates this entire workflow, increasing efficiency and reducing our reliance on manual intervention from the security team.

Qualys Patch Management offers a single source of truth to identify, prioritize, and address vulnerabilities across all assets. This ongoing monthly process consistently identifies vulnerabilities in our network, devices, and systems. Using a standardized remediation template, we scan for vulnerabilities and implement necessary fixes to ensure ongoing security.

It reduces costs through automated deployments, eliminating the need for manual monitoring and machine checks. By creating a job to identify machines with low disk space or those not requiring patches, we generate a report and exclude unnecessary machines from the patching schedule. This automation removes machines that don't need patches, ensuring only those requiring updates are involved, and reduces manual effort by approximately 50 percent through automated scheduling and issue identification.

I have been managing patches for the past two years. Previously, the tools available lacked automation and couldn't handle all tasks, including scheduling. Now, with Qualys Patch Management, we can schedule jobs, automatically identify and fix bugs, and significantly reduce the time spent on patching. For instance, tasks that once took ten hours can now be completed in three.

Our patch rate was 85 percent before implementing Qualys Patch Management, and now it is 98 percent.

We utilize Qualys Patch Management's ITSM tools for ticket management, which has proven highly beneficial for our operations. We are integrating Qualys Patch Management with ServiceNow and BMC Remedy. This integration automatically identifies and closes approximately 50 to 60 percent of tickets.

Adding Qualys Patch Management to our existing vulnerability management tools has provided us with an on-demand capability to patch our internal devices as needed.

Qualys Patch Management helped reduce our organization's risk by patching 98 percent of vulnerabilities.

What is most valuable?

Qualys Patch Management is an effective tool for vulnerability remediation. It identifies vulnerabilities, creates profiles, and recognizes vulnerabilities on the endpoint, all within a user-friendly environment.

What needs improvement?

The availability of Qualys Patch Management needs to be improved.

Buyer's Guide
Qualys Patch Management
June 2026
Learn what your peers think about Qualys Patch Management. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,680 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Qualys Patch Management for almost five years.

What do I think about the stability of the solution?

There are times when Qualys Patch Management is unavailable.

What do I think about the scalability of the solution?

I would rate the scalability of Qualys Patch Management a nine out of ten.

How are customer service and support?

Technical support is good, providing seamless efforts in their support.

Which solution did I use previously and why did I switch?

We use multiple tools. On-demand, we use Qualys alongside other solutions like Tanium, Rapid7, and SCCM to manage machines both inside and outside the organization.

How was the initial setup?

The initial deployment is straightforward. It does not take much time to deploy. Everything is completed within the four-hour schedule.

What's my experience with pricing, setup cost, and licensing?

Compared to other tools, the price of Qualys Patch Management is reasonable.

What other advice do I have?

I would rate Qualys Patch Management a nine out of ten.

Qualys Patch Management is deployed in multiple departments and locations. We have five members that administor the solution.

No maintenance is required from our end.

I recommend Qualys Patch Management because it is effective in past deployment and vulnerability management. It identifies necessary patches instead of scanning the entire machine.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Ramachandran Sugumar - PeerSpot reviewer
Senior Information Security Engineer at a consultancy with 10,001+ employees
MSP
Top 5
Dec 4, 2024
Allowed us to install agents on all endpoints, enabling automatic patching over the internet
Pros and Cons
  • "Automated features streamline patch deployment and ensure compliance, effectively mitigating risks and bolstering organizational security."
  • "Qualys Patch Management significantly improved our patch rates by 80 percent, scanning for vulnerabilities every four hours via the Qualys agent."
  • "Qualys Patch Management would benefit from enhanced integration to address its current limitations in patching new features."
  • "Qualys Patch Management's pricing could be more competitive, as it presents a significant obstacle for many companies who find it unaffordable."

What is our primary use case?

We primarily use Qualys Patch Management for our endpoint machines. This solution automatically pushes patches to all machines, regardless of whether they are connected to the network, and allows them to update and reboot automatically.

How has it helped my organization?

The risk-based approach to automation in Qualys Patch Management helps us meet our strict SLA timelines by prioritizing critical vulnerabilities. Most vulnerabilities can be patched directly through Qualys, although some require additional external component upgrades. While we generally address critical vulnerabilities within the SLA timeframe, occasional delays necessitate quarantining affected systems from the network to mitigate risk. This automated process significantly reduces our overall security risk.

We had a large number of assets, making it challenging to push patches to all machines, especially those off the network. Qualys Patch Management allowed us to install agents on all endpoints, enabling automatic patching over the internet, regardless of network connection. Upon reconnecting to the Infosys network, any missed patches are applied, and the machine is automatically rebooted. This eliminates downtime for endpoints, except servers, and ensures timely vulnerability remediation, significantly reducing complaints and associated risks. We saw the benefits of Qualys Patch Management within a month.

What is most valuable?

Patch Management's integration capabilities are highly valuable, enabling precise targeting and prioritization of vulnerabilities. Automated features streamline patch deployment and ensure compliance, effectively mitigating risks and bolstering organizational security.

Qualys Patch Management serves as a single source of truth for identifying and addressing vulnerabilities in our assets. We utilize this tool extensively for various purposes, including VMDR, CSAM, and our own internal compliance efforts. Additionally, we are anticipating the release of Total AI and plan to integrate it into our workflow once available.

Before implementing Qualys, we lacked a comprehensive inventory view and relied on the support team to manage most machines. With Qualys Patch Management, we established a single source of truth for asset payment requests, providing clarity on server and endpoint counts. This allowed us to accurately assess vulnerabilities through scans and create dashboards for each device. By leveraging this data, we successfully eliminated one million unnecessary fees within six months.

Qualys Patch Management significantly improved our patch rates by 80 percent, scanning for vulnerabilities every four hours via the Qualys agent. Once identified, patches are automatically deployed and await system reboot, with an option to skip the reboot twice. This process effectively addresses most vulnerabilities identified in our call list. However, some vulnerabilities may require additional features or intervention from the project team, potentially involving coaching or further action, which can lead to delays. Despite these exceptions, Qualys Patch Management successfully deploys all required patches.

Our IT support team uses Qualys Patch Management with a configuration management database. Qualys Patch Management has significantly reduced our vulnerability count by enabling faster ticket resolution. This efficiency has allowed us to address vulnerabilities across thousands of machines, drastically reducing the number of vulnerabilities from millions to a manageable level.

Qualys Patch Management has helped reduce our organization's risk by 80 percent.

What needs improvement?

Qualys Patch Management's pricing could be more competitive, as it presents a significant obstacle for many companies who find it unaffordable.

Qualys Patch Management would benefit from enhanced integration to address its current limitations in patching new features.

For how long have I used the solution?

I have been part of the team using Qualys Patch Management for one and a half years.

What do I think about the stability of the solution?

I would rate the stability of Qualys Patch Management nine out of ten.

What do I think about the scalability of the solution?

I would rate the scalability of Qualys Patch Management nine out of ten.

How are customer service and support?

The technical support received from Qualys is excellent. We have a dedicated person to resolve any issues quickly.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment was straightforward and was completed in two to three months. 

What about the implementation team?


What was our ROI?

The implementation of Qualys Patch Management has resulted in an eighty percent reduction in vulnerabilities across the organization, which suggests a significant positive ROI.

What's my experience with pricing, setup cost, and licensing?

Qualys Patch Management is expensive.

What other advice do I have?

I would rate Qualys Patch Management nine out of ten.

Our security team is divided into two groups. The IT support team uses Qualys Patch Management to handle automated patching and maintenance. My team addresses issues that cannot be fixed automatically. We handle vulnerabilities that have been pending for a long time, escalating them and seeking remediation. If these issues remain unresolved, we quarantine the affected vulnerabilities.

We have 300 people from my team using Qualys Patch Management.

Maintenance from our end is minimal as we get comprehensive support from the Qualys team. They provide all necessary support, enabling us to effectively manage the solution.

I would recommend Qualys Patch Management, especially considering its integration capabilities and the support it provides in managing and automating patching processes, substantially reducing vulnerabilities and risks.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Qualys Patch Management
June 2026
Learn what your peers think about Qualys Patch Management. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,680 professionals have used our research since 2012.
reviewer2589096 - PeerSpot reviewer
Senior Information Security Engineer at a consultancy with 10,001+ employees
MSP
Top 10
Nov 7, 2024
Seamlessly integrated vulnerability detection with automated script-based patching
Pros and Cons
  • "Qualys Patch Management has significantly reduced our organizational risks."
  • "Qualys could improve its randomized download feature and provide more detailed information about patch failures, including the reason for failure."

What is our primary use case?

We use Qualys Patch Management to remediate vulnerabilities. Qualys synchronizes with both the Vulnerability Management, Detection, and Response module and the Patch Management module. This provides a unified view of which vulnerabilities can be patched through Qualys and allows patching to be initiated directly from the VMDR module.

Most Windows security patches are released on Patch Tuesdays and become available to us through Qualys the following day. Once available, we can initiate patching to reduce vulnerabilities within our infrastructure. This process primarily addresses critical security updates from Microsoft and other third-party applications, allowing us to mitigate vulnerabilities using Qualys proactively.

How has it helped my organization?

Qualys Patch Management effectively mitigates risks through its risk-based automation, enabling rapid vulnerability remediation.

The integration of Qualys Patch Management with Qualys VMDR allows us to use the same device identification ID for both patch management and vulnerability identification. This enables us to easily determine which vulnerability a patch addresses, access CVE information, and validate patches based on product or product family. For instance, if we have Google applications with vulnerabilities, we can efficiently identify and patch them without searching for specific versions or missions. By selecting assets in Patch Management, we can automatically patch QID-based or family-based vulnerabilities identified by VMDR. This integration streamlines the patching process and provides clear visibility into the vulnerability status of our assets.

Our previous patch management products had communication issues with their agents. Qualys Patch Management utilizes the same agent as their vulnerability management system, streamlining the process. Security agents are more reliable than standard IT solutions, and because our IT team prioritizes agent uptime, patching is more accessible, and risk is reduced within our infrastructure. Qualys Patch Management offers immediate benefits. If a patch requires a reboot, Qualys allows users to initiate one within a specified timeframe automatically. Upon rebooting, the machine reports to the Qualys console and is automatically scanned. If the patch is successfully installed, the console reflects the update within 20 to 30 minutes. This streamlined process ensures efficient patch management and reduces vulnerabilities.

Qualys Patch Management's TruRisk automation allows us to prioritize patching vulnerabilities with available patches. This prioritization helps us focus on critical vulnerabilities and quickly remediate them, improving our security posture. The TruRisk score provides a clear metric to demonstrate the effectiveness of our remediation efforts to leadership, showing how quickly we address critical vulnerabilities and enhance our security.

TruRisk automation enhances data accuracy across business units. Leveraging the Vulnerability Management Tool for Remediation within TruRisk, patching can be initiated based on a risk score mechanism query, which provides the TruRisk score for a specific business unit. A subsequent query determines patch dispatchability, triggering a patch job if applicable. This process can be streamlined using Patch Query Language to efficiently retrieve data and execute accurate patching, reducing risk based on TruRisk scores.

Initially, the IT team resisted using Qualys Patch Management for vulnerability remediation due to its critical importance. However, after we demonstrated how integrating Patch Management with Vulnerability Management provides a single report and effectively reduces vulnerabilities, we convinced them to adopt it. This consolidated approach enhances efficiency and streamlines patch management throughout our organization.

Qualys Patch Management significantly improved our patching rates. Qualys provides access to exclusive security patches and boasts a comprehensive knowledge base covering a wide range of applications, including third-party software like Google Chrome, Edge browsers, and SQL. As Qualys expands its knowledge base, our patch management rates continue to improve. Furthermore, the Qualys support team has been instrumental in helping us resolve patching issues, such as installation failures, by efficiently identifying the root cause, whether it stemmed from network problems or the Qualys platform itself. With their assistance and the robust Qualys product, we have successfully mitigated these challenges.

Qualys Patch Management has significantly reduced our organizational risks. Previously, when using other solutions, our patch percentage was low, resulting in high risk. Qualys Patch Management, integrated with VMDR, immediately improved our patch percentage. Features like patch initiation, recurring patches, scheduling, and randomized patch downloading have been crucial in mitigating risk, especially for employees working from home with network issues. The randomized download option ensures patches are successfully downloaded even with interruptions, resuming automatically when the network connection is restored. These capabilities ensure Qualys Patch Management effectively reduced our organizational risk by 88 percent.

What is most valuable?

My favorite feature of Qualys Patch Management is its flexibility in executing scripts before and after patching. This is particularly useful for third-party or enterprise applications that require registry modifications to address vulnerabilities. We leverage this functionality to deploy scripts that adjust registry values, effectively patching vulnerabilities and enhancing the security of our machines. The ability to automate these tasks through Qualys Patch Management streamlines our workflow and improves our overall security posture.

What needs improvement?

Qualys could improve its randomized download feature and provide more detailed information about patch failures, including the reason for failure. This could include specifying whether the failure is related to a file download error, network interruption, application crash, or installer error based on the operating system. These enhancements would offer more insights into the patch management process and improve overall functionality.

For how long have I used the solution?

I have been using Qualys Patch Management for the last two years.

What do I think about the stability of the solution?

The stability of Qualys Patch Management is a nine out of ten. While it's generally stable, there have been occasional issues, particularly when new patches for Linux have been introduced.

What do I think about the scalability of the solution?

Qualys Patch Management's scalability is a ten out of ten. It scales efficiently across different machines globally, ensuring patches are deployed smoothly.

How are customer service and support?

Qualys' technical support has been excellent. Their team has effectively resolved various issues, including some that originated within our network.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup was straightforward, leveraging the existing vulnerability management tool, which facilitated easy integration of Patch Management.

Deploying software to a single machine takes approximately one minute. However, in an organization with 1,000 machines, a traditional push deployment method could take up to four days to complete.

What other advice do I have?

I would rate Qualys Patch Management ten out of ten. Qualys Patch Management has significantly benefited our security and remediation efforts.

Qualys Patch Management is deployed across multiple locations and time zones in various countries. While most of the IT team has access to view Qualys Patch Management, only a few individuals can initiate patching. Those with view access can assess the patching capabilities and compliance of specific machines, while a limited number of authorized personnel can deploy the patches.

Qualys Patch Management requires minimal maintenance, primarily involving updating the agent software on managed devices.

I would recommend Qualys Patch Management to those using a vulnerability management solution as it helps significantly in reducing risks. It provides various options such as using third-party repositories for patches, which are beneficial for comprehensive patch management.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Sr Cyber Security Manager at BARC India
Real User
Top 20
Nov 10, 2024
Effortless patch scheduling and prioritization enhance our security posture
Pros and Cons
  • "Qualys Patch Management offers valuable features like scheduling and on-demand patching, allowing us to conveniently push patches to our servers at designated times."
  • "The GUI has areas that need improvement, particularly in the accuracy of results when adding dashboards and running queries."

What is our primary use case?

We use Qualys Patch Management to mitigate and remediate all critical vulnerabilities present within our infrastructure.

We implemented Patch Management to address critical vulnerabilities in our infrastructure. This proactive measure mitigates the risk of compromise that could arise from unpatched vulnerabilities.

How has it helped my organization?

Patch Management has tremendously increased our security posture. Previously, we used to manage patching manually and remotely, which did not provide accurate data. With Qualys, all the details are readily available on the dashboard, aiding us in submitting details to management. It has significantly helped in providing management with up-to-date data, leading to improved satisfaction. We saw the benefits of implementing Qualys Patch Management within the first quarter.

Qualys Patch Management gives us a single source of truth for assets and vulnerabilities that must be assessed, prioritized, and remediated. This has drastically affected our operations because the features present on Qualys are amazing, and it's user-friendly compared to other tools.

We've observed an improvement in our patch rates by up to 50 percent. Utilizing the Patch Management tool allows us to download comprehensive compliance reports detailing the number of patches applied to each server, which is significantly beneficial.

Qualys Patch Management's risk reduction recommendation report offers comprehensive and customizable details, including in-depth vulnerability information with plugin output not found in other tools. This makes Qualys a superior solution for managing and understanding security risks. Qualys Patch Management's risk reduction recommendation report provides a helpful scoring system, the QDS, which can be mapped to our asset classification system, allowing us to prioritize and address vulnerabilities according to their risk level.

The risk reduction recommendation report has identified vulnerabilities that, if addressed, would yield the most significant risk reduction. Prioritizing these vulnerabilities based on their severity allows us to focus on the most critical risks to our organization and take appropriate remediation action.

We have created widgets with the assistance of the Qualys support team to add them to our existing vulnerability management solution, which has been instrumental in helping us track vulnerabilities related to our infrastructure.

Qualys Patch Management has significantly reduced our organizational risk by up to 70 percent by identifying vulnerabilities in our infrastructure and prioritizing remediation efforts. This has allowed us to reduce vulnerabilities and strengthen our overall security posture effectively.

What is most valuable?

Qualys Patch Management offers valuable features like scheduling and on-demand patching, allowing us to conveniently push patches to our servers at designated times.

What needs improvement?

The GUI has areas that need improvement, particularly in the accuracy of results when adding dashboards and running queries.

For how long have I used the solution?

I have been using Qualys Patch Management for the last two years.

What do I think about the stability of the solution?

The stability of Qualys Patch Management is impeccable. I would rate it ten out of ten.

What do I think about the scalability of the solution?

Qualys consistently upgrades itself with major changes and new technologies. They introduce new modules as needed, making Patch Management highly scalable.

How are customer service and support?

Qualys support is exceptional. Whenever we need custom reports, we log a ticket with Qualys.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We transitioned from Nessus Security Center to Qualys due to challenges with Nessus's automatic patch deployments, which resulted in unplanned downtime on critical systems. A proof of concept and vendor support confirmed Qualys as a more suitable solution for our needs.

How was the initial setup?

The initial setup was straightforward. Before deciding to implement it, we conducted a month-long POC to ensure all requirements were met. The deployment took over 25 days.

What's my experience with pricing, setup cost, and licensing?


What other advice do I have?

I would rate Qualys Patch Management ten out of ten. 

We are conducting testing in a UAT environment. Our risk mitigation approach involves deploying a patch only after thorough testing in the UAT environment confirms the absence of issues.

We use an internal ticketing system called TUSOM. While previous discussions with our Qualys TAM indicated that integration with TUSOM was not possible, we have recently re-engaged with them, and they are now working on a solution to enable integration.

Approximately 13 individuals have administrative access to Qualys Patch Management, while the remainder have read-only access for viewing reports.

Maintenance is required before we can implement the policy. As a result, we are conducting preliminary testing in the UAT environment. Additionally, Qualys will notify us of any planned maintenance.

I recommend starting with a proof of concept to ensure Qualys Patch Management meets your requirements. In my experience, it is highly user-friendly and has excellent support, making it superior to other products.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
GokulM - PeerSpot reviewer
Vulnerability Management Engineer at a comms service provider with 10,001+ employees
Real User
Top 10
Jan 23, 2025
Very beneficial for quickly addressing critical vulnerability alerts
Pros and Cons
  • "We can update the registry with special features such as Registry Update. We can also run scripts via the Patch Management module. These features are very helpful in our operations."
  • "Qualys Patch Management is beneficial for addressing critical vulnerability alerts quickly, providing significant improvements in mitigating risk within our organization."
  • "I struggled to see patch availability for some applications in the Qualys console, requiring me to use third-party repositories. If repositories could be integrated within the Qualys module, it would simplify the patching process for me."

What is our primary use case?

I use Qualys Patch Management to patch vulnerable applications such as Mozilla Firefox and Java. Additionally, I use features like registry updates and scripting options available in the Patch Management deployment module. Our usage is about 70%.

How has it helped my organization?

Qualys Patch Management is beneficial for addressing critical vulnerability alerts quickly, providing significant improvements in mitigating risk within our organization. It is very helpful to push patches for critical vulnerability alerts in that one shot to remediate vulnerabilities.

It is very helpful in reducing risk in our organization. This is the only tool we are using to patch applications in our environment.

What is most valuable?

The availability of patches for required applications from Qualys itself is convenient, making it easy for me to push patches. 

We can update the registry with special features such as Registry Update. We can also run scripts via the Patch Management module. These features are very helpful in our operations. 

What needs improvement?

I struggled to see patch availability for some applications in the Qualys console, requiring me to use third-party repositories. If repositories could be integrated within the Qualys module, it would simplify the patching process for me. 

Additionally, there are glitches in the VMDR vulnerability section while querying for particular vulnerabilities. There are unwanted commands in the KQL which sometimes hinder my results. For example, we sometimes could get CVE IDs while running a query, but at other times, we could not.

For how long have I used the solution?

I have been working with Qualys Patch Management for around nine months.

What do I think about the stability of the solution?

As of now, I have not encountered any performance issues or stability issues.

What do I think about the scalability of the solution?

I have not faced any limitations or scalability issues.

We have more than 25K assets. We have three people to do the administrative things.

How are customer service and support?

The support team is responsive and provides detailed information. They share the required documents when we need them. They are very helpful in resolving issues. I would rate them a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used Microsoft SCCM for patch management. We switched to Qualys because it centralizes vulnerability detection and patch availability, reducing our workload. We can find the vulnerabilities and see patch availability for those vulnerabilities. It saves time.

With Microsoft SCCM, we could push patches for the applications we wanted to, but with Qualys Patch Management, we could not push some third-party applications. That is the one main difference. Another thing is that whenever we ran the script, we could not see the results or outcome after running the script with Qualys Patch Management, whereas in SCCM, we could see the output of the script. These are the two main differences between Microsoft SCCM and Qualys Patch Management.

How was the initial setup?

It is a SaaS solution. I was not involved in its initial setup, but we are in the process of deploying agents in our entire organization. 

It does not require maintenance from our side. If anything is required, we raise a ticket. So far, we have faced only one issue. Usually, a Qualys agent having a newer version is automatically upgraded, but in our environment, on some machines, we are not able to see the latest version. We are working with the Qualys team to resolve it.

Which other solutions did I evaluate?

I did not evaluate any other options before choosing Qualys.

What other advice do I have?

It is a very good tool to reduce the vulnerabilities in our organization. Our current usage is about 70%, but we have started utilizing more features. We are planning to increase its license in our environment when there is an increase in the assets.

I would recommend it to others. It is a very good solution for finding vulnerabilities and patching them.

I would rate Qualys Patch Management an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Cybersecurity Engineer at a manufacturing company with 51-200 employees
Real User
Top 5
Oct 30, 2024
Vulnerability prioritization and dashboards help with efficient patch management
Pros and Cons
  • "Patch Management, if configured correctly, works effectively without requiring further action."
  • "Qualys can do regular check-ins to go over not only all the vulnerabilities but also the overall process to see if there is anything where we might need improvement."

What is our primary use case?

We use almost every module that Qualys has, except the EDR, which is endpoint protection. They came up with that module last year. We use their patch management, vulnerability scanners, cloud agents, and network passive scanners. We are using everything that is available.

How has it helped my organization?

They have a very good approach called TruRisk. If an exploit is publicly available or something is public-facing, they have an in-depth categorization process, so I do not have to think about what to patch first. Qualys take care of that. They assess them based on many factors. They have a team that works on that and goes through every aspect of the vulnerability in terms of how easily it can be exploited, and then they put a priority on it.

TruRisk automation has not helped us remediate vulnerabilities without needing to involve our security team. That is because we have been having some issues with the Windows Store app. We blocked it now but did not block it before, so it got installed on some of the machines. Because of that, we have to deal with it manually because Patch Management cannot do that. They will look for attributes, and they still exist. We cannot delete or update them because the Windows Store app is blocked, so we have to deal with those things manually.

They have a dashboard, which is very useful. I heavily rely on the dashboard. I create additional widgets if I have to, but the dashboards they have in their library are sufficient and very easy to use. I already know their language and I can build queries if necessary. 

Having this single source of truth affects the way our security and IT teams work together. Instead of me telling or sending screenshots, I can send them a link. When I send the link, others can see the exact same screen and easily drill down on endpoints.

This single source of truth helps reduce costs. It saves time, and time is always equal to money.

Patch Management has improved our patch rates. Previously, our approximate patching duration to close a vulnerability or remediate a vulnerability was almost 30 to 40 days. Right now, it does not exceed 11 days. Qualys has its own priority levels. They have priority 4, priority 3, priority 2, and priority 1 levels. Priority 4 ones are the most dangerous ones. They are patched right away. For other priorities, it was 30 to 40 days and then it was 21 days. The last one was about 14 days and now it is 11. It is a very good progress from what it was before.

I do not use their Risk Reduction Recommendation Report, but I usually go for the dashboard. The dashboard usually tells everything such as the end-of-life hardware, software, or other things. When I drill down, I can generate a report and present it to my IT colleagues and tell them that we need to get rid of this equipment or this software. We need to do something with it. This is an on-demand report, so I can put it on my schedule, and when I need it, I can generate it.

Patch Management has definitely helped to reduce our organization's risk. It is hard to provide metrics because, with the security field, you cannot be very precise about how secure you are. However, I can sleep at night and not stress about if some computer is being patched. I do not worry about situations where when you have a lot of systems, some of them you cannot patch because they have old applications. If you patch them, it will break something. I do not have that stress because I can rely on Qualys to do its job. In my previous job, I have had systems that I could not patch. I had to request a window to do the patchwork. With Qualys, I do not have to do that. There is a work/life balance. I got back my Saturdays and Sundays. In my previous job, I came to the job on Saturday and Sunday when people were not there and patched the systems. With Qualys, it is definitely not the case. We do not have to do that.

What is most valuable?

Patch Management, if configured correctly, works effectively without requiring further action. There are some applications that Patch Management cannot update, but they have a Custom Assessment and Remediation module to update third-party software. That module completes patch management, and you can now update everything.

The vulnerability scanner is solid and thorough. Vulnerability scans go through everything such as the endpoints, servers, and hardware.

What needs improvement?

They are constantly working on making it better. There is no 100% reliable or working application or software. There are caveats with the network passive sensor when it does not merge or something does not feel right, but whenever I have to report on those things, someone from their support team jumps on and tries to help us, which is why I like it. They should keep it up. 

They can maybe do check-ins with the customers once a month. All the vendors are doing it nowadays. Qualys can do regular check-ins to go over not only all the vulnerabilities but also the overall process to see if there is anything where we might need improvement. They know about the latest trends, and they have meetings about them. They can relay to us some newer information that we do not know, but they saw in our environment. That would be a nice thing.

For how long have I used the solution?

I have probably been using it for three years, give or take.

How are customer service and support?

I have interacted with them many times. Their support is good and reactive. When we needed support, it took a day or two. We can always reach out to our technical account manager. He is able to get on board with the engineers to help resolve issues, which I appreciate. If we need to fix something urgently, he can always help us.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We also use Microsoft through the GPL, and we have KACE, which checks for missing patches and applied patches, but mostly, we use Qualys. Qualys would be our single pane of glass where we see all those.

How was the initial setup?

I joined after the initial deployment was completed, but I deployed a couple of scanners, like vulnerability scanners on the VMs, and that process was easy. It was self-explanatory and straightforward. You just spin one up, put the IP address, and it works.

It does not require any maintenance. It is a cloud agent. As long as the cloud agent is installed on the endpoint, we are collecting all the information and the system is being patched. That is a good part.

What other advice do I have?

It took us some time to realize its benefits. I went to a Qualys conference, and that was when I started to realize its benefits. Till then, I thought Rapid7 was a good one or Manage Engine was a good one. I thought those products were good, and they also patch third parties whereas Qualys did not patch third parties. After going to Qualys, they explained there is a way to do that. It was a longer way, which I did not do. We decided to go with an MSP that specializes in installation and fine-tuning the Qualys product. When they did everything, I did not have to touch any configuration with Qualys Patch Management. Everything was going through. With the way we did things previously, it was going through, but it was a longer approach. It was taking a little longer and was more manual. We did not properly utilize tagging. We did not properly utilize the patching process scheduling. The MSP guys did tagging. They did automation of the patch management according to the risks. That was very important. Previously, we had six or seven jobs and sometimes, we manually patched individual machines. After the MSP guys did the fine-tuning, we had only two scheduled jobs, and that was it. The first job does 10 to 15 testing computers, and then the next one does the old machines.

I would rate Qualys Patch Management a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Sr Security Engineer at a tech services company with 10,001+ employees
Real User
Top 20
Mar 23, 2025
Supports various applications and reduces manual workload
Pros and Cons
  • "Patch Management supports various software lists when compared to Microsoft Intune. It is especially beneficial for non-Microsoft applications. I can create a schedule, and various patches can be automatically deployed."
  • "Patch management significantly helped us track and reduce vulnerabilities."
  • "It would be better if Qualys Patch Management identifies whether the process has failed at the first instance and provides a retry button or retry mechanism, allowing retries for failed patches. This feature would reduce my manual workload."
  • "I deploy patches to endpoints and servers every month. However, despite a job showing as successful, I need to examine the job in detail."

What is our primary use case?

I use Qualys Patch Management as a single platform for patch management. We have Microsoft, Adobe, and various other apps. I create a scheduled task to push all the required patches to the laptops so that they have the latest version of these apps.

We also do compliance checks to ensure that, for example, we have the golden image on our servers and laptops. We use it for scanning to ensure that configurations are correct and based on the CIS guidelines.

All our servers and laptops have the Qualys agent, and we can then push the patches to those devices.

How has it helped my organization?

Patch Management offers a patch-based approach to vulnerabilities. It helps us prioritize and schedule critical or high-severity patches to address issues.

Patch Management gives us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

I use Patch Management with Qualys VMDR. After the patches are deployed, I check Qualys VMDR to verify if the issues have been addressed.

The Risk Reduction Recommendation Report is fine. It has some general information. It can give insights to people who are not familiar with the findings. I can generate a report and share it with different IT groups to help them understand the issue and the suggested solution. It can help address 70% to 80% of the issues. The rest of them might require further discussion to come up with a solution.

Patch management significantly helped us track and reduce vulnerabilities. For example, before adopting Qualys Patch Management, we found 10,000 or more vulnerabilities. We have now addressed those, limiting existing vulnerabilities to around hundreds. There is a great improvement.

What is most valuable?

Patch Management supports various software lists when compared to Microsoft Intune. It is especially beneficial for non-Microsoft applications. I can create a schedule, and various patches can be automatically deployed. There is no need to create a PowerShell script. It helps reduce the manual workload for patch deployment. 

What needs improvement?

I deploy patches to endpoints and servers every month. However, despite a job showing as successful, I need to examine the job in detail. For instance, if I have deployed patches to 100 endpoints, even though the job status says that it is successful, I still have to go deep into endpoints one by one to identify if there are some failures. It would be better if Qualys Patch Management identifies whether the process has failed at the first instance and provides a retry button or retry mechanism, allowing retries for failed patches. This feature would reduce my manual workload. 

For reporting issues, we can check if the findings are addressed in the VMDR, but to verify if the latest patches have been applied on the endpoints or servers, we have to examine scheduled jobs one by one. 

It would help if error messages were clearer about causes, like endpoints being offline. This improvement would streamline troubleshooting, helping users ensure their PCs are on when deploying patches. Fail status alerts providing specific fail details would facilitate easier checks.

For how long have I used the solution?

I have been using Qualys Patch Management for at least two years.

What do I think about the stability of the solution?

It is highly stable. I would rate it an eight out of ten for stability.

What do I think about the scalability of the solution?

We are utilizing it fully. It serves our needs.

How are customer service and support?

We get the first response to a question within two days, but when we have follow-up questions, they take longer, and the case may get dragged a little bit. It is not fit for us sometimes.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Intune is a comparison point, but previously, we had Ivanti Patch Management. Qualys Patch Management is much better, considering the number of issues we could address with it.

How was the initial setup?

The initial setup was quite a normal process. We needed to install the appliance and establish firewall rules to allow traffic with different software. For the endpoint part, Qualys agents were installed on the machines. We had no serious challenges deploying to most endpoints or configuring the firewall.

Which other solutions did I evaluate?

I am currently conducting a patch management review and evaluating new features or products, and Qualys Patch Management still meets our requirements.

What other advice do I have?

I would rate Qualys Patch Management an eight out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Mubashir K - PeerSpot reviewer
Security Specialist at a photography company with 11-50 employees
Real User
Top 20
Dec 4, 2024
Enhance client security with timely insights and streamlined patch management
Pros and Cons
  • "Qualys Patch Management allows us to structure all the patches together and schedule patch management sessions."
  • "Qualys Patch Management helps reduce our client's organizational risk by 50 percent."
  • "The pricing of the solution is slightly high compared to other tools in our field."

What is our primary use case?

I am a cybersecurity engineer focused on vulnerability assessment and penetration testing. We use Qualys Patch Management to scan our client infrastructure and external-facing applications. We collect asset details from clients and perform activities using Qualys VMDR to prepare and submit reports. If vulnerabilities are detected, we conduct patch management.

We implemented Qualys Patch Management to simplify patching processes and maintain a comprehensive record of all assets, both those already patched and those requiring patching.

How has it helped my organization?

Qualys Patch Management's risk-based approach to automation is effective in addressing vulnerabilities. By configuring policies, patches are applied automatically, eliminating concerns about oversight and ensuring comprehensive mitigation.

The integration of Patch Management and VMDR is critical for medium and large organizations because it automatically includes relevant patches and configuration changes to remediate detected vulnerabilities. This allows organizations to gain clear visibility into device vulnerabilities and take immediate action to mitigate risks.

Qualys Patch Management keeps our clients informed of all security aspects. It keeps the quality up to date, with vulnerability databases and new CVEs based on the CVSS score. Clients are pleased with the insights on their security posture and any security gaps.

We use TruRisk automation and the Qualys knowledge base, with its batch management and information-sharing features, to remediate vulnerabilities without involving the security team.

Qualys Patch Management provides a centralized platform to identify, prioritize, and address vulnerabilities across all assets. This allows us to tailor vulnerability assessments and patching strategies for clients with critical assets, such as servers hosting public-facing web applications, by leveraging asset criticality tags to create dedicated sections within the platform.

Qualys Patch Management has helped improve our patch rate by 35 percent.

Qualys Patch Management helps reduce our client's organizational risk by 50 percent.

What is most valuable?

Qualys Patch Management allows us to structure all the patches together and schedule patch management sessions. If we do not need a particular patch, it can push it automatically. It provides insight into the organization's security posture and keeps databases updated with new CVEs.

What needs improvement?

The pricing of the solution is slightly high compared to other tools in our field. It’s manageable for clients, but as a service provider, it can be challenging due to the lower cost of vulnerability assessments and penetration testing.

For how long have I used the solution?

I have been using Qualys Patch Management for the past two years.

What do I think about the stability of the solution?

Qualys Patch Management is a stable solution. I would rate its stability as a ten out of ten.

What do I think about the scalability of the solution?

Scalability could be improved, as not everyone can afford it, and some may not fully understand how to use Qualys.

How are customer service and support?

During the license purchase process, there was some delay in technical communication from Qualys. 

How would you rate customer service and support?

Positive

What about the implementation team?

The deployment involved a team of six people and took about half a year.

What was our ROI?

Qualys Patch Management has saved time and resources by reducing the need for human resources. Clients are satisfied with the insights and reduced vulnerabilities over time.

What's my experience with pricing, setup cost, and licensing?

While the cost of Qualys Patch Management is slightly high compared to alternative tools, it is not excessively expensive. I would rate the pricing as a seven or eight out of ten for expense.

What other advice do I have?

I would rate Qualys Patch Management ten out of ten.

Our clients who use Qualys Patch Management are medium to enterprise-level businesses.

Qualys handles the maintenance for Patch Management.

I recommend Qualys Patch Management to others due to its ability to enhance organizational and client security posture while reducing time and costs associated with vulnerability assessment and auditing.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Principle Cloud Architect at a tech services company with 11-50 employees
Real User
Top 5Leaderboard
May 18, 2026
Risk-based patching has improved visibility and aligns security and IT teams for faster remediation
Pros and Cons
  • "Speaking about the advantages of Qualys Patch Management, it is clear that when I speak about a risk-based approach, I am in a position to assess it compared to a patch-based approach."
  • "However, in terms of scalability, it still has the potential to be better."

What is our primary use case?

I have been dealing with Qualys Patch Management for up to nine years. When speaking about the use cases, it is clear in terms of what purposes I use patch management for.

What is most valuable?

Speaking about the advantages of Qualys Patch Management, it is clear that when I speak about a risk-based approach, I am in a position to assess it compared to a patch-based approach. If I take a risk-based approach for creating automation to address risks, I would assess it positively. It is really effective.

Qualys Patch Management can give me a single source of truth for assets and vulnerabilities, and it is clear that this affects the way my security and IT team work together. I wonder if you are using the risk reduction recommendation report.

When it comes to whether it helps to see what vulnerabilities would reduce the most risk in the company, that is clear, and I wonder if you are using the integrations with CMDB and ITSM tools for ticket management.

What needs improvement?

In terms of quantifying how much it reduces the cost, I have no issues asking. You have covered many positive aspects for Qualys Patch Management, but if we speak about anything negative or any potential areas for improvement, I would say that in terms of stability, the product is very reliable and stable in general. However, in terms of scalability, it still has the potential to be better.

For how long have I used the solution?

I have been in the business since 2013.

What do I think about the stability of the solution?

In terms of stability, I would say Qualys Patch Management is very reliable and stable in general. However, in terms of scalability, it still has the potential to be better.

What do I think about the scalability of the solution?

In terms of scalability, Qualys Patch Management still has the potential to be better.

How was the initial setup?

When I discuss the deployment procedure and initial setup, I wonder if it is complex for Qualys Patch Management or quite straightforward, and whether I have my clients everything on the cloud or if there is a hybrid model.

What was our ROI?

Regarding whether it allows me to close tickets much faster, I am not sure if that is possible to quantify, but perhaps it is subjective.

What's my experience with pricing, setup cost, and licensing?

In terms of quantifying how much it reduces the cost, I have no issues asking.

Which other solutions did I evaluate?

If I compare the product with competitors, it is clear to say that the price is fair for Qualys Patch Management or if it still seems a bit expensive.

What other advice do I have?

When I think about how many years I have been working with IT products, I realize that I have been in the business since 2013.

I mentioned that I work with Qualys VMDR and if we speak about integration between these two products, I am curious about whether the solution TruRisk Automation helps remediate vulnerabilities without involving my security team. What do I think about TruRisk Automation?

When speaking about the patch rates, I am curious about how much it has reduced the organizational risk.

I would rate this review as a comprehensive assessment of Qualys Patch Management's capabilities and areas for improvement.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 18, 2026
Flag as inappropriate
PeerSpot user
Koketso Ditlhage - PeerSpot reviewer
Information Communication Technology Specialist at UNIVERSITY OF JOHANNESBURG
Real User
Top 10
Feb 10, 2025
Efficiently manages vulnerabilities and patch management with automated features
Pros and Cons
  • "I would give it a ten out of ten."
  • "We dislike having to pay extra. We don't mind paying for additional modules like Certificate View."

What is our primary use case?

We are in the education industry, and we perform weekly scans. On weekends, we scan our entire management, servers, and expectations. Then on Monday, I set up some weekly reports. From these, I'll have my vulnerabilities and Patch management reports showing which third-party applications I installed on users' workstations. I tested these on a Monday or Tuesday with Patch Management. If all goes well, by Wednesday or Thursday, I'm patching the rest of the environment. In terms of workstations, I scan and patch them weekly, but for servers, I wait for the Microsoft patching cycle. Only then do we patch the servers, allowing for a restart for each update. After the Microsoft updates, we can restart our servers.

What is most valuable?

The auto patch is useful. On zero-day vulnerabilities or patches, we can automatically apply those without user interference. We can drastically decrease vulnerabilities, especially third-party ones, such as a Java update that usually takes time to test on different machines. With Patch Management, machines can be grouped into test workstations, and a fix can be deployed and monitored for a day or two. If nothing goes wrong, it is deployed to all users. In Koketso Towers, you will notice about one thousand or five thousand mortgages decrease. This has helped us keep up with vulnerabilities, especially on workstations. Test management is a module added to the vulnerability management scanner, which also has the auto-fix feature. We don't usually use this on servers but on workstations. For instance, if there's a vulnerability that is not a zero-day, but something else, we can test and deploy it almost immediately from the workstation.

What needs improvement?

I do not have any major problems. I think it's working great. My recommendation would be not just for Patch Management but for Qualys itself. I am using Qualys through a third party or reseller. The issue is that when buying Qualys licenses, from my side, I'm buying for about seven thousand five hundred users or machines. I also need to buy licenses for another seven thousand five hundred for patch management. We dislike having to pay extra. We don't mind paying for additional modules like Certificate View. The test management part requires buying licenses. We are trying to negotiate with our reseller. If they can't provide us, we'll go straight to Qualys and see if they can assist.

For how long have I used the solution?

I have been using Patch Management for about six months now.

What do I think about the stability of the solution?

The solution is very stable. I have encountered no problems so far.

How are customer service and support?

We don't interact much since our service is managed. We only contact Qualys if there are serious issues. Last year, we communicated with Qualys two times when our service provider couldn't assist us in resolving one vulnerability.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We started before moving to VMDR. We used a previous version called Qualys VM, and now it's Qualys VMDR. With Qualys VM, we had access to the console.

How was the initial setup?

The setup was straightforward. We began by installing the scanner, scanning the entire environment, and then categorizing items as servers, workstations, etc., applying tags accordingly. It took us about two weeks to have it fully operational with both daily and monthly reports set up. The deployment is easy through SCCM from Microsoft, as we deploy based on our AD groups.

What other advice do I have?

I would give it a ten out of ten. It is an excellent module to have within the environment, as most environments have Windows Patch cycles, but not for third-party applications. Patch Management not only addresses third-party applications but can also patch vulnerabilities. It allows seamless deployment from the console if a patch for a vulnerability is available. I would rate the overall solution a 10 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Qualys Patch Management Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2026
Product Categories
Patch Management
Buyer's Guide
Download our free Qualys Patch Management Report and get advice and tips from experienced pros sharing their opinions.