Qualys Patch Management Reviews

I have used this management system to remediate vulnerabilities.

There are a few vulnerabilities we can remediate very quickly. It reduces the time delay. If there are configuration-level changes, we can create and push scripts. 

It helps us increase visibility for faster remediation. 

Syncing between the MBR and patches is the feature. Another valuable feature is pushing configuration-level changes for a script, which leads to a single solution for all the changes. 

From a risk perspective, prioritization helps us more by allowing us to see the visibility of assets with more critical vulnerabilities. We can then push the patches immediately to remediate or reduce risk as soon as possible. That is the major advantage I have.

The integrations with VMware include configurations to mitigate vulnerabilities. It helps us identify permissions and whatever is applicable for the vulnerability for faster patching. 

It helps us remediate vulnerabilities without involving our security team. This helps further relieve time delays. We've saved around 50% of time with patching with Qualys.

The solution provides a single source of truth. We have everything all in one place, saving 40% of our time when compared to the older approach. We don't have to look at different platforms or move back and forth between tools between patching and validation. 

It has effective risk reduction recommendation reports. It streamlines remediation and gives us more data on the vulnerabilities. It helps us to identify the risk factors and levels of risk for increased prioritization.

Our patch rates have increased significantly. 

We've been able to reduce organizational risk by 50%.

The patch status and patch completion information should be improved. If a patch fails due to some reason, such as a Windows error, the error code that gets published should be more detailed. This would make it easier for us to identify where the issue lies, whether at the network level, machine level, or elsewhere. 

I have been using the solution for the past three years.

The stability is rated ten out of ten.

The scalability is rated ten out of ten.

I would rate technical support as nine out of ten.

Positive

I used different solutions like KACE, among others. We switched so we could use a single tool to make the process as simple as possible.

We use a hybrid cloud approach.

The setup was just about enabling a module for it. Since the system is already deployed, we only had to enable the module.

We use it across multiple locations.

There is no maintenance required once deployed.

As I said previously, it has reduced the risk by fifty percent compared to the previous solution. Everything is in SaaS.

As a single tool, it is a better choice. I would recommend the solution to other users. 

I would rate the overall solution as nine out of ten.

Initially, we were using Qualys Patch Management for TruRisk vulnerability detections. I am on the risk operations side, so I also used it to determine ways to fix a particular vulnerability and address it.

I used Patch Management with Qualys VMDR when I was doing a proof of concept with Patch management. It works well. To me, it was just a shortcut or another way to patch a system versus doing it with the job, but it was straightforward.

We were able to realize its benefits immediately. Patch Management gave my side and the security side a single pane of glass and the ability to better coordinate the delivery of patches. After using it, I felt a lot more comfortable with it. 

TruRisk gives the confidence that we are attacking the major issues, but we do leverage our security team to make the final decision. It does help.

Patch Management gives us a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated.

Currently, we are in a hybrid environment until we fully transition over. We have Ivanti and Qualys. They are two separate agents, two separate infrastructures. Moving to Qualys Patch Management gives us instant access to all of the systems we have. We do not have to worry about building up new infrastructure. We just go and start patching. It streamlines everything a lot, especially the dialogue between our teams, that is, the risk side versus the security side. It reduces confusion over patches.

Patch Management has definitely given us the opportunity to do more hands-off patching. Some in my team are manually pushing the patches out. We click a button, schedule it, and shoot it out. We are going to take advantage of zero-touch patching for browsers. We are going to do a lot more scheduled or agent-based patching. It will be hands-off. It will free us up to do more analytical things and spread ourselves out to other tasks.

Patch Management will help us reduce our organization's risk. We have not had the opportunity to start using it the way we want to. We are still early on, but just from what I see, I expect that it would have a significant impact on our ability to patch. Personally, I think the impact will be significant.

We recently got their Patch Management solution, which is the most important thing for me at this time. Previously, vulnerability detection was most valuable.

Patch Management's risk-based approach to creating automation to address risks is very important. I just came from the conference, and I understand it a lot more. It definitely is important. I like it a lot.

I would like a more clear distinction in terms of something I call a patch contract. A patch contract is a bundle of patches that we are going to roll out. I would like to reference those patches from separate jobs. They explained at a conference that it cannot be done, but that is my main complaint. I wish that the whole schema was a little bit clearer because there is a little bit of cloudiness around it. Everything else seems to be fairly straightforward.

Additionally, I know there is a cost associated with this, but it would be nice if instead of us having to roll and host our own custom files on AWS or something like that, Qualys could provide some space, even if just a gigabyte or 500 megabytes.

I have been using it for about a year or two.

Overall, I have not experienced any issues with Qualys as a whole, although the security team once mentioned something about the system being down. I will learn more as I get more and more into patching with it.

I have not yet contacted their support.

Neutral

Right now, we are using a mixture of security controls and endpoint management. I have used solutions like Ivanti, Altiris, Intune, and WSUS, among others. I have seen a lot of patch management solutions.

Ivanti is closest to Qualys. Both of them are built on the same Shavlik engine. Qualys is better for my situation because it is cloud-based. I do not have to worry about on-prem things I do right now. I am familiar with Patch Management because underneath it is the same Shavlik engine that is used by Ivanti. I am familiar with the log files and things like that.

That was the easiest thing to do. All the hard work had already been done. After the security team has the agents installed, we start working our magic. It does not get easier than that.

We have not yet fully deployed it, so I cannot say how long it takes to fully deploy it, but getting it established and started was quick.

From what I have heard, Qualys Patch Management is pricey, which is a main barrier to entry. Another aspect that I do not like about Qualys is that they do not add new patch management functionalities to the existing package. It is a separate SKU, so you have to pay more money.

I would rate Qualys Patch Management a nine out of ten.

We primarily use Patch Management in our organization for remediating vulnerabilities for which patches are supported by Qualys. 

There is a zero-touch mechanism in Qualys for patch management. For example, if we have a product for which frequent patches are released, we do not have to manually initiate a patch. It can be initiated automatically when a new patch is available.

The integration between Qualys VMDR and Patch Management allows us to monitor job statuses and ensures timely remediation. Previously, we had only the VMDR solution from Qualys. For remediation, we had to go to a different solution. There was a delay in the syncing process. With the integration of Qualys VMDR and Patch Management, we have more real-time and comprehensive data. We can see information about the status of the job and other things in a single console. We have a faster view of the remediation effort.

We also have the ability to view and select patches based on the assets. There might be hundreds of patches available in the knowledge base. It gives us patches available only for the selected assets. This saves time and reduces risk.

For vulnerability management, Qualys serves as a single source of truth, but for patch management, we have to use some more tools because Qualys does not support certain scenarios.

We have seen about 60% to 70% improvement in the patch rate so far. It has reduced the organization's risk. 

Patch Management offers pre-action and post-action features, which provide the ability to execute scripts during the installation or uninstallation of software. This helps me make changes from Qualys itself.

Not all patches are supported, so there are some restrictions. Some remediations require script-level changes which Qualys does not support. We have to manually create those scripts.

They should focus on increasing the list of supported patches. New software or data is continuously released, and it would be beneficial if patches were updated in the knowledge base more quickly. Sometimes, there are delays of three to four days, which should be addressed.

I have been using Qualys Patch Management for more than one and a half years.

I would rate the stability a nine out of ten. Occasionally, I need to change patches for certain software like Google Chrome, but overall, it is stable.

The scalability is good. It handles the requirements effectively.

We are using it at multiple locations. We have about 300k users.

I would rate their customer support a nine out of ten. Although there can be some delays, overall, the support is satisfactory.

Positive

We used a different patch management solution previously. We switched to Qualys because it integrates seamlessly with VMDR, which makes it easier to manage vulnerabilities and patching in a single console.

The initial setup was easy. We had already deployed the agent. It involved selecting the asset and enabling the module.

It does not require any maintenance from our side. It is a SaaS platform. Everything is handled by Qualys.

I would recommend Qualys Patch Management if you are integrating it with VMDR. If you are using a different solution for vulnerability management and considering Qualys solely for patch management, it might not be the best choice.

I would rate Qualys Patch Management a nine out of ten.

I initially used Qualys' Vulnerability Management module and later incorporated their Patch Management module for remediation. This allowed us to deploy patches, schedule deployments for various machines, and automate the process on a weekly or monthly basis. Critical assets receive daily deployments with real-time detection and prioritization for enhanced security.

We can prioritize vulnerabilities using Qualys' risk-based approach. The platform offers a prioritization tab that allows us to tailor the process to the company's requirements. Whether the focus is on risk, asset criticality, or exploitability, we can leverage the prioritization tag in Qualys to manage and address vulnerabilities effectively.

It's important that Qualys Patch Management and VMDR integration encompasses all necessary patches and configuration changes to address vulnerabilities identified by VMDR. This integration ensures real-time detection and remediation of vulnerabilities.

The TruRisk Insights allows us to prioritize and remediate threats without involving our security team.

Qualys Patch Management provides a single source of information to access asset and vulnerability data. Granting the IT team access to the Patch Management module lets them retrieve information through alerts. Through this module, the team receives email alerts about patch failures, enabling them to redeploy patches and investigate the cause of failure, such as machines rebooting at the scheduled time.

Qualys Patch Management helps prioritize vulnerabilities based on risk and asset criticality, facilitating the patching process. 

The integration with ServiceNow helps close tickets faster by automating tasks and alerting the IT team when a patch has failed.

Patch management provides more clarity from the dashboard and console, which is very helpful for our team to prioritize and take prior action.

Downloading extensive vulnerability reports, especially those with millions of entries, is time-consuming. To improve efficiency, Qualys should implement faster download speeds and offer reports in Excel format in addition to the current CSV option.

I have been using Qualys Patch Management for more than two years.

The customer support team is quite responsive and always ready to assist. When I submit a request, they promptly contact me and, if necessary, schedule a call to efficiently address my questions, even during my early days with the product.

Positive

Previously, we used BigFix and SSCM modules for patch application but have since transitioned to Qualys Patch Management for a more streamlined approach. Qualys Patch Management provides a single console for patch management and VMDR, simplifying operations and automating reporting.

I would rate Qualys Patch Management nine out of ten because there is room for improvement in tool features to enhance competitive market standings.

By implementing this solution, we wanted to fix vulnerabilities as soon as possible in both software and operating systems. Qualys Patch Management gives us the power to solve vulnerabilities quickly and keep our environment safe.

We have not yet seen many benefits because we are still deploying patch policies. We are doing that first with a test group. We have not done 100% patch management. By next month, we will have 100% management through Qualys Patch Management. We expect to see about 99.9% of assets updated all the time. We have great expectations.

We can create rules based on risk. We do not make it 100% automatic for servers because there is a higher chance of issues, but for PCs, we can do 100% automation. Based on the risk for an operation, we can create some sort of policies.

We are deploying both Qualys Vulnerability Management and Qualys Patch Management. Qualys Vulnerability Management was deployed one month ago. For the last month, we have been working to deploy Qualys Patch Management. They are being deployed side by side. The benefit of this is that Qualys Patch Management can solve all the vulnerabilities found by Qualys Vulnerability Management. One part of the tool detects the vulnerabilities and then the other part fixes them. They work together.

Patch Management will help reduce our organization's risk, but it is hard to say how much it will reduce the risks.

Policy enforcement requires less time for my team because users cannot avoid applying updates. The user can skip two or three times or for a maximum of eight hours. After that, there is no way to avoid it. It helps us keep the environment safe.

Its implementation is too recent to make any judgments about areas needing improvement. In terms of pricing, of course, it is not free. Cheaper is always better. If possible in the future, it would be good if it is cheaper.

It has been deployed very recently and we are still in the process of deploying it throughout our organization.

So far, stability has been good with no issues.

I know that as a cloud solution, it would be easy to scale, but I do not have any experience with it. We just deployed it, so there is no need to scale at this time.

I have not had to contact support, so I cannot comment on customer service.

Neutral

We previously used Microsoft WSUS. However, it did not offer the same level of management and enforcement as Qualys Patch Management.

Qualys Patch Management gives me all kinds of management options. I have good visibility into vulnerabilities on each asset. Microsoft WSUS does not give me this sort of management level. We also could not meet the expectation of a 99.9% patch rate with Microsoft WSUS.

It is too early to determine the return on investment.

The licensing cost is more than 2,000 for the whole Americas region.

We have not integrated Qualys Patch Management with CMDB or ITSM tools for ticket management. This Qualys Patch Management deployment is done at the Americas region level, and the ITSM that we have in place is only in South America. Companies in the Americas region do not have ITSM, so there is no integration yet.

I would rate Qualys Patch Management an eight out of ten.

Mostly, I've used it because I'm working in the Vulnerability Management Team. I've done the POC for Patch Management and then handed over the product to the Patch Management Team, which handles the patching. I tested the module by Qualys, exploring the functionality of the Patch Management module, such as available patches. All these tasks were completed by me before procuring the product, and then access was provided to another team that uses it for patching. As part of the Vulnerability Management Team, my work involves overseeing the entire Qualys product, including VMDR, FedRAMP, cloud agents, and other functionalities.

The first thing I would say is the ease of use. It's so user-friendly that even a newcomer in IT can use it directly. It helps reduce our attack surface by patching all software vulnerabilities and deploying patches directly from the console. The connection and integration between different tools are excellent, allowing continuous monitoring of the types of patches released, which can be quickly deployed onto the systems. The dashboards help identify what type of patch I want to deploy and which patches are missing.

There is room for improvement in the inclusion of more patches. That's the only improvement I would suggest. Not all patches are available on Qualys, so they need to get licenses for other patches as well. That would be more helpful.

I have used the solution for 3 years.

It's quite stable. I would say it’s a nine.

Scalability, it's dependable.

Technical support, I would say it’s about seven and a half.

We used BigFix before.

For Patch Management, the testing part took about one to two weeks. Procurement took one week because it was pending with the procurement team. Overall, I guess it took about a month.

We have saved time and resources by detecting vulnerabilities, which helps us patch many assets. I can't quantify it exactly, but it's significant as it prevents vulnerabilities from being exploited. If those vulnerabilities were open and we did not have Qualys or similar solutions, we would have been at risk of attacks. I cannot give a specific number, but having a Vulnerability Management tool has a significant impact.

These two tools are completely different. BigFix is a full-fledged patching tool where you can directly apply patches but cannot view vulnerability data. On Qualys, you can see vulnerabilities and deploy patches directly. It offers a different perspective by allowing you to view a vulnerability and deploy a remedying patch. Qualys acts like both a vulnerability management tool and a patching tool, which is quite beneficial. Tools like Nessus, Rapid7 handle vulnerability management, while BigFix, SCCM handle patching.

I would recommend it because of its ease of use and integration as both a Vulnerability Management and Patch Management tool. I rate it nine out of ten.

We use Qualys Patch Management to fix patch vulnerabilities in our environment. We're dealing with machines that have pending updates, and we need to configure our console.

In Qualys, we configure Tanium, and Qualys acts as a collaborator with Tanium in our environment. We address machine details, compare with SSCM tools, and manage assets and hardware. Qualys allows us to automate and fix patches through the tool, achieving a compliance rate of over 95%.

In our environment, the application sometimes crashes, requiring improvement. Additionally, the user interface could be made easier to use, especially for system administrators.

I have been using Qualys for about one year.

We have sometimes escalated questions due to application crashes, which need improvement.

We previously worked with Microsoft Endpoint Configuration Manager (SSCM) for about two and a half years, yet faced issues with achieving target compliance.

I was not involved in the initial setup of the Qualys solution.

I am not able to give a proper answer regarding the return on investment.

I am not familiar with the pricing or setup cost of the Qualys solution.

Compared to other tools, Qualys is better due to its automation capabilities, which allow us to achieve high compliance rates. 

I rate Qualys Patch Management a ten out of ten.

Qualys Patch Management is used to address and remediate server vulnerabilities. It provides a dashboard with information on remediation steps, vulnerability severity, impact, and other relevant details. This tool effectively manages and mitigates security vulnerabilities, ensuring the security of our infrastructure.

Qualys Patch Management provides visibility into our infrastructure's security vulnerabilities, enabling us to demonstrate to external auditors that our infrastructure is secure and vulnerabilities are mitigated. This has strengthened our security posture and significantly improved our overall security.

The TrueRisk automation helps us remediate vulnerabilities without involving our security team.

Qualys Patch Management provides a single source for asset and vulnerability monitoring, allowing us to view remediation status and severity levels from a centralized dashboard.

It is user-friendly and easy to learn, even for someone without experience, enabling them to master the tool within four days.

Qualys Patch Management has helped reduce our organization's risk by 70 to 80 percent.

The most valuable feature is the ability to search for vulnerabilities using their QID. This provides comprehensive information, including severity, CVE, and impact, in an informative dashboard. This allows for a clear understanding of the scope of the infrastructure affected and the specific servers impacted.

The Qualys agent sometimes encounters authorization issues, leading to inaccurate vulnerability reports. Additionally, server updates cause duplicate assets to appear, hindering accurate asset identification.

I have been using Qualys Patch Management for approximately two and a half years.

I would rate the stability of Qualys Patch Management as nine out of ten.

I would rate the scalability of Qualys Patch Management as eight out of ten.

Qualys' technical support is good. We raised some issues, and their response was quick and effective, resolving everything on time.

Positive

The initial setup for one or two servers was straightforward and did not take much time. It was set up before I joined the organization, so my direct experience with a larger-scale setup is limited.

I would rate Qualys Patch Management eight out of ten.

We have three environments: production, development, and QA. To perform patching, we must coordinate with the application team and schedule downtime. Due to the critical nature of the business application running on the production servers, we cannot automate patching; instead, we use satellite servers.

Our organization has between 20 and 30 people who use Qualys Patch Management.

In the two and a half years I've used Qualys Patch Management, I haven't observed any need for maintenance on the tool.

Qualys Patch Management is a valuable tool for large organizations seeking to maintain a secure infrastructure.