
Qualys VMDR Patch Management — Jobs, Rings & Zero-Touch Patching

Qualys VMDR closes the loop between detecting a vulnerability and deploying its patch — all from one platform. This lesson maps integrated patching, patch jobs, zero-touch automation, deployment rings, and how VMDR correlates CVEs directly to patches so your remediation team never has to hunt for what to apply.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Qualys VMDR Patch Management (2026): integrated patching, patch jobs, zero-touch automation, deployment rings and how VMDR correlates vulnerabilities directly to patches — all in one platform.

🎯 By the end you will be able to

1. Why integrated? · One platform from CVE to patched asset.
2. Patch jobs · Create, schedule, deploy and verify.
3. Rings & zero-touch · Stage rollouts, automate triggers.
4. Correlation path · CVE → patch → verified clean.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can you patch a vulnerable asset directly from the VMDR vulnerability dashboard?

Answered in Why integrated?.

2. What is a patch job in Qualys Patch Management?

Answered in Patch jobs.

3. What does zero-touch patching do?

Answered in Rings & zero-touch.

Most engineers think…

Most people treat vulnerability scanning and patch deployment as two completely separate workflows: scan in tool A, export a CSV, create a ticket in tool B, patch manually, scan again to verify. That works at 50 assets. It falls apart at 5,000.

Qualys VMDR is built on the idea that detection and remediation live in the same platform. The vulnerability finding already knows which patch fixes it, which assets need it, and what the risk score is. Patch jobs, deployment rings and zero-touch automation turn that knowledge into automated action — closing the CVE-to-patch gap from weeks to hours.

① Why integrated patching — one platform, zero handoffs

Traditional remediation has a fatal gap: the scanner knows what is vulnerable but the patching tool does not know the risk score, and the ticketing system knows neither. Teams export CSVs, lose context, and the mean-time-to-remediate stretches into weeks. Qualys VMDR collapses that gap by keeping vulnerability data, threat intelligence, risk scoring and patch deployment in one platform.

When VMDR detects a vulnerability on an asset, it immediately looks up the patch correlation — the exact patch or configuration change that fixes it. Security and IT share the same dashboard, so remediation starts without a handoff. According to Qualys, teams using the integrated workflow reduce remediation workload by roughly 70%.

The integration is bidirectional: once a patch job finishes, VMDR re-scans the target and closes the vulnerability finding automatically, giving a clean audit trail from detection to verified fix.

Figure 1 — VMDR integrated patching loop: Detect (VMDR finds the CVE) → Correlate (CVE matched to patch) → Deploy (patch job fires) → Verify (re-scan confirms fix) → Close (audit record sealed).
Qualys VMDR connects detection and patch deployment in one loop — no CSV export, no lost context.
Quick check · Q1 of 10 · Understand

What is the primary benefit of integrated patching in Qualys VMDR?

Correct: b. Integrated patching means VMDR already knows which patch fixes each CVE and what the risk score is — no export, no ticket handoff. Security and IT share one dashboard and the platform verifies the fix automatically.
👉 So far: Qualys VMDR integration means: detect a CVE, see the correlated patch, deploy a patch job, verify the fix — all in one platform, no CSV handoff.

② Patch jobs — create, schedule, deploy and verify

A patch job is the core unit of remediation in Qualys Patch Management. You create one by selecting a vulnerability (or a group of assets) from the VMDR dashboard, choosing the correlated patches, defining a target asset tag or IP range, and setting a schedule or triggering it on demand. The Qualys Cloud Agent on each target receives the job, downloads the patch from a configured distribution point, installs it, and reports back status.

Key job options to know

Patch jobs can be scoped by asset tags, making targeting dynamic: add a new server with the right tag and it automatically falls into the next scheduled job.

Figure 2 — Patch job anatomy: Patch selection (CVE-correlated patches from the Knowledge Base) · Asset targeting (dynamic asset tags or IP ranges) · Schedule & window (time, day, reboot policy) · Status & rollback (real-time result per asset).
Each Qualys patch job is built from four layers that together define what, where, when and how patches deploy.
Patch Job
A scheduled or on-demand task that deploys one or more patches to a target asset group via the Qualys Cloud Agent. Controls patch window, reboot behaviour and rollback.

Zero-Touch Patching
An automated patch job that triggers the moment Qualys detects a qualifying patch, with no human click. Linked to Prioritization report criteria such as Critical CVEs with active exploits.

Deployment Ring
A staged rollout wave — Ring 1 (pilot), Ring 2 (broad), Ring 3 (full estate) — that limits blast radius if a patch causes a regression.

Patch Correlation
The Qualys Knowledge Base mapping that links every CVE to the specific patch (KB, package, advisory) that closes it, so VMDR knows what to deploy without manual lookup.

Target assets with tags, not IP lists

Hardcoded IP lists in patch jobs break the moment an asset is rebuilt or re-addressed. Use Qualys dynamic asset tags (by OS, cloud tag, business unit) so the job target stays accurate automatically. In cloud environments where IPs change constantly, tags are the only scalable approach.

Quick check · Q2 of 10 · Apply

A new database server just received the 'Linux-Prod' asset tag. Which patch job configuration automatically includes it in future deployments?

Correct: c. Dynamic asset tags in Qualys mean the job target updates automatically as assets gain or lose the tag. A new server tagged 'Linux-Prod' is included in the next scheduled job run without any change to the job itself.
👉 So far: A patch job = patch selection + dynamic asset tags + schedule/window + reboot policy + rollback. Target with tags, not IP lists.

③ Deployment rings and zero-touch patching

Deployment rings let you stage a patch rollout in waves rather than pushing to your entire estate at once. Ring 1 (the pilot ring) targets a small group of representative assets — typically a handful of test machines or a low-criticality department. After a soak period and a pass/fail check, Ring 2 expands to a broader group, then Ring 3 rolls out to the full production estate. If a patch causes an issue in Ring 1, you halt before the damage spreads.

Zero-touch patching goes one step further: it removes the human trigger entirely. You create a zero-touch patch job linked to Qualys Prioritization report criteria (e.g. 'any Critical severity vulnerability with an active exploit in the wild'). As soon as Qualys detects a new patch that matches the criteria for a current or future vulnerability, the job fires automatically — no one has to log in and click Deploy. This is especially valuable for fast-moving threats such as zero-day exploits, where the speed of patching directly limits exposure.

In practice, organisations combine both: a zero-touch job targets Ring 1 immediately, then a scheduled job promotes the same patch to Ring 2 and Ring 3 after the soak period passes clean.
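The trigger-and-promote logic described in this section, modelled offline as an added example (this is not Qualys code and does not call the Qualys API). It assumes a constructed inventory where scope and ring membership are asset tags, a zero-touch criterion of "Critical severity with an active exploit", and stand-in `install`/`rescan` callbacks in place of the Cloud Agent and the VMDR verification scan; CVE-2026-XXXX and KB-PLACEHOLDER are placeholders, not real identifiers. It also shows the tag-targeting point from section ②: a newly tagged asset falls into Ring 1 on the next run without editing the job.

```python
"""Deployment rings with a zero-touch trigger, modelled offline.

Added example for this lesson, not Qualys code and not the Qualys API: it models
the decision logic the text describes (criteria-driven trigger, tag-based
targeting, promotion after a clean ring, halt on a Ring 1 failure) over a
constructed inventory so it runs anywhere. CVE-2026-XXXX and KB-PLACEHOLDER are
placeholders, not real identifiers.
"""
from dataclasses import dataclass

# Constructed inventory. Ring membership and scope are tags, not IP lists, so a
# rebuilt host with a new address still lands in the right ring.
ASSETS = [
    {"id": "db-01",  "ip": "10.0.1.5",  "tags": {"Linux-Prod", "Ring1"}},
    {"id": "db-02",  "ip": "10.0.1.6",  "tags": {"Linux-Prod", "Ring1"}},
    {"id": "app-01", "ip": "10.0.2.10", "tags": {"Linux-Prod", "Ring2"}},
    {"id": "app-02", "ip": "10.0.2.11", "tags": {"Linux-Prod", "Ring2"}},
    {"id": "web-01", "ip": "10.0.3.20", "tags": {"Linux-Prod", "Ring3"}},
    {"id": "web-02", "ip": "10.0.3.21", "tags": {"Linux-Prod", "Ring3"}},
    {"id": "lab-01", "ip": "10.9.0.2",  "tags": {"Linux-Lab"}},  # out of scope
]
RING_ORDER = ["Ring1", "Ring2", "Ring3"]


@dataclass
class Finding:
    cve: str
    severity: str
    active_exploit: bool
    patch_id: str  # the correlated patch, as VMDR would show it


def matches_zero_touch(f: Finding, severity: str = "Critical",
                       require_exploit: bool = True) -> bool:
    """Zero-touch criteria from the lesson: Critical severity with an active exploit."""
    return f.severity == severity and (f.active_exploit or not require_exploit)


def targets(assets, scope_tag: str, ring_tag: str) -> list:
    """Dynamic targeting: every asset carrying both the scope tag and the ring tag."""
    return sorted(a["id"] for a in assets if {scope_tag, ring_tag} <= a["tags"])


def run_rings(assets, scope_tag: str, install, rescan) -> list:
    """Walk the rings in order; stop after the first ring with a failed verification.

    `install(asset_id)` and `rescan(asset_id) -> bool` are constructed stand-ins
    for the Cloud Agent install step and the VMDR verification scan.
    """
    log = []
    for ring in RING_ORDER:
        ids = targets(assets, scope_tag, ring)
        for asset_id in ids:
            install(asset_id)
        failed = [asset_id for asset_id in ids if not rescan(asset_id)]
        log.append({"ring": ring, "targets": ids, "failed": failed})
        if failed:
            break  # halt downstream rings; rollback and diagnosis happen here
    return log


def simulate(finding: Finding, assets=ASSETS, broken=frozenset()) -> dict:
    """Fire the job only if the finding meets the zero-touch criteria, then walk the rings.

    `broken` is a constructed set of asset ids on which the patch installs but the
    CVE still shows on re-scan (the suppressed-reboot case from the lesson).
    """
    if not matches_zero_touch(finding):
        return {"fired": False, "rings": []}
    patched = set()

    def install(asset_id):
        patched.add(asset_id)

    def rescan(asset_id):
        return asset_id in patched and asset_id not in broken

    return {"fired": True, "rings": run_rings(assets, "Linux-Prod", install, rescan)}


if __name__ == "__main__":
    crit = Finding("CVE-2026-XXXX", "Critical", True, "KB-PLACEHOLDER")
    for ring in simulate(crit)["rings"]:
        print(ring)
    print(simulate(crit, broken={"db-02"})["rings"])
```

Run it as a script to see the clean path reach Ring 3, then the halted path stop after Ring 1 with `db-02` listed as failed. The halt is deliberate: nothing promotes to Ring 2 until the Ring 1 failure has been rolled back or explained, which is the point the next section makes about never skipping the pilot ring.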

Figure 3 — Deployment ring rollout: Ring 1, Pilot (5–10 test assets, soak 24–48h) → Ring 2, Broad (department or region) → Ring 3, Full (entire production estate) → Verify (VMDR re-scan closes CVEs).
Rings limit blast radius — a bad patch fails in Ring 1 before it reaches the full estate.
Skipping Ring 1 'because it is just a Critical patch'

Zero-touch and Critical severity both increase urgency — but never justify skipping a pilot ring. A patch that cures a CVSS 9.8 vulnerability can still crash a specific Java runtime or break a custom service. Ring 1 soak exists precisely because urgency and safety are independent dimensions.

▶ Watch a Critical CVE get patched end-to-end

Follow one CVE from VMDR detection to verified closure along the healthy path.

① Detect: the VMDR scanner finds CVE-2026-XXXX on a Windows server. TruRisk scores it Critical. The correlated KB patch appears instantly in the dashboard.
② Deploy job: a zero-touch patch job fires automatically on Ring 1 (10 pilot assets). The Qualys Cloud Agent downloads the KB patch and installs it within the approved maintenance window.
③ Verify ring: VMDR re-scans Ring 1 after the job completes. All 10 CVE findings are closed. The job promotes automatically to Ring 2 and Ring 3.
④ Close audit: Ring 3 completes. All 840 CVE findings are closed in VMDR. The audit trail shows CVE detected, patch correlated, deployed, verified — timestamped throughout.
Quick check · Q3 of 10 · Analyze

Your zero-touch patch job triggers on Ring 1 assets and the patch causes a service crash. What is the correct next step?

Correct: a. The whole point of Ring 1 is to catch failures before they reach the full estate. Halt downstream rings, use rollback on Ring 1 if the patch supports it, diagnose the regression, then re-deploy when a safe version or workaround is confirmed.
👉 So far: Deployment rings limit blast radius (Ring 1 pilot → Ring 2 broad → Ring 3 full). Zero-touch patching triggers job creation automatically when a qualifying patch is released.

④ CVE-to-patch correlation — tracing the full remediation path

The intelligence that makes integrated patching work is Qualys patch correlation: for every detected CVE, the platform identifies the specific Microsoft, Linux, or third-party patch (by KB number, package version or advisory ID) that closes it. This mapping is maintained in the Qualys Knowledge Base and updated as vendors release new patches — so when a new CVE drops, the correlated patch appears in VMDR within hours of the vendor advisory.

From the VMDR dashboard, an analyst can click a vulnerability finding, see the correlated patch, inspect which assets are missing it, and launch a patch job — all without leaving the screen. The AI Patch Reliability Score (introduced in early 2026) adds another layer: it predicts the likelihood a patch will cause a regression in your environment so you can flag risky patches for extra ring testing before rolling out broadly.

After deployment, VMDR triggers a verification scan. If the CVE finding disappears, the patch job is marked Success and the audit record is closed. If the CVE persists, the job is marked Failed and the asset stays in the remediation queue with an alert for the team. This closed-loop model — detect, correlate, deploy, verify — is what separates VMDR from bolt-on patching tools.

Figure 4 — Scheduled job vs zero-touch job
Scheduled job: human chooses the patch · set date/time/window · manual trigger or recurring · best for planned maintenance.
Zero-touch job: criteria-driven auto-trigger · fires when a qualifying patch appears · no manual step needed · best for critical / zero-day.
Scheduled jobs give control; zero-touch jobs give speed — use both together with rings.

Vikram at a Pune fintech firm faces this

A Critical CVE for a widely-used Windows library appears on 840 assets. The IT team is waiting for a change-approval ticket before they will touch anything, so estimated patching time is two weeks.

Likely cause

The vulnerability and patching workflows are siloed: Security raises a ticket in a separate tool, IT manually identifies the patch, and change-approval adds days of delay.

Diagnosis

VMDR already correlates the CVE to its patch and knows all 840 affected assets. No manual lookup is needed. The delay is process, not technical.

VMDR Dashboard ▸ Vulnerabilities ▸ Affected Assets ▸ Remediate ▸ Create Patch Job
Fix

Create a zero-touch patch job pre-scoped to a Ring 1 pilot of 20 assets with a 24-hour soak window, then auto-promote to Ring 2 (250 assets) and Ring 3 (full 840) on a clean pass. Total automated elapsed time: under 72 hours for full coverage.

Verify

VMDR re-scans after each ring completes — CVE findings disappear from all 840 assets; the audit trail shows CVE closed, patch deployed, no regressions reported in Ring 1.

Confirm the CVE is closed in VMDR, not just the job

A patch job marked 'Success' means the installer returned exit code 0 — it does not guarantee the vulnerability is gone. Qualys triggers a re-scan post-job. Check the VMDR dashboard: if the CVE finding still shows on an asset after the re-scan, the patch did not fully remediate it and needs investigation.
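The check this box describes, written out as an added example (not Qualys code and not the Qualys API): reconcile a patch job's per-asset status with what the verification scan still reports. Both inputs are constructed exports; CVE-2026-XXXX is a placeholder. Assets where the installer returned Success but the CVE is still open are listed, with the suppressed-reboot case separated from the ones that need investigation.

```python
"""Reconcile patch-job status with the post-job verification scan.

Added example for this lesson, not Qualys code and not the Qualys API. The two
inputs are constructed exports: per-asset job results and the set of CVEs still
open on each asset after VMDR's re-scan. The function lists every asset where the
installer reported Success but the CVE is still detected, and separates the
reboot-pending case from the ones that need investigation. CVE-2026-XXXX is a
placeholder.
"""

CVE = "CVE-2026-XXXX"

# Constructed per-asset job results (what the job status view would show).
JOB_RESULTS = [
    {"asset": "srv-01", "status": "Success", "exit_code": 0,    "reboot_pending": False},
    {"asset": "srv-02", "status": "Success", "exit_code": 0,    "reboot_pending": False},
    {"asset": "srv-03", "status": "Success", "exit_code": 0,    "reboot_pending": True},
    {"asset": "srv-04", "status": "Success", "exit_code": 0,    "reboot_pending": False},
    {"asset": "srv-05", "status": "Failed",  "exit_code": 1603, "reboot_pending": False},
    {"asset": "srv-06", "status": "Success", "exit_code": 0,    "reboot_pending": False},
]

# Constructed verification-scan output: CVEs still open per asset after the re-scan.
OPEN_AFTER_RESCAN = {
    "srv-03": {CVE},
    "srv-04": {CVE},
    "srv-05": {CVE},
}


def reconcile(cve: str, job_results: list, open_findings: dict) -> dict:
    """Compare what the job claims with what the scanner sees.

    Returns counts plus a list of mismatches: assets whose job status is Success
    while the CVE is still open. A Failed job with the CVE still open is the
    expected outcome and is counted, not flagged.
    """
    job_success = 0
    cve_closed = 0
    mismatches = []
    for r in job_results:
        still_open = cve in open_findings.get(r["asset"], set())
        if not still_open:
            cve_closed += 1
        if r["status"] == "Success":
            job_success += 1
            if still_open:
                if r["reboot_pending"]:
                    reason = "reboot pending: fix not active until the asset restarts"
                else:
                    reason = "installer returned 0 but CVE persists: investigate"
                mismatches.append({"asset": r["asset"], "reason": reason})
    return {"job_success": job_success, "cve_closed": cve_closed,
            "mismatches": mismatches}


def remediation_complete(cve: str, job_results: list, open_findings: dict) -> bool:
    """The definitive check: every targeted asset no longer shows the CVE."""
    return all(cve not in open_findings.get(r["asset"], set()) for r in job_results)


if __name__ == "__main__":
    report = reconcile(CVE, JOB_RESULTS, OPEN_AFTER_RESCAN)
    print(f"job success: {report['job_success']}  CVE closed: {report['cve_closed']}")
    for m in report["mismatches"]:
        print(m["asset"], m["reason"])
    print("complete:", remediation_complete(CVE, JOB_RESULTS, OPEN_AFTER_RESCAN))
```

On the constructed data the job reports five successes but the scan shows only three assets clean: `srv-03` is waiting on a reboot and `srv-04` needs investigation, while `srv-05` failed outright and is already in the remediation queue. `remediation_complete` is the number to report, not the job's success count.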

Quick check · Q4 of 10 · Remember

What does the Qualys AI Patch Reliability Score (2026) predict?

Correct: d. The AI Patch Reliability Score, introduced in early 2026, uses AI to predict the likelihood a patch causes a breakage in your environment — letting you flag risky patches for extra ring testing before broad rollout.
👉 So far: Patch correlation maps every CVE to its fix. After deployment, VMDR re-scans to verify — a 'job success' is not the same as 'CVE closed'. Always check the finding.


📝 Wrap-up assessment — six more


Q5 · Remember

What does Qualys patch correlation map each CVE to?

Correct: b. Patch correlation in the Qualys Knowledge Base maps every CVE to the specific Microsoft KB number, Linux package update, or third-party advisory that fixes it, so VMDR can recommend the right patch without manual research.
Q6 · Understand

Which statement best describes a zero-touch patch job?

Correct: a. Zero-touch patching is criteria-driven automation: you define conditions (e.g. Critical CVE with active exploit) and Qualys fires the patch job the moment a qualifying patch is available — no login, no click required.
Q7 · Apply

You need to patch 1,200 Linux servers but want to limit risk. What is the best approach?

Correct: c. Deployment rings limit blast radius. A pilot of 20 validates the patch safely; if Ring 1 passes, Ring 2 and Ring 3 roll out with confidence. Patching all at once risks a bad patch crashing the full fleet simultaneously.
Q8 · Analyze

A patch job shows 'Success' on all 50 assets, but the CVE finding is still open on 6 of them in VMDR. What is the most likely reason?

Correct: b. A common cause is a suppressed reboot: the patch installer reports success (exit code 0) but the fix does not take effect until the system restarts. VMDR re-scans after the job and still detects the CVE until the reboot happens. Always check reboot policy when job success and CVE status disagree.
Q9 · Evaluate

An interviewer asks: 'How does Qualys VMDR reduce mean-time-to-remediate?' Best answer?

Correct: a. VMDR reduces MTTR by integrating the full detect-correlate-deploy-verify loop in one platform. No CSV export, no lost risk context, no manual lookup — the patch job is one click from the vulnerability finding, and VMDR verifies closure automatically.
Q10 · Evaluate

The AI Patch Reliability Score in Qualys (2026) is most useful for which decision?

Correct: d. The AI Patch Reliability Score predicts the probability a patch causes a regression in your specific environment. A high-risk score is a signal to soak longer in Ring 1 or run extra pre-deployment testing before promoting to the full estate — exactly the kind of decision that prevents a patch causing more downtime than the original vulnerability.

🧠 In your own words

Type one line: what is the difference between a scheduled patch job and a zero-touch patch job, and when would you use each? Then compare with the expert version.

Expert version: A scheduled patch job deploys patches at a pre-set time to a target group — you choose which patches, when they run, and which assets receive them. A zero-touch patch job removes the human trigger: you define criteria (e.g. Critical CVEs with active exploits) and Qualys fires the job automatically the moment a qualifying patch is released. Use scheduled jobs for planned maintenance cycles and lower-urgency patches; use zero-touch for fast-moving threats like zero-days where every hour of exposure matters. In practice, combine both: zero-touch fires on Ring 1 immediately, then a scheduled job promotes the same patch to Ring 2 and Ring 3 after the soak period.


📖 Glossary

Patch Job
A scheduled or on-demand Qualys task that deploys one or more patches to a target asset group via the Cloud Agent, with controls for patch window, reboot behaviour and rollback.
Zero-Touch Patching
An automated patch job that triggers without human intervention the moment a qualifying patch is released, based on criteria defined in a Prioritization report (e.g. Critical CVE with active exploit).
Deployment Ring
A staged rollout wave (Ring 1 pilot, Ring 2 broad, Ring 3 full estate) used to limit the blast radius of a bad patch before it reaches all production assets.
Patch Correlation
The Qualys Knowledge Base mapping that links every CVE to the specific patch (Microsoft KB, Linux package or third-party advisory) that closes it.
Asset Tag
A dynamic label in Qualys that groups assets by OS, cloud provider, business unit or any attribute — used to target patch jobs without hardcoding IP lists.
AI Patch Reliability Score
A Qualys AI feature (2026) that predicts the probability a specific patch will cause a regression in your environment before you deploy it, helping prioritise extra ring testing.
Patch Window
A time-of-day or day-of-week restriction on a patch job that ensures patches only install during an approved maintenance window, protecting critical services from unplanned downtime.
Verification Scan
An automatic VMDR re-scan triggered after a patch job completes to confirm whether the CVE finding is closed on each targeted asset — the definitive proof of remediation.


What's next?

Got patching down? Next, go deep on Qualys TruRisk scoring — how VMDR calculates asset risk from CVSS, threat intel, exploit maturity and business criticality — and why the default CVSS score is rarely the right priority signal.