SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Qualys adds AI tool to forecast software patch risks

Fri, 13th Mar 2026

Qualys has added an AI-powered Patch Reliability Score to its TruRisk Eliminate product, positioning it as a way for IT and security teams to assess the operational risk of software patches before deployment.

Patching remains a persistent challenge for organisations that need to close critical vulnerabilities quickly without triggering outages or instability. Faulty updates can lead to rollbacks, downtime, and emergency change windows. They can also create new exposure when teams pause patching while restoring services.

The new feature uses AI to estimate how likely a patch is to cause disruption in a specific environment. It produces a reliability score intended to help teams decide whether to deploy immediately or schedule additional testing and a phased rollout.

How scoring works

The reliability engine reviews feedback signals from public internet sources, including technical discussions, release feedback, and indicators of faults that surface once a patch is in the field.

Instead of providing a one-time assessment, the engine starts scoring immediately after release and continues over time. The score updates as new information emerges in the weeks and months after a patch is issued.

Qualys positions the score as a simple decision prompt: a high score suggests greater confidence to deploy sooner, while a low score indicates the need for extra testing, a staged rollout, or a delay in broad deployment.

"Patch rollbacks aren't just inconvenient - they're disruptive. They burn time, trigger outages and create security gaps while teams scramble to stabilize production. And as patch volumes and critical vulnerabilities keep rising, the old approach of 'deploy and hope' or 'test everything forever' doesn't scale," said Eran Livne, Senior Director of Product Management at Qualys.

Why it matters

Operational reliability is becoming a bigger concern as patch frequency rises across operating systems and widely used applications. Many organisations now run weekly or even daily patch cycles across endpoints, servers, cloud workloads, and containers, putting pressure on change management and testing capacity.

Security teams must balance speed with stability. When exploitation is active or a vulnerability is rated highly severe, delaying patches increases exposure. When a patch causes faults, teams can lose time restoring services and may defer other remediation work.

Reliability is also critical for automated patching programmes. Many organisations have expanded automation to cope with scale, but automation increases the blast radius of a problematic update. As a result, tools that flag risk earlier in the process are drawing attention from IT operations and security teams.

Validation examples

Qualys pointed to anonymised telemetry from 2025 to illustrate the prevalence of rollback-prone patches. It cited Ubuntu advisory USN-7545-1 and several Microsoft Windows updates - including KB5065426, KB5063878, KB5055523, and KB5066835 - as among the most frequently rolled back in the dataset.

Qualys linked those rollbacks to connectivity issues and broader system behaviour problems, as well as installation and uninstall complications, deployment failures, and post-deployment faults.

Qualys Research reviewed the patches as part of model validation and said the AI rated them "Low Reliability," aligning with what teams experienced after deployment.

Mitigation approach

Qualys also described a workflow for cases where a critical vulnerability exists but the related patch receives a low reliability score. In those situations, organisations can apply Qualys-curated mitigation techniques as an interim step while teams test further or stage a safer deployment.

This reflects a common industry approach during high-risk periods: compensating controls, configuration changes, or other mitigations can reduce exposure while operations teams work through patch risk. Mitigations of this kind narrow exposure rather than remove the flaw, so each one should be tracked against the vulnerability it covers and retired once the patch is deployed. The approach also acknowledges that some environments - such as industrial systems or tightly controlled production systems - cannot absorb rapid change even when vulnerabilities are serious.
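To make the workflow described under "How scoring works" and "Mitigation approach" concrete, the following is an added example written for this page; it is not Qualys's code and says nothing about how the Patch Reliability Score is actually computed. It models a per-patch reliability estimate that starts from an assumed release-time seed, keeps updating as install and rollback outcomes arrive from each deployment ring, and maps the current estimate plus the vulnerability's urgency to a deploy, stage, mitigate or hold decision. The Beta-Binomial estimator, the one-standard-deviation lower bound, the thresholds, the ring sizes and the rollback counts are all constructed for illustration.

```python
"""Illustrative reliability-gated rollout (added example; not Qualys's algorithm).

Models the idea on this page: a per-patch reliability score that starts
from release-time signals, keeps updating as install/rollback evidence
arrives, and drives a deploy / stage / mitigate / hold decision. The
estimator and thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass
class PatchReliability:
    """Posterior over the probability that an install sticks (no rollback).

    successes/failures are Beta pseudo-counts. They start from an assumed
    release-time seed and grow as deployment outcomes are observed.
    """
    patch_id: str
    successes: float = 30.0  # constructed seed: release-time signals look mostly positive
    failures: float = 1.0

    def observe(self, ok_installs: int, rollbacks: int) -> None:
        """Fold in post-release evidence; call again whenever new data arrives."""
        self.successes += ok_installs
        self.failures += rollbacks

    def mean(self) -> float:
        return self.successes / (self.successes + self.failures)

    def lower_bound(self) -> float:
        """Posterior mean minus one standard deviation, clamped to [0, 1].

        Gating on a lower bound rather than the mean makes a patch with
        little evidence look less reliable than one with many clean installs.
        """
        a, b = self.successes, self.failures
        n = a + b
        std = sqrt(a * b / (n * n * (n + 1)))
        return max(0.0, self.mean() - std)


HIGH = 0.97  # assumed: at or above this, deploy broadly
LOW = 0.90   # assumed: below this, treat the patch as "Low Reliability"


def decide(rel: PatchReliability, critical: bool) -> str:
    """Map the current score and the vulnerability's urgency to an action."""
    score = rel.lower_bound()
    if score >= HIGH:
        return "deploy"
    if score >= LOW:
        return "stage"
    # Low reliability: a critical or actively exploited flaw still needs its
    # exposure reduced, so apply an interim mitigation; otherwise hold.
    return "mitigate" if critical else "hold"


def run_rollout(rel: PatchReliability, ring_outcomes, critical: bool):
    """Promote through rings while the score allows.

    ring_outcomes: per ring, (successful installs, rollbacks) observed after
    deploying to that ring. Returns (final action, rings completed).
    """
    completed = 0
    for ok, rollbacks in ring_outcomes:
        action = decide(rel, critical)
        if action in ("mitigate", "hold"):
            break
        rel.observe(ok, rollbacks)  # re-score after every ring
        completed += 1
    return decide(rel, critical), completed


if __name__ == "__main__":
    # Constructed outcomes for a 3-ring rollout (canary, pilot, broad).
    clean = PatchReliability("patch-A")
    print(run_rollout(clean, [(50, 0), (500, 0), (5000, 0)], critical=True))  # ('deploy', 3)

    # Constructed outcomes for a connectivity-breaking patch: 12% of the canary rolled back.
    flaky = PatchReliability("patch-B")
    print(run_rollout(flaky, [(44, 6), (430, 70), (5000, 0)], critical=True))  # ('mitigate', 1)
```

The canary ring is where the evidence comes from, so the rollout only proceeds into it while the score is at least "stage"; a patch that looks clean at release but draws rollback reports weeks later drops back to "stage" the moment those reports are folded in, which is the continuous re-scoring the article describes.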

Product context

The Patch Reliability Score is part of TruRisk Eliminate within the Qualys platform. Qualys sells cloud-based IT, security, and compliance products, including risk and vulnerability management tools, compliance capabilities, and asset visibility across endpoints, servers, and cloud environments.

The AI-powered Patch Reliability Score is available to TruRisk Eliminate customers on the platform. Organisations not yet using TruRisk Eliminate can request a trial through their Qualys technical account manager.
