# Stop Patching at Human Speed: Peer-to-Peer (P2P) Distribution Closes the Remediation Gap Before Attackers Strike

* * *

#### Executive Summary

_Knowing what’s exploitable is only half the battle. P2P patch distribution turns your endpoints into a delivery network, cutting patch propagation by up to 92%, reducing WAN bandwidth by 99%+, and helping close critical vulnerabilities before attackers can move. Available now in Qualys Cloud Agent for Windows 6.5._

* * *

## The Remediation Gap is Widening

Analysis of more than **one billion CISA Known Exploited Vulnerabilities (KEV) remediation records** reveals a sobering reality for defenders: organizations are closing significantly more tickets than just a few years ago, yet the gap between identifying risk and eliminating it keeps growing.

* **88%** of weaponized vulnerabilities are remediated more slowly than they are exploited
* **63%** of critical vulnerabilities remain unpatched after 7 days
* **6.5×** more tickets closed than a few years ago, yet exposure windows keep growing

The conclusion is unavoidable. The limits of human‑scale security have been reached.

While organizations have improved visibility and prioritization, remediation speed has not kept pace. The gap between identifying risk and eliminating it continues to widen, creating extended windows of exposure that attackers increasingly exploit with speed and automation. In today’s environment, vulnerability management is no longer just about visibility or ranking findings. Frameworks like **TruRisk** enable organizations to clearly identify the exposures that matter most. But prioritization alone does not reduce risk. How quickly vulnerabilities are remediated determines whether risk is reduced or realized.

* * *

**Join us on July 1 at 9 am Pacific to discover how Peer-to-Peer (P2P) patch distribution revolutionizes patch delivery into a scalable, self-optimizing system.**

Register Now

* * *

## When Prioritization Outpaces Execution

Patch management has become one of the most operationally challenging aspects of modern security programs. As environments expand across hybrid cloud, remote offices, and globally distributed endpoints, patch delivery becomes increasingly complex.

Even when organizations know exactly which vulnerabilities must be addressed first, several systemic challenges slow remediation.

Traditional patch distribution models rely heavily on centralized infrastructure such as CDNs. While effective in theory, these models create inefficiencies in enterprise patching workflows. Each endpoint retrieves patch artifacts independently, resulting in repeated downloads of identical content across thousands or tens of thousands of systems.

![](https://blog.qualys.com/wp-content/uploads/2026/06/Patch_Management__Windows-scaled.png)

The impact is twofold:

* **Network strain**, particularly during coordinated patch cycles
* **Extended remediation timelines**, especially for endpoints far from centralized infrastructure

The result is a familiar pattern: TruRisk identifies which vulnerabilities matter most, but infrastructure bottlenecks delay patch delivery, leaving high‑risk exposures exploitable for longer than necessary.

## **Patch Tuesday Reality Check: Why Distribution Speed Matters**

Even when organizations prioritize correctly, execution bottlenecks quickly become visible during large patch cycles like Patch Tuesday. Here’s what Patch Tuesday costs your network team.

**Scenario:** A typical enterprise deploying a ~5 GB cumulative Windows update (e.g., recent updates such as KB5089549) across 1,000 endpoints highlights the fundamental limitation of traditional patch distribution models.

#### Traditional CDN Model: Linear and Expensive

In a centralized model, every endpoint independently downloads the same patch:

* **~5 TB of external bandwidth consumed** (5 GB × 1,000 endpoints)
* Significant WAN/Internet spikes during patch windows
* Congestion across office locations and remote sites
* Slower remediation, especially for distributed environments

This model scales _linearly with endpoints_; the larger the environment, the greater the delay and network strain.

![](https://blog.qualys.com/wp-content/uploads/2026/06/patch-example.png)

#### Peer-to-Peer (P2P) Model: Efficient and Scalable

With P2P distribution, only a small number of endpoints initially pull from the cloud:

* **~20–50 GB total external bandwidth consumed**
* Remaining endpoints retrieve content locally over LAN
* Parallel, multi-peer distribution accelerates propagation
* **99%+ reduction in external bandwidth usage**



Once patch content enters the environment, it spreads organically, eliminating redundant downloads and dramatically improving speed.

## **Proven Performance Gains in Real-World Environments**

Recent performance testing highlights the tangible impact Peer-to-Peer (P2P) distribution can have on large patch deployments.

In a controlled environment distributing an **~8 GB feature update**, the first endpoint retrieved the patch from the cloud, acting as the initial seed. Subsequent endpoints leveraged peer-to-peer sharing to download the same content from within the network.

### **Download Performance Comparison**

Attackers exploit in hours. Traditional patch delivery takes days. P2P changes that math.

**Endpoint Role**| **Download Source**| **Time to Download**| **Speed Improvement vs CDN**
---|---|---|---
Initial Endpoint| CDN| 1h 31m 38s| Baseline
Peer Endpoint #1| Peer| 8m 57s| ~10× faster
Multi-Peer Endpoint| Multiple Peers| 3m 33s| ~25× faster

### **What This Shows**

* **Up to 92% faster download times** compared to traditional CDN-based delivery
* **Up to 25× faster patch delivery** as additional peers participate
* **75% reduction in external bandwidth usage**, with only a single initial download from the internet

As more endpoints join the patch job, distribution performance improves progressively. Instead of repeatedly pulling the same content from external sources, endpoints reuse and share patch data locally, enabling **parallel, multi-source downloads** that dramatically accelerate propagation.

This real-world pattern reinforces a key advantage of P2P. **Performance scales with participation.** The more endpoints involved, the faster patches spread across the environment without increasing strain on WAN or internet links.

## **A New Distribution Model: Peer-to-Peer (P2P)**

What if your endpoints could patch each other? With P2P in Qualys Cloud Agent, they can. Peer-to-Peer (P2P) patch distribution, available in Qualys Cloud Agent for Windows 6.5, changes how patch artifacts are distributed across enterprise environments.

Instead of relying exclusively on centralized downloads, P2P enables Cloud Agent endpoints to act as both consumers and distributors of patch content. Once a system downloads a patch, it becomes a source for nearby systems, allowing endpoints within the network to participate in patch distribution.

### How It Works

Peer-to-peer patch distribution allows endpoints to **reuse patches already in your network**, rather than repeatedly pulling the same content from the internet.

**Here’s what happens during a patch job:**

1. **The Network Learns (First endpoint seeds the local cache)**
When the patch job starts, Host 1 checks whether any nearby peers already have the patch. No peer has it yet, so Host 1 downloads the patch from the internet and stores it in its local peer cache.
2. **Reuse Replaces Re-download**
When Host 2 needs the same patch, it checks for peers first, sees that Host 1 already has the patch, and downloads it directly from Host 1 rather than over the internet.
3. **Parallel Delivery Kicks In**
As more systems join, Host 3 can pull patch data from **multiple peers** (Host 1 and Host 2). Downloads happen in parallel, making delivery even faster. Each host also contributes back to the shared peer cache.

![](https://blog.qualys.com/wp-content/uploads/2026/06/dia.png)

**What this means in practice:**

* Only the **first few systems** need to download from the internet
* Every system after that **reuses local copies**
* Patches spread quickly across the environment without overloading the network



## P2P Configuration: Simple, Centralized Control

Peer-to-peer patch distribution is designed to be easy to deploy and manage at scale through the **Qualys Cloud Agent Configuration Profile**. Instead of requiring manual setup on individual systems, administrators can enable and control P2P behavior centrally with just a few settings.

At the core is a simple **toggle** that **enables or disables P2P** per configuration profile, allowing you to selectively roll out the capability across different groups of endpoints. From there, you can fine-tune how much local storage is used for patch sharing by defining the **cache size (10–100 GB)**, ensuring endpoints contribute without overwhelming disk resources. A **retention threshold (2–30 days)** controls how long patches remain available for sharing, balancing reuse with storage efficiency.

![](https://blog.qualys.com/wp-content/uploads/2026/06/Cloud_Agent__Create_Configuration-scaled.png)

Network behavior is also fully configurable. The **transport port (default: 4001)** is used for peer-to-peer content sharing, while an **admin port (default: 5001)** handles local coordination between nodes. These settings allow alignment with existing network and security policies without introducing complexity.

The result is a flexible, policy-driven approach that enables, tunes, and scales P2P in minutes, giving organizations full control over how patch content is shared without requiring new infrastructure or operational overhead.

### Security and Trust

P2P patch distribution is designed with security embedded at its core. Every patch artifact is verified using cryptographic Content Identifiers, ensuring that endpoints accept only content whose hash matches a verified hash.

All peer communication occurs within the enterprise‑controlled network boundary, such as the local area network (LAN). Endpoints do not connect to arbitrary external peers, and all participating systems are authenticated and managed by the Cloud Agent.

This model preserves enterprise‑grade trust while delivering the speed and resilience required for modern remediation.
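The peer-first, chunked fetch from "How It Works" and the hash check from this section, as an added Python model that is not Qualys code: it assumes a SHA-256 digest stands in for the Content Identifier, a dict stands in for the cloud source, and a deliberately corrupted peer copy (constructed) shows what the check rejects.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

CHUNK = 4                    # bytes per chunk, tiny so the sample stays small
PATCH = bytes(range(64))     # constructed 64-byte stand-in for a patch file

def cid(data: bytes) -> str:
    """Content identifier, modelled here as the SHA-256 digest of a chunk."""
    return hashlib.sha256(data).hexdigest()

class Host:
    """One agent endpoint: a local peer cache plus traffic counters."""
    def __init__(self, cloud: dict):
        self.cloud = cloud     # cid -> bytes: the trusted internet source
        self.cache = {}        # cid -> bytes: what this host serves to LAN peers
        self.external_bytes = self.lan_bytes = self.rejected = 0

    def fetch(self, manifest: list, peers: list) -> bytes:
        """Pull every chunk in the manifest, peers first, cloud as fallback."""
        def get_chunk(item):
            idx, c = item
            holders = [p for p in peers if c in p.cache]
            k = idx % len(holders) if holders else 0   # rotate start peer per chunk
            rejected = 0
            for p in holders[k:] + holders[:k]:
                data = p.cache[c]
                if cid(data) == c:                     # accept only a matching hash
                    return c, data, "peer", rejected
                rejected += 1                          # bad copy: try the next peer
            return c, self.cloud[c], "cloud", rejected
        with ThreadPoolExecutor() as pool:             # parallel multi-peer download
            results = list(pool.map(get_chunk, enumerate(manifest)))
        for c, data, source, rejected in results:      # tally on the main thread
            self.cache[c] = data
            self.rejected += rejected
            if source == "peer":
                self.lan_bytes += len(data)
            else:
                self.external_bytes += len(data)
        return b"".join(self.cache[c] for c in manifest)

def run_patch_job(patch: bytes, n_hosts: int, corrupt_host: int = 0) -> list:
    """Host 1 seeds from the cloud; later hosts reuse earlier caches. corrupt_host
    (1-based, 0 = none) gets one cached chunk overwritten after its own download."""
    chunks = [patch[i:i + CHUNK] for i in range(0, len(patch), CHUNK)]
    cloud = {cid(ch): ch for ch in chunks}
    manifest = [cid(ch) for ch in chunks]   # CIDs come from the cloud, never from peers
    hosts = []
    for n in range(1, n_hosts + 1):
        h = Host(cloud)
        if h.fetch(manifest, hosts) != patch:
            raise ValueError(f"host {n}: reassembled patch does not match")
        if n == corrupt_host:
            h.cache[manifest[1]] = b"XXXX"  # constructed fault: a tampered peer copy
        hosts.append(h)
    return hosts
```

With four hosts the tally is one internet download against three LAN downloads, the single-seed pattern the test results above describe; the corrupted chunk on Host 2 is refused and pulled from another peer, so it never reaches a reassembled patch.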

## Connecting P2P to TruRisk Eliminate™

TruRisk™ changed how organizations prioritize vulnerability management by focusing attention on the exposures with the highest business impact. But prioritization only delivers value when it leads to timely remediation.

P2P patch distribution directly accelerates **TruRisk Eliminate™** by removing traditional distribution bottlenecks. Patches propagate organically across the environment, reaching endpoints faster, consuming less bandwidth, and enabling large‑scale remediation without centralized choke points.

The impact is measurable:

* Faster delivery of critical patches
* Reduced time‑to‑remediation for high‑risk vulnerabilities
* Parallel execution across large endpoint populations



In practical terms, vulnerability management shifts from a reactive, infrastructure‑bound process to a self‑optimizing remediation system. Risk is not just identified; it is eliminated faster and more consistently.

### **Key Benefits**

Peer‑to‑Peer patch distribution introduces architectural advantages that directly support risk reduction:

* **99%+ WAN Bandwidth Savings**
Eliminates redundant downloads from the centralized infrastructure.
* **Up to 92% Faster Patch Delivery**
Patch chunks are downloaded simultaneously from multiple peers.
* **Up to 25× Speed with Multi-Peer**
No single point of failure. If one peer is unavailable, others continue distribution.
* **Tamper-Proof Delivery**
Cryptographic CIDs ensure only validated, tamper-proof content is shared.
* **Zero Infrastructure Overhead**
Endpoints automatically discover and optimize sharing within the LAN without manual configuration.
* **Elimination of Redundant Network Traffic**
Once a patch enters a network segment, it can be reused by all systems within it.



## **Peer‑to‑Peer (P2P) vs. Qualys Gateway Service (QGS): When to Use Which**

Peer‑to‑Peer (P2P) patch distribution and Qualys Gateway Service (QGS) both help optimize patch delivery, but they are designed for different operational needs.

QGS centralizes Cloud Agent communications through a secure gateway, providing patch caching, TLS termination, and simplified egress control. It is best suited for organizations that want centralized agent connectivity and predictable traffic flows.

P2P patch distribution focuses on speed and scale of remediation. Once patch content enters the environment, either directly or through QGS, endpoints distribute it locally, reducing internal bottlenecks and accelerating large patch cycles.

In many environments, the two technologies are complementary: QGS provides a controlled entry point for agent communication, while P2P rapidly distributes patches across endpoints within the network.

### Quick Decision Matrix

![](https://blog.qualys.com/wp-content/uploads/2026/06/image-1070x311.png)

### **Rule of Thumb**

The two technologies solve different operational challenges and are often strongest when used together:

* Use QGS for _centralized connectivity and caching_
* Use P2P for _fast, at‑scale patch execution_
* Use both to combine control at the edge with speed inside the network



## **A Shift Toward Faster Risk Elimination**

The combination of TruRisk™ prioritization, autonomous decision-making models, and P2P distribution represents a fundamental shift in vulnerability management.

It is no longer enough to understand risk. Modern security maturity is defined by how quickly and reliably risk can be eliminated at scale.

![](https://blog.qualys.com/wp-content/uploads/2026/06/trurisk-scaled.png)

P2P does not replace existing patching mechanisms. It removes the distribution ceiling that has historically slowed remediation. In a world where attackers operate at machine speed, defenders must do the same.

## **Final Thought**

As attack surfaces expand and exploitation timelines compress, the organizations that succeed will be those that close the gap between prioritization and action.

TruRisk™ tells you what matters. P2P ensures it gets fixed before the window closes.

## **Get the Capability**

Already a Qualys Patch Management customer? Enable P2P distribution today with a single toggle. Contact your TAM to get started.

New to Qualys? **Request a Demo**.

## Frequently Asked Questions

**What is peer-to-peer patch distribution, and how does it work?**

Peer-to-peer (P2P) patch distribution allows Qualys Cloud Agent endpoints to act as both consumers and distributors of patch content. Once a system downloads a patch, it becomes a source for nearby systems within the same network segment. Patch files are split into chunks and downloaded in parallel from multiple peers.

**Is P2P patch distribution secure? How is patch integrity verified?**

Yes. Security is embedded at the core of the P2P model. Every patch artifact is verified using cryptographic Content Identifiers (CIDs), and endpoints accept content only if its hash matches the verified CID. All peer communication occurs within the enterprise-controlled network boundary (LAN). Endpoints do not connect to arbitrary external peers, and all participating systems are authenticated and managed by the Qualys Cloud Agent. This preserves enterprise-grade trust while delivering the speed and resilience of distributed delivery.

**What is the difference between P2P patch distribution and Qualys Gateway Service (QGS)?**

P2P patch distribution and QGS solve different operational problems. QGS centralizes Cloud Agent communications through a secure gateway, providing patch caching, TLS termination for legacy operating systems, and simplified egress control. It supports all Qualys sensor types. P2P focuses on the speed and scale of remediation: once the patch content enters the environment (including via QGS), endpoints distribute it locally to reduce internal bottlenecks and accelerate large patch cycles. The two are complementary and often strongest when deployed together.

**How does P2P patch distribution accelerate TruRisk Eliminate™?**

TruRisk identifies the vulnerabilities with the highest business impact, but prioritization only delivers value when it leads to timely remediation. P2P patch distribution removes the distribution bottlenecks that traditionally slow delivery after prioritization: patches propagate organically across the environment, reaching endpoints faster and enabling parallel execution across large endpoint populations. This closes the gap between knowing what must be fixed and actually fixing it, reducing the time to remediate high-risk vulnerabilities at scale.

**Which systems and versions support P2P patch distribution?**

Peer-to-peer patch distribution is available on Qualys Cloud Agent for Windows 6.5. P2P currently supports agent-managed endpoints; it does not apply to other Qualys sensor types, such as scanners or container sensors (use QGS for those use cases). Endpoints automatically discover and optimize sharing within the local area network without requiring manual configuration.
Published: Jun 3, 2026 at 15:00 (source ID: QUALYSBLOG:CB6AB0F22D373D44641F0A459EDB5DFD)
