Stop chasing patch status across every console you own.
PatchMon Cloud gives in-house IT teams one managed dashboard for Linux, Windows, and FreeBSD patch state, with CIS compliance scans built in. Start a free trial, install the agent on your first host, and see every box in one place.
Why internal IT teams choose PatchMon
Most patch tooling either assumes a single Windows fleet or is priced for MSPs billing multiple clients. PatchMon is built for one organisation running a real mixed estate.
One dashboard, every OS
See every host's patch status, OS, and pending updates across Linux, Windows, and FreeBSD in a single pane.
Cloud you can trust
PatchMon Cloud runs on isolated per-customer storage with automated backups. No shared multi-tenant database, no vendor fishing through your inventory.
Alerts that reach you first
Slack, Discord, email, and ntfy alerts fire the moment a host breaches your patch threshold, not days later.
Patch-age thresholds per environment
Set different thresholds for production, staging, and desktop fleets. A single rule set rarely fits every tier.
CIS benchmarks built in
Run OpenSCAP CIS scans and Docker Bench checks from the same dashboard. Export the results as your quarterly compliance evidence.
Managed service, predictable pricing
Run it on PatchMon Cloud and we handle uptime, upgrades, and backups. Scale from a pilot to the full estate without changing tools.
The state of patch visibility in most IT teams
Patch state lives in at least four places. Linux servers report through whatever the distro ships: unattended-upgrades logs, dnf-automatic, or nothing at all. Windows desktops and servers feed into Microsoft native tooling. Containers drift inside Kubernetes and Docker hosts. macOS laptops sit on MDM. Nobody has a single view across all of them.
When a CVE drops on a Friday, the on-call engineer logs into five consoles, exports four CSVs, and starts a spreadsheet. Compliance reporting is the same exercise, quarterly, with a different deadline. Everybody knows it is broken; the reason it stays broken is that every tool that claims to fix it assumes an MSP billing model and treats Linux as a bolt-on.
PatchMon exists for the team on the other side of that problem: a small-to-midsized IT group running a mixed estate for one organisation, who need one dashboard, one alerting pipeline, and one compliance report, with transparent per-host pricing.
What you get out of the box
Pick the tier that matches what your team needs: Starter for core monitoring, Plus for patch automation and Docker monitoring, Max for browser SSH/RDP, compliance scanning, and the BYO-AI terminal assistant. Transparent per-host pricing, no minimums, no contracts on monthly plans. See the full tier comparison on the pricing page.
- APT, DNF, YUM, APK, and Pacman package managers on Linux
- Windows Update Agent integration for patch state visibility (Windows deploy on roadmap)
- FreeBSD pkg package visibility with the same agent binary
- OIDC single sign-on (Authentik, Keycloak, Okta, Azure AD, Google)
- Role-based access control so desk-side staff do not get server access
- OpenSCAP CIS benchmark scans scheduled per host group
- Docker Bench compliance for any containerised workloads you run
- SSH and RDP through the browser via Guacamole, audit-logged
- Webhook, email, Slack, Discord, and ntfy notifications
- Full REST API and documented agent protocol for automation
Why not just buy an RMM?
Most RMM tools (Datto, NinjaOne, Atera, ConnectWise) are built for MSPs billing multiple clients. Internal IT teams buying those products pay for multi-client complexity they will never use, and get Linux coverage that was added after the fact. Pricing is per host per month with no transparent tier structure.
PatchMon takes a different angle. Transparent per-host Cloud pricing from $1/host/month, Linux first-class parity, FreeBSD supported through the same agent, and Windows patch state visibility (deployment on the roadmap). The managed service includes upgrades, backups, and isolated storage, so you get the dashboard without babysitting another stack.
How an internal IT team rolls it out
A typical deployment moves from zero to full-fleet visibility in a working day. Most of the time is agent rollout, not platform setup.
Start your Cloud trial
Sign up for a free trial on PatchMon Cloud. Your instance is provisioned automatically, so there is no infrastructure to stand up or firewalls to open.
Install the agent on your first host
One-line curl or PowerShell install. The Go agent runs on every major Linux distro, plus Windows and FreeBSD, reporting outbound over WebSocket.
Review your patch landscape
The dashboard surfaces pending patches, patch-age thresholds, CIS compliance status, and Docker state across every host. Wire in OIDC SSO so the whole team logs in with existing credentials.
Approve and roll out
Define patch-age thresholds per environment, set maintenance windows, and use approval workflows and the full audit trail to satisfy change management.
Internal IT FAQ
Does PatchMon work with Active Directory or our existing SSO?
Yes. PatchMon supports OIDC single sign-on with any standards-compliant identity provider, including Authentik, Keycloak, Okta, Azure AD, and Google Workspace. Role and group mappings are configured per identity provider, so your existing AD groups can map directly to PatchMon roles without duplicating user management.
How quickly can we be up and running?
Cloud trial signup takes a couple of minutes, your instance is provisioned automatically, and you can have your first host reporting within the hour. A typical internal IT team rolls agents out to the whole estate inside a single working day.
How does PatchMon compare to Datto RMM, NinjaOne, or Automox?
Those tools are built primarily for MSPs billing multiple clients, with Linux support that is often an afterthought. PatchMon is designed for teams that treat Linux, Windows, and BSD as first-class. Cloud pricing is transparent per-host, starting at $1/host/month, with volume discounts for larger fleets.
What does the agent footprint look like on each host?
The Go agent is a single static binary with a resident memory ceiling around 100MB and two reserved CPU threads. It connects outbound over WebSocket, so no inbound firewall rules are needed on monitored hosts. Reporting intervals are configurable, and the agent runs as a systemd, launchd, or Windows service.
Do you support restricted-egress networks?
Yes. Agents connect outbound over a single WebSocket to your Cloud instance, so you control the one hostname and port that need to be allowed through the firewall. No inbound rules, no listening ports on monitored hosts.
Book a demo
15-minute call, no sales pitch. We'll show you the dashboard and agent deployment, and answer your questions.
Book directly at cal.com/9-technology-group/patchmon-demo.
Ready to see every host in one place?
Start a free PatchMon Cloud trial. No infrastructure to provision, no credit card required to kick the tyres.