Patch management for SaaS platforms running on Linux.
Keep your customers safe by keeping your infrastructure patched. Monitor and deploy Linux and FreeBSD patches across your entire production fleet from a single dashboard, with audit-ready reporting for SOC 2, ISO 27001, and customer security reviews.
The SaaS patch problem
Your product is only as secure as the Linux hosts it runs on. An unpatched CVE in your infrastructure is an unpatched CVE in every customer workload on top of it.
Unpatched CVEs become your customers' breach
When a kernel, OpenSSL, or Docker CVE lands, your customers are exposed through your infrastructure. If you are slow to patch, the incident belongs to your product, not to upstream.
Auditors ask for patch cadence and evidence
SOC 2, ISO 27001, and customer security questionnaires all ask the same two things: how quickly do you patch critical CVEs, and can you prove it? Spreadsheets and ad-hoc shell scripts do not hold up under review.
Ops time spent chasing advisories
Tracking Debian security advisories, Ubuntu USNs, Alpine updates, and kernel CVEs across EC2, Hetzner, DigitalOcean, and bare-metal boxes is not a one-afternoon job. It is a permanent tax on a small ops team.
End-customer trust erodes fast after a public CVE
A week of social-media posts asking whether you patched Heartbleed 2.0 is a week you are not shipping product. Being demonstrably quick to patch turns a crisis into a non-event.
What PatchMon gives a SaaS ops team
Built around Linux heterogeneity, production change windows, and the evidence auditors and security reviewers actually ask for.
Continuous patch monitoring across your whole fleet
APT, DNF, APK, Pacman, and FreeBSD pkg covered by a single agent. Every production host, from Debian on EC2 to Alpine on Hetzner, reports into the same dashboard so nothing falls through the cracks.
Scheduled deployment with approval gates
Patch during your change windows, not during business hours. Define maintenance windows per host group, require approvals before production rollouts, and roll forward in stages with per-group sequencing.
Audit-ready reporting for SOC 2 and ISO 27001
Scheduled reports, full patch history, CVE coverage, and CIS or STIG benchmark scans via OpenSCAP. Answer questionnaires and auditors with exported evidence rather than a fresh shell script.
Docker monitoring for container-heavy stacks
Track container image versions, volumes, and networks alongside host patch state. Container-heavy SaaS stacks get the same visibility as the host fleet, from the same agent.
How a SaaS team rolls it out
Pilot on a small group of hosts, prove the workflow fits your change process, then expand to the whole production fleet.
Sign up for a free Cloud trial
Cloud provisions your instance in a couple of minutes, with isolated storage and managed backups. No infrastructure to stand up on your side.
Install the agent on your production hosts
One-line install covering the major distros (Debian, Ubuntu, Fedora, Rocky, Arch, Alpine) plus FreeBSD. Runs as a systemd unit or a container.
Review your patch and CVE landscape
Dashboards show pending patches, CVE coverage, patch age, and CIS or STIG compliance across the fleet. Identify the hosts that need attention first.
Schedule deployments in your change windows
Define maintenance windows per host group, require approvals for production, and roll forward in stages. Every action lands in the audit trail.
What a SaaS deployment includes
Cloud tiers scale features and support with clear per-host pricing, no hidden fleet-size gates. Pick Starter, Plus, or Max to match the depth you need; compare tiers on the pricing page.
- Package inventory across Debian, Ubuntu, Fedora, Rocky, Arch, Alpine, and FreeBSD
- OpenSCAP compliance scanning with CIS and STIG benchmarks
- Docker container, image, volume, and network monitoring per host
- Scheduled patch deployment with per-group change windows and approval gates
- Full patch history and audit trail exportable for SOC 2 and ISO 27001 evidence
- Role-based access control enforced per API endpoint and UI route
- SSO via OIDC (Authentik, Keycloak, Azure AD, Okta, Google)
- Alerting via Slack, email, PagerDuty, OpsGenie, ntfy, and generic webhooks
- REST API and Swagger docs for CI/CD and CMDB integration
- Lightweight Go agent with a 100 MB memory ceiling and a two-thread CPU cap (GOMAXPROCS=2)
SaaS ops FAQ
What do auditors actually want to see for patch management?
SOC 2 and ISO 27001 auditors look for three things: a documented patch policy, evidence that you meet your own SLAs (for example, critical CVEs patched within 72 hours of disclosure), and a way to prove coverage across the whole fleet rather than a sample of hosts. PatchMon gives you timestamped patch history per host, scheduled reports, and CIS or STIG benchmark scans. Export what you need at audit time rather than reconstructing it from shell history.
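The check an auditor is really asking for is per host, not per CVE: for every host in the fleet, was the critical CVE patched inside the window, patched late, still open, or never recorded at all (the coverage gap). The following is an added example of that check, written for this page and not PatchMon's own code; it runs over constructed sample records (placeholder hostnames and a placeholder CVE identifier) shaped like a timestamped patch-history export, and the 72-hour window and "critical" severity label are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// PatchRecord is one row of timestamped patch history for a host/CVE pair.
// PatchedAt stays zero while the host is still exposed.
type PatchRecord struct {
	Host        string
	CVE         string
	Severity    string
	DisclosedAt time.Time
	PatchedAt   time.Time
}

// SLAResult summarises one critical CVE across the whole fleet.
type SLAResult struct {
	CVE       string
	WithinSLA []string // patched inside the window
	Breached  []string // patched late, or still open after the window elapsed
	Pending   []string // still open, window not yet elapsed
	NoRecord  []string // fleet hosts with no row for this CVE: a coverage gap
}

// SLAReport classifies every fleet host for every critical CVE, so the
// evidence covers hosts that never reported, not just those that did.
// If a host has several rows for one CVE, the last row wins.
func SLAReport(fleet []string, recs []PatchRecord, window time.Duration, now time.Time) []SLAResult {
	byCVE := map[string]map[string]PatchRecord{}
	for _, r := range recs {
		if r.Severity != "critical" {
			continue
		}
		if byCVE[r.CVE] == nil {
			byCVE[r.CVE] = map[string]PatchRecord{}
		}
		byCVE[r.CVE][r.Host] = r
	}
	var out []SLAResult
	for cve, hosts := range byCVE {
		res := SLAResult{CVE: cve}
		for _, h := range fleet {
			r, ok := hosts[h]
			switch {
			case !ok:
				res.NoRecord = append(res.NoRecord, h)
			case r.PatchedAt.IsZero() && now.Sub(r.DisclosedAt) <= window:
				res.Pending = append(res.Pending, h)
			case r.PatchedAt.IsZero():
				res.Breached = append(res.Breached, h)
			case r.PatchedAt.Sub(r.DisclosedAt) <= window:
				res.WithinSLA = append(res.WithinSLA, h)
			default:
				res.Breached = append(res.Breached, h)
			}
		}
		out = append(out, res)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].CVE < out[j].CVE })
	return out
}

// SampleEvidence is constructed sample data standing in for a patch-history
// export; the hostnames and the CVE identifier are placeholders.
func SampleEvidence() (fleet []string, recs []PatchRecord, now time.Time) {
	disclosed := time.Date(2024, 5, 1, 0, 0, 0, 0, time.UTC)
	fleet = []string{"web-1", "web-2", "db-1", "cache-1"}
	recs = []PatchRecord{
		{Host: "web-1", CVE: "CVE-EXAMPLE-0001", Severity: "critical", DisclosedAt: disclosed, PatchedAt: disclosed.Add(20 * time.Hour)},
		{Host: "web-2", CVE: "CVE-EXAMPLE-0001", Severity: "critical", DisclosedAt: disclosed, PatchedAt: disclosed.Add(80 * time.Hour)},
		{Host: "db-1", CVE: "CVE-EXAMPLE-0001", Severity: "critical", DisclosedAt: disclosed}, // still unpatched
		{Host: "web-1", CVE: "CVE-EXAMPLE-0002", Severity: "medium", DisclosedAt: disclosed, PatchedAt: disclosed.Add(10 * time.Hour)},
	}
	// cache-1 has no row at all: the agent is missing or never reported.
	return fleet, recs, disclosed.Add(100 * time.Hour)
}

func main() {
	fleet, recs, now := SampleEvidence()
	for _, r := range SLAReport(fleet, recs, 72*time.Hour, now) {
		fmt.Printf("%s ok=%v breached=%v pending=%v no-record=%v\n",
			r.CVE, r.WithinSLA, r.Breached, r.Pending, r.NoRecord)
	}
}
```

The NoRecord bucket is the one a spreadsheet usually misses: a host that silently dropped out of monitoring looks "fine" in a list of patched hosts, but to an auditor it is an unevidenced host.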
How do change windows work?
You define maintenance windows per host group. A deployment can be queued at any time but executes only inside the next matching window for its group. Production rollouts can also require manual approval before they run, so a staged rollout might start in staging automatically and wait for a human before touching customer-facing hosts.
What happens if a patch breaks something in production?
Every deployment has a full audit trail, including which packages were upgraded on which host at which time. You can roll out in stages (canary a small group first, then widen), pause a rollout mid-flight, and use the per-host history to identify which package upgrade correlated with a regression. PatchMon does not manage filesystem snapshots itself; we recommend pairing with ZFS snapshots or your provider's block-storage snapshots for rollback capability.
Does it cover Docker and Kubernetes workloads?
Yes for Docker. The agent monitors containers, images, volumes, and networks on each host it runs on, so container-heavy stacks get coverage alongside the host fleet. There is no Kubernetes operator today; if you run the agent on the host OS of a Kubernetes node you get host-level visibility, but pod and deployment state sits outside PatchMon's current scope.
Does it work across multiple regions and providers?
Yes. A PatchMon Cloud instance can monitor hosts across any combination of AWS regions, Hetzner DCs, DigitalOcean, GCP, bare-metal providers, or on-premise. Agents connect outbound only, over HTTPS and WebSocket, so no inbound ports need opening on the hosts; as long as each host has egress to the Cloud endpoint you are covered. Many SaaS operators run multi-region fleets against a single PatchMon workspace.
What is the agent's resource footprint on production hosts?
The agent is a single static Go binary with GOGC=50, a 100 MB memory limit set via SetMemoryLimit, and GOMAXPROCS(2). Steady-state usage is well under the ceiling on typical production hosts. Note that SetMemoryLimit is a soft limit: the garbage collector works harder as the heap approaches it but never fails an allocation, so put a cgroup limit on the unit (for example systemd MemoryMax=) if you need a hard cap. No JVM, no Python runtime, no plugin sidecars. Deployable as a systemd unit or a container with a host socket mount.
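How those three knobs are actually applied inside a Go agent, and how to read them back to confirm they took effect, as an added example written for this page (not PatchMon's agent code). The figures are the ones the page quotes; treating them as defaults and the Headroom helper are assumptions of the example.

```go
package main

import (
	"fmt"
	"runtime"
	"runtime/debug"
)

// AgentLimits is the set of runtime bounds an agent applies to itself.
type AgentLimits struct {
	MemoryLimitBytes int64 // soft ceiling handed to the Go GC
	GCPercent        int   // same knob as the GOGC environment variable
	MaxProcs         int   // threads executing Go code concurrently
}

// DefaultLimits uses the figures the page quotes (100 MB, GOGC=50, two
// threads). Assumed defaults for this example, not PatchMon's code.
func DefaultLimits() AgentLimits {
	return AgentLimits{MemoryLimitBytes: 100 << 20, GCPercent: 50, MaxProcs: 2}
}

// Apply installs the limits on the running process and returns what the
// runtime reports afterwards. Programmatic calls take precedence over
// GOGC/GOMEMLIMIT set in the environment.
func Apply(l AgentLimits) AgentLimits {
	debug.SetMemoryLimit(l.MemoryLimitBytes)
	debug.SetGCPercent(l.GCPercent)
	runtime.GOMAXPROCS(l.MaxProcs)
	return Effective()
}

// Effective reads back the current settings without changing them.
// SetMemoryLimit(-1) and GOMAXPROCS(0) are query-only calls; SetGCPercent
// has no query form, so it is set and immediately restored.
func Effective() AgentLimits {
	prev := debug.SetGCPercent(100)
	debug.SetGCPercent(prev)
	return AgentLimits{
		MemoryLimitBytes: debug.SetMemoryLimit(-1),
		GCPercent:        prev,
		MaxProcs:         runtime.GOMAXPROCS(0),
	}
}

// Headroom reports how far the live heap is below the soft limit. At or
// below zero the GC is already running flat out; because SetMemoryLimit
// never fails an allocation, only a hard cap (systemd MemoryMax=, a
// container memory limit) actually stops further growth.
func Headroom() int64 {
	var ms runtime.MemStats
	runtime.ReadMemStats(&ms)
	return debug.SetMemoryLimit(-1) - int64(ms.HeapAlloc)
}

func main() {
	eff := Apply(DefaultLimits())
	fmt.Printf("limit=%d MiB gogc=%d maxprocs=%d headroom=%d MiB\n",
		eff.MemoryLimitBytes>>20, eff.GCPercent, eff.MaxProcs, Headroom()>>20)
}
```

GOMAXPROCS caps how many threads run Go code at once; it does not reserve CPUs, so the agent still competes normally with the workload under the scheduler.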
Can we integrate it with our existing CI/CD and alerting?
Yes. Every alert is a webhook, so PagerDuty, OpsGenie, Squadcast, Slack, Teams, and any endpoint that accepts HTTPS POST can be wired in. There is a documented REST API for read and write operations, so CI/CD pipelines can query patch state, trigger deployments, and pull reports programmatically.
How quickly can we have our first fleet reporting?
Cloud signup provisions your instance in a couple of minutes. A one-line agent install on each host starts reporting immediately, so you can have a representative sample of production hosts on the dashboard the same afternoon and a full rollout within a week.
Book a demo
15-minute call, no sales pitch. We'll show you the dashboard and agent deployment, and answer your questions.
Book directly at cal.com/9-technology-group/patchmon-demo.
Ready to bring your production fleet under one dashboard?
Start a free PatchMon Cloud trial, pilot on a small group of hosts, and expand from there at your own pace.