Turn patch posture into audit-ready evidence.
PatchMon runs OpenSCAP CIS benchmarks and Docker Bench checks from the same agent that monitors package currency, so patch state and configuration compliance land in one system with exportable evidence.
Why security teams choose PatchMon
Security engineers, compliance officers, and CISO-adjacent teams need to measure and report patch posture and configuration compliance across the whole estate. PatchMon treats that as the product, not a bolt-on.
Patch state and compliance in one system
Package currency, pending security updates, OpenSCAP CIS benchmark results, and Docker Bench findings surface in the same dashboard, so you stop stitching evidence together across three vendors.
OpenSCAP CIS benchmarks from the agent
The PatchMon agent runs OpenSCAP SCAP datastream evaluations directly on the host and reports pass/fail per control. No separate scanning appliance, no credentialed remote scans to schedule.
Docker Bench security checks built in
Docker Bench runs alongside host patch monitoring, so container hardening gaps and outdated host packages show up in the same workflow instead of a siloed container security tool.
Audit-ready evidence export
Per-host, per-control compliance results are exportable as structured reports. Hand the output directly to auditors or pipe it into your GRC system without rekeying.
OIDC SSO and granular RBAC
Auditors and compliance reviewers get read-only access tied to your identity provider. No shared credentials, no manual account sprawl, no orphaned logins after an audit closes.
Isolated tenant storage on Cloud
PatchMon Cloud runs your evidence trail on isolated per-customer storage with automated backups, so compliance data never shares a database with another customer.
The evidence problem in every audit
Proving to auditors that systems are patched and CIS-compliant requires pulling data from multiple tools, none of which speak the same language. Every audit cycle becomes a manual reconciliation exercise that nobody on the team wants to own.
Audits are a reconciliation exercise
Proving that systems are patched and CIS-compliant requires pulling data from vulnerability scanners, patch tools, and configuration scanners that do not share a schema. Every audit cycle becomes a manual merge.
Compliance scanning is bolted on
Most patch tools treat compliance as a checklist for the marketing page, not a first-class measurement. Real CIS evaluation requires OpenSCAP content and a scanning engine, not a CSV of kernel versions.
Auditor access is a liability
Giving external auditors shared credentials or a database read-only copy is the path of least resistance and also the path to your next incident. There is rarely a clean scoped-access story.
How PatchMon produces evidence
PatchMon is designed around the idea that compliance is a measurement, and every measurement has to be traceable, timestamped, and exportable.
OpenSCAP CIS results as structured data
Every CIS evaluation produces a rule-by-rule result set tied to the host, the benchmark version, and the scan time. Results are retained on the PatchMon server and exportable for audit packs, not just displayed transiently in a dashboard.
Patch state history, not just current state
Patch state is stored with scan timestamps, so auditors can see not only what a host looks like today but what it looked like on the date a control was assessed. No more arguing with auditors about what was true six months ago.
Change accountability via session recording
SSH and RDP sessions to managed hosts are recorded through the PatchMon browser proxy. Compliance reviewers can trace who connected, when, and what they did during a change window.
Pinned benchmark and agent versions
You choose the ComplianceAsCode SCAP content version your hosts are assessed against, and PatchMon records the agent version used on every scan, so evidence can be reproduced for the exact content and agent versions that were in effect at audit time.
Why not just use an RMM?
RMM tools focus on uptime, task automation, and remote hands. Compliance scanning, when it exists, is a bolted-on checklist rather than a first-class measurement that feeds into audit evidence. You get green ticks on a dashboard, not a rule-by-rule OpenSCAP result set that an auditor will accept.
Security teams need the underlying evaluation, the rule text, the remediation guidance, and the historical pass/fail trail per host, not a summarised status indicator. PatchMon stores the full OpenSCAP XCCDF result for each scan, tied to the benchmark version and the agent version, so a finding can be traced back to the exact content that produced it.
The other practical difference is the shape of the evidence. RMMs give you summarised dashboards and CSV exports. PatchMon stores the complete rule-by-rule result set per scan, per host, with benchmark and agent versions attached, so your evidence survives auditor scrutiny instead of prompting more questions.
What is covered out of the box
OpenSCAP, CIS profiles, and Docker Bench ship with PatchMon; compliance scanning is not a separate compliance-only portal you buy later. Cloud tiers scale managed hosting and support; Community is AGPLv3 on infrastructure you operate yourself.
- OpenSCAP evaluation against SCAP content for RHEL, Ubuntu, Debian, and more
- Docker Bench for Security on every Docker host running the agent
- Per-control pass/fail results with remediation text from the SCAP content
- Pending security updates tracked per host from distro repository metadata
- Package currency across APT, DNF, YUM, APK, Pacman, FreeBSD pkg, and Windows
- OIDC SSO for auditor and reviewer accounts, tied to your IdP
- Role-based access control with read-only, report-only, and admin roles
- Scoped visibility per fleet, environment, or workspace
- Alerting on compliance regression and patch SLA breach
- Scheduled compliance and patch reports delivered by email or webhook
- Full REST API for evidence export and GRC integration
- Session-recorded remote access for change-window accountability
How security teams roll it out
Four steps from signup to an audit-ready evidence trail.
Start your Cloud trial
Sign up for a free PatchMon Cloud trial. Your instance is provisioned with isolated storage and managed backups included.
Install the agent on your first hosts
One-line install on in-scope hosts. The same agent reports package currency, runs OpenSCAP SCAP evaluations, and executes Docker Bench checks on Docker hosts.
Review patch and compliance posture
Dashboards show pending security updates, OpenSCAP rule-by-rule pass/fail, and Docker Bench findings per host. Wire in OIDC SSO for auditors and reviewers.
Schedule scans and export evidence
Set scan cadence per host group, route regression alerts to email or webhook, and export structured compliance reports for audit packs or GRC ingestion.
Security and compliance FAQ
Which CIS benchmarks are supported?
PatchMon evaluates OpenSCAP SCAP datastreams shipped by the ComplianceAsCode project. That covers CIS and STIG profiles for RHEL 7/8/9, CentOS, Rocky, AlmaLinux, Ubuntu LTS, Debian, SLES, and Oracle Linux, plus additional hardening profiles. The content is bundled with the server image, and you can pin the ComplianceAsCode version you want assessed against.
Does it produce evidence packs we can hand to auditors?
Yes. OpenSCAP results are stored per host, per benchmark, with rule-by-rule pass/fail, remediation guidance, and scan timestamps. You can export compliance reports via the API or the UI, and the structured output is suitable for dropping straight into audit evidence folders or ingesting into a GRC system.
How does OIDC SSO work for auditors?
PatchMon supports OIDC against Authentik, Keycloak, Okta, Azure AD, Google Workspace, and any other compliant identity provider. You can provision auditor accounts as read-only users in your IdP, map them to a read-only PatchMon role via claim mapping, and deprovision access centrally when the engagement ends. No shared logins and no orphaned accounts.
Can we scope access by fleet, environment, or business unit?
Yes. PatchMon supports separate workspaces where each has its own scoped users, hosts, and compliance data. Auditors can be granted access to a single workspace (for example, PCI scope) without ever seeing data from another. RBAC roles within a workspace further restrict what each user can see and do.
Does compliance scanning cover Docker images, not just hosts?
PatchMon runs Docker Bench for Security on every host that has Docker installed, which assesses the daemon configuration, image build posture, container runtime flags, and host hardening. Image-level vulnerability scanning (scanning a registry image tag for CVEs) is handled by dedicated tools; PatchMon focuses on the running state of the host and its containers.
How are compliance regressions detected?
Every scheduled OpenSCAP and Docker Bench scan is compared against the previous run for each host. Any rule that flips from pass to fail triggers a regression alert routed through the configured notification channels (email, Slack, Discord, ntfy, and generic webhook). The same alerting applies when a host falls behind on pending security updates beyond your configured threshold.
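The comparison described above, and the XCCDF result set the "Why not just use an RMM?" section says is stored per scan, can be illustrated with a small parser and diff. This is an added example, not PatchMon's own code: it reads two XCCDF 1.2 TestResult documents (the namespace and element names are the real XCCDF ones that OpenSCAP emits; the two sample documents, the rule ids, the benchmark id, the host name and the agent version are constructed here), classifies each rule as a regression (pass to not-pass), a recovery, or a newly failing rule that had no prior result, and emits a timestamped evidence record that carries the benchmark and agent versions. PatchMon's real storage schema is not on the page, so the record layout is an assumption.

```python
"""Diff two XCCDF result sets for one host and emit a traceable evidence record.

Added example, not PatchMon code. Sample documents below are constructed.
"""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# XCCDF 1.2 namespace used by OpenSCAP result files (real namespace URI).
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Outcomes that mean the control was met. XCCDF also has notapplicable,
# notchecked, informational, error and unknown; none of those counts as a pass,
# so a rule moving from pass to any of them is reported as a regression.
PASSING = {"pass", "fixed"}


@dataclass(frozen=True)
class ScanResult:
    host: str
    agent_version: str      # assumed field; the page says the version is recorded per scan
    benchmark_id: str
    benchmark_version: str
    start_time: str
    rules: dict = field(default_factory=dict)  # rule idref -> XCCDF result string


def parse_xccdf_result(xml_text: str, host: str, agent_version: str) -> ScanResult:
    """Extract per-rule outcomes from an XCCDF TestResult (or a document containing one)."""
    root = ET.fromstring(xml_text)
    tr = root if root.tag.endswith("}TestResult") else root.find(".//x:TestResult", XCCDF_NS)
    if tr is None:
        raise ValueError("no TestResult element found")
    bench = tr.find("x:benchmark", XCCDF_NS)
    rules = {}
    for rr in tr.findall("x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        rules[rr.get("idref")] = (res.text or "").strip() if res is not None else "unknown"
    return ScanResult(
        host=host,
        agent_version=agent_version,
        benchmark_id=bench.get("id", "unknown") if bench is not None else "unknown",
        benchmark_version=tr.get("version", "unknown"),
        start_time=tr.get("start-time", "unknown"),
        rules=rules,
    )


def find_regressions(previous: ScanResult, current: ScanResult) -> dict:
    """Classify rule-level changes between two scans of the same host."""
    if previous.host != current.host:
        raise ValueError("scans are for different hosts")
    regressions, new_failures, recovered = [], [], []
    for rule, res in current.rules.items():
        before = previous.rules.get(rule)
        if before is None:
            # Rule had no prior result (new content version or first scan):
            # surface it as a finding, but it is not a regression.
            if res not in PASSING:
                new_failures.append(rule)
        elif before in PASSING and res not in PASSING:
            regressions.append(rule)
        elif before not in PASSING and res in PASSING:
            recovered.append(rule)
    return {
        "regressions": sorted(regressions),
        "new_failures": sorted(new_failures),
        "recovered": sorted(recovered),
        # A content version change explains new or vanished rules to an auditor.
        "benchmark_changed": previous.benchmark_version != current.benchmark_version,
    }


def evidence_record(previous: ScanResult, current: ScanResult) -> dict:
    """Evidence record: host, versions, timestamps, counts and the regression verdict."""
    diff = find_regressions(previous, current)
    return {
        "host": current.host,
        "agent_version": current.agent_version,
        "benchmark_id": current.benchmark_id,
        "benchmark_version": current.benchmark_version,
        "scan_time": current.start_time,
        "compared_to": previous.start_time,
        "passed": sum(1 for r in current.rules.values() if r in PASSING),
        "total": len(current.rules),
        "alert": bool(diff["regressions"]),
        **diff,
    }


def _sample_xccdf(start: str, version: str, outcomes: dict) -> str:
    """Constructed minimal TestResult; real OpenSCAP output carries far more detail."""
    rows = "".join(
        f'<rule-result idref="xccdf_org.ssgproject.content_rule_{r}"><result>{o}</result></rule-result>'
        for r, o in outcomes.items()
    )
    return (
        f'<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_1" '
        f'start-time="{start}" version="{version}">'
        f'<benchmark href="ssg-ubuntu2204-ds.xml" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"/>'
        f"{rows}</TestResult>"
    )


# Constructed sample scans one week apart on the same host and content version.
PREV = _sample_xccdf("2024-05-01T02:00:00", "0.1.72", {
    "sshd_disable_root_login": "pass",
    "package_auditd_installed": "pass",
    "sysctl_kernel_randomize_va_space": "fail",
})
CURR = _sample_xccdf("2024-05-08T02:00:00", "0.1.72", {
    "sshd_disable_root_login": "pass",
    "package_auditd_installed": "fail",       # regression: should alert
    "sysctl_kernel_randomize_va_space": "pass",  # recovered
    "ensure_logrotate_activated": "fail",     # new rule, no prior result
})

if __name__ == "__main__":
    prev = parse_xccdf_result(PREV, "web-01", "agent-1.2.3")
    curr = parse_xccdf_result(CURR, "web-01", "agent-1.2.3")
    print(json.dumps(evidence_record(prev, curr), indent=2))
```

Running it prints one JSON record in which only the auditd rule appears under "regressions" and "alert" is true; the recovered sysctl rule and the newly failing logrotate rule are listed separately so a reviewer can tell a genuine regression from a content change. Treating notapplicable and notchecked as non-passing is deliberate: a control that silently stops being evaluated should not keep reporting green.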
Book a demo
15-minute call, no sales pitch. We'll show you the dashboard and agent deployment, and answer your questions.
Book directly at cal.com/9-technology-group/patchmon-demo.
Ready to make your next audit boring?
Start a free PatchMon Cloud trial and turn patch state and CIS compliance into one exportable evidence trail. Transparent per-host pricing from $1/host/month.