PatchMon

Last updated: April 2026

Everything you need to manage patches across your fleet.

PatchMon covers patch visibility, compliance scanning, remote access, Docker monitoring, alerting, and access control -- in a single self-hosted dashboard. Here is how those pieces fit together.

What sets PatchMon apart

The capabilities that matter most -- and that you won't find together in any other tool.

1. Six Package Managers, One Dashboard

APT, DNF/YUM, APK, Pacman, FreeBSD pkg, Windows Update -- all first-class.

2. FreeBSD Support

Yes, even your FreeBSD firewalls. No other patch management tool covers them.

3. Outbound-Only Agents

Zero inbound firewall rules on managed hosts. Your security team will thank you.

4. Single Binary Deployment

One Go binary. No Java, no Tomcat, no dependency hell. Running in five minutes.

5. Browser SSH & RDP

Click a host, open a terminal. No VPN, no exposed ports, no local client needed.

6. OpenSCAP CIS Compliance

Built-in compliance scanning with audit trails your auditor actually wants.

7. Multi-Tenancy for MSPs

Per-tenant database isolation. Not row-level filtering -- actual separate databases.

8. Truly Open Source

AGPLv3 with no feature gates. Community gets everything, not an open-core teaser.

Every capability at a glance.

Grouped by category, linked where you can read more.

Package inventory: Every installed package across all hosts with version, category, and security flags
Pending update detection: Agents report available updates per package manager automatically
Six package managers: APT, DNF/YUM, APK, Pacman, FreeBSD pkg, Windows Update
Patch policies: Immediate, delayed, or fixed-time scheduling with timezone support
Policy assignment: Assign to individual hosts or host groups with per-host exclusions
Dry-run validation: Simulate a patch run and see exactly what would change before committing
Approval workflows: Validation runs require explicit approval before executing on production
Full audit trail: Every run records who triggered it, who approved it, command output, and policy snapshot
Multi-architecture: amd64, arm64, i386, and arm builds for every platform
Host grouping and batch operations: Color-coded groups for logical organization and bulk targeting
Reboot status tracking: Hosts needing reboots are flagged with reason, surfaced in the dashboard
Package version history: Per-package activity tracking shows version changes over time
Security update flagging: Security-relevant updates marked separately so you know what is critical
Repository management: Track, enable/disable, and prioritize package repositories per host

OpenSCAP CIS benchmarks: SCAP Security Guide datastreams for CIS benchmark scanning across hosts
Docker Bench for Security: Docker security benchmarking integrated as a first-class compliance scan type
Compliance score tracking: Per-host score history with total rules, passed, failed, warnings, and skipped
Rule-level results: Pass/fail/warning status per rule with severity, section, and description
Remediation guidance: Actionable remediation steps for each failed rule from the SSG content
Compliance modes: Per-host -- disabled, scheduled, or on-demand only scanning
SSG content management: Server manages SCAP Security Guide datastreams with automated update checks
Scan rate limiting: Built-in limits help large fleets stay stable under load

Browser-based SSH terminal: Full terminal in the browser -- no local SSH client required
Browser-based RDP: Windows remote desktop in the browser with sensible security defaults
Agent-proxied connections: SSH and RDP can route through the agent so hosts avoid extra inbound exposure
AI terminal assistant: Optional LLM assistance with your own API keys; rate-limited per user
Dynamic terminal resize: Terminal size tracks your browser window while you work
Password and key-based SSH auth: Supports password, private key, and key with passphrase authentication
Configurable RDP resolution: Set resolution for RDP sessions with a short-lived access handshake

Container inventory: Track every container with name, image, status, state, ports, and labels
Image inventory with update detection: Repository, tag, digest, size -- with available update and severity tracking
Volume and network tracking: Full inventory of Docker volumes (driver, size, refs) and networks (driver, scope, IPAM)
Docker Bench security scanning: Docker security benchmarking alongside your other compliance scans
Per-host Docker detail: Containers, images, volumes, and networks for each host in the host detail view
Aggregated Docker dashboard: Cross-host Docker statistics in a single overview
Automatic stale data cleanup: Docker inventory stays accurate when hosts leave the fleet

Host down / host recovered alerts: Regular health checks surface hosts going offline or coming back
Patch run success/failure notifications: Get notified immediately when a patch run completes or fails
Compliance scan alerts: Notifications when compliance scans complete with results summary
5 notification channels: Slack, Discord, SMTP email, ntfy push notifications, and generic webhooks
Signed webhooks: Optional signatures so receivers can verify payloads are genuine
Event routing rules: Route by event type, minimum severity, host group, and individual host
Alert assignment and resolution: Assign alerts to team members, track actions, resolve with full history
Scheduled reports: Time-scheduled reports with configurable sections delivered to any destination
Delivery log with retry tracking: Full audit trail of every notification: status, errors, attempt count
Test notifications: Send a test message to any configured destination before going live
Configurable alert rules: Per-alert-type enable/disable, severity overrides, and auto-assign rules

Dashboard & Reporting

Customizable dashboard: Drag-and-drop card layout with per-user preferences and configurable columns
Host overview: OS, kernel version, architecture, CPU, RAM, disk, uptime, and network interfaces
Package statistics and trends: Time-series charts for package counts with configurable day ranges
Filterable host list: Search, filter by group, status, OS, OS version -- with per-host update counts
Scheduled reports: Executive summaries, compliance data, patch status, open alerts, and outstanding updates
System statistics: Aggregated host metrics on a steady interval for historical trends
Per-user dashboard layout: Each user configures their own card visibility, order, and column span

Role-based access control: Granular permissions with built-in and custom roles for least-privilege access
OIDC / SSO integration: OpenID Connect with automatic user provisioning and optional local-auth lockout
TOTP two-factor authentication: QR code setup, backup codes, lockout protection, configurable remember-me
Discord OAuth2: Discord login with account linking for teams that already live there
API key management: Scoped credentials for agents and automation, separate from interactive logins
Session management: Active session visibility, revocation, and inactivity timeouts
Audit logging: Every security-relevant action recorded with user, IP, timestamp, and details
Login security: Brute-force lockout, configurable password policies, rate limiting, HSTS
Encrypted secrets: Server-side encryption for AI keys, OAuth secrets, and notification configs

Agent & Deployment

Single static agent binary: No extra runtime on the host -- drop in the binary and run
Outbound-only connections: Agents connect out to PatchMon -- no listening ports or inbound firewall rules required
Auto-enrollment tokens: Token-based registration with optional network guardrails and expiry
Default group assignment: Tokens can place new hosts into the right group automatically
Linux, FreeBSD, and Windows: Builds for common CPU architectures across Linux, FreeBSD, and Windows
Constrained-host friendly: Tuned for modest CPU and memory footprints on edge and appliance hardware
Proxmox LXC auto-enrollment: Script generation for automated agent deployment inside Proxmox containers
One-line agent install: Quick install script for rolling agents out at scale
Agent version tracking: Server tracks agent versions and update availability
Configurable collection interval: Adjust how often agents report -- changes pushed to agents automatically

Infrastructure & API

REST API: Versioned HTTP API with interactive docs -- the UI is API-backed
Multi-tenancy for MSPs: Strong tenant isolation for managed service providers
PostgreSQL data store: Relational storage for hosts, history, compliance, and audit evidence
Background jobs: Queue-backed workers for scans, cleanup, notifications, and housekeeping
Docker Compose deployment: Published stack -- PostgreSQL 17, Redis 7, ghcr.io/patchmon/patchmon-server, guacd for browser RDP
Single server binary: One process ships the API, web UI, and migrations -- minimal moving parts
GetHomepage integration: Stats endpoint compatible with common homelab dashboards
Custom branding: Upload your own logos (light/dark) and favicon for white-label deployments
Background automation: Scheduled maintenance -- version checks, session hygiene, fleet cleanup, and more
Encrypted config storage: Sensitive integration settings encrypted at rest

What does your fleet actually look like?

Your fleet is not homogeneous. PatchMon handles the diversity -- distributions, package managers, and architectures -- in a single view.

How it all fits together.

A single PatchMon server fronts the web app and API. Agents connect outbound so monitored hosts avoid extra inbound exposure.

        +------------------+
        |   Your browser   |
        +--------+---------+
                 |
               HTTPS
                 |
        +--------v---------+
        | PatchMon server  |
        |   (web + API)    |
        +----+--------+----+
             |        |
      +------v---+ +--v------+
      | Database | |  Cache  |
      +----------+ +---------+

  Agents (Linux / FreeBSD / Windows) connect outbound to PatchMon:

   +--------+   +--------+   +--------+
   | Agent  |   | Agent  |   | Agent  |
   +---+----+   +---+----+   +---+----+
       |            |            |
       +------------+------------+
                    |
              PatchMon server

See everything in one place.

Hosts, packages, patches, compliance, containers, alerts -- all in a single, customizable interface with drag-and-drop card layouts and per-user preferences.

PatchMon - Full Dashboard View

Ready to see it in action?

Deploy the Community edition in minutes, or explore Cloud and PRO. Tier details and current Cloud pricing (including Plus intro through April 2026) are on the pricing page.