Skip to main content
PathMon

Last updated: April 2026

A security tool should meet the standards it enforces.

PatchMon is a security tool - so it has to meet the same standards it helps you enforce. Here's how we approach security across the platform.

Security Principles

Outbound-Only Agent Architecture

PatchMon agents never listen on any port. All connections are initiated outbound from the agent to your server over WebSocket. This means no inbound firewall rules are needed on monitored hosts, significantly reducing the attack surface of your fleet.

Encryption in Transit

All communication between agents and the server uses TLS. The WebSocket connection is encrypted end-to-end. API requests are served over HTTPS. No patch data, host information, or credentials travel in the clear.

Least Privilege by Default

Database users, Redis ACLs, and API keys are configured with the minimum permissions required. The agent runs with the minimum system access needed to query package managers - it does not require root for monitoring.

Role-Based Access Control

Every action in PatchMon is permission-gated. Assign roles that match your organisation's structure - read-only for auditors, operational access for engineers, admin for platform owners. SSO/OIDC integration for centralised identity management.

Audit Logging

User actions, authentication events, and configuration changes are logged with timestamps and actor identification. Every patch run records who triggered it, who approved it, what policy was active, and the full shell output - giving you a complete audit trail for compliance requirements.

Open Source Transparency

PatchMon is open source under AGPLv3. Every network call, every data handling path, and every authentication mechanism is available for inspection. No black boxes, no hidden telemetry, no trust-us-it's-fine.

Agent Security Model

The PatchMon agent is designed to minimise its footprint on your infrastructure. Here is how it works.

Outbound-only WebSocket

Agents connect outbound to your PatchMon server over WebSocket. They never listen on any port and never accept inbound connections. This means zero inbound firewall rules are needed on monitored hosts. SSH and RDP sessions are routed through the agent's existing outbound connection - no additional ports required.

Token-Based Authentication

Each agent authenticates with a unique API ID and API key. Keys are stored with strong one-way hashing so a database compromise does not expose usable agent credentials.

Lightweight and Constrained

The agent is a single static binary with no extra runtime on the host. It is tuned for modest CPU and memory use on edge and server hardware. It queries package managers and system information and does not require root access for monitoring operations.

Secure Fleet Onboarding

Auto-enrollment tokens let you onboard hosts at scale without manual credential management. Tokens can be scoped with IP range restrictions, daily rate limits, expiration dates, and default host group assignment - so a compromised token has limited blast radius.

Compliance Support

PatchMon helps you meet the requirements of frameworks like SOC 2, ISO 27001, and PCI-DSS through built-in capabilities.

Patch Audit Trail

Every patch run is a permanent, timestamped record with who triggered it, who approved it, what packages changed, and the full shell output. Pull a 90-day patch history in seconds.

CIS Benchmark Scanning

Run OpenSCAP compliance scans against CIS benchmarks. Per-rule pass/fail results with severity, remediation guidance, and score tracking over time.

Scheduled Reports

Automated reports with executive summaries, compliance scores, patch status, and open alerts - delivered on a schedule to Slack, email, or webhooks.

Responsible Disclosure

If you discover a security vulnerability in PatchMon, we want to hear about it. Please report it responsibly so we can address it before public disclosure.

How to report

  • Email support@patchmon.net with details of the vulnerability
  • Include steps to reproduce, affected versions, and potential impact
  • We aim to acknowledge reports within 48 hours and provide a fix timeline within 5 business days
  • Please do not disclose publicly until we've had time to address the issue

Questions about our security practices?

We're happy to discuss our approach in detail.

Get in Touch