PatchMon

Last updated: April 2026

A security tool should meet the standards it enforces.

PatchMon is a security tool - so it has to meet the same standards it helps you enforce. Here's how we approach security across the platform.

Security Principles

Outbound-Only Agent Architecture

PatchMon agents never listen on any port. All connections are initiated outbound from the agent to your server over WebSocket. This means no inbound firewall rules are needed on monitored hosts, significantly reducing the attack surface of your fleet.

Encryption in Transit

All communication between agents and the server uses TLS. The WebSocket connection is encrypted end-to-end. API requests are served over HTTPS. No patch data, host information, or credentials travel in the clear.

Least Privilege by Default

Database users, Redis ACLs, and API keys are configured with the minimum permissions required. The agent runs with the minimum system access needed to query package managers - it does not require root for monitoring.

Role-Based Access Control

Every action in PatchMon is permission-gated. Assign roles that match your organisation's structure - read-only for auditors, operational access for engineers, admin for platform owners. SSO/OIDC integration provides centralised identity management.

Audit Logging

User actions, authentication events, and configuration changes are logged with timestamps and actor identification. Every patch run records who triggered it, who approved it, what policy was active, and the full shell output - giving you a complete audit trail for compliance requirements.

Open Source Transparency

PatchMon is open source under AGPLv3. Every network call, every data handling path, and every authentication mechanism is available for inspection. No black boxes, no hidden telemetry, no trust-us-it's-fine.

Agent Security Model

The PatchMon agent is designed to minimise its footprint on your infrastructure. Here is how it works.

Outbound-only WebSocket

Agents connect outbound to your PatchMon server over WebSocket. They never listen on any port and never accept inbound connections. This means zero inbound firewall rules are needed on monitored hosts. SSH and RDP sessions are routed through the agent's existing outbound connection - no additional ports required.

Token-Based Authentication

Each agent authenticates with a unique API ID and API key. Keys are stored with strong one-way hashing so a database compromise does not expose usable agent credentials.
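The property described above, that a dumped credentials table yields nothing an attacker can present as an agent key, comes from storing only a salted, slow one-way hash and comparing in constant time. The sketch below is an added example, not PatchMon's own code; the record layout, the PBKDF2-HMAC-SHA256 choice, the `ITERATIONS` value and the lookup-by-API-ID flow are all assumptions made for illustration.

```python
"""Hypothetical agent-credential store: only one-way hashes of API keys are persisted.

Added example, not PatchMon's own code. Record layout, hash parameters and the
lookup-by-API-ID flow are assumptions.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)
SALT_BYTES = 16
HASH_BYTES = 32


def _derive(api_key: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted one-way derivation of the stored verifier from the plaintext key."""
    return hashlib.pbkdf2_hmac("sha256", api_key.encode(), salt, iterations, dklen=HASH_BYTES)


def issue_agent_credentials(store: dict) -> tuple:
    """Create an API ID / API key pair. The plaintext key is returned exactly once
    (to hand to the agent) and never written to the store."""
    api_id = "agent_" + secrets.token_hex(8)
    api_key = secrets.token_urlsafe(32)
    salt = os.urandom(SALT_BYTES)
    store[api_id] = {
        "salt": salt,
        "hash": _derive(api_key, salt, ITERATIONS),
        "iterations": ITERATIONS,   # stored so the work factor can be raised later
    }
    return api_id, api_key


def verify_agent(store: dict, api_id: str, api_key: str) -> bool:
    """Authenticate an agent by API ID + API key against the hashed record."""
    record = store.get(api_id)
    if record is None:
        # Spend the same work as a real check so an unknown ID is not
        # distinguishable from a wrong key by response time.
        _derive(api_key, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    candidate = _derive(api_key, record["salt"], record["iterations"])
    # Constant-time comparison: no early exit on the first differing byte.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    db = {}                                   # constructed in-memory stand-in for the DB table
    agent_id, agent_key = issue_agent_credentials(db)
    print("stored record:", db[agent_id])     # salt + hash only; the key itself is absent
    print("valid login:", verify_agent(db, agent_id, agent_key))
    print("wrong key:", verify_agent(db, agent_id, "not-the-key"))
    print("unknown id:", verify_agent(db, "agent_0000", agent_key))
```

Because the stored fields are a random salt and a PBKDF2 output, a copy of the table gives an attacker only an offline guessing problem against 256-bit random keys, which is not feasible; the per-record `iterations` field lets the work factor be raised on the next rotation without invalidating existing agents.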

Lightweight and Constrained

The agent is a single static binary with no extra runtime on the host. It is tuned for modest CPU and memory use on edge and server hardware. It queries package managers and system information and does not require root access for monitoring operations.

Secure Fleet Onboarding

Auto-enrollment tokens let you onboard hosts at scale without manual credential management. Tokens can be scoped with IP range restrictions, daily rate limits, expiration dates, and default host group assignment - so a compromised token has limited blast radius.
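Scoped enrollment tokens only limit blast radius if every constraint is enforced on each enrollment request. The following is an added example, not PatchMon's own code; the token fields, the reason strings and the in-memory per-day usage counter are assumptions, and the sample token and IP addresses are constructed.

```python
"""Hypothetical enforcement of scoped auto-enrollment tokens.

Added example, not PatchMon's own code. Token fields, reason strings and the
in-memory usage counter are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class EnrollmentToken:
    token_id: str
    allowed_cidrs: list          # IP range restriction, e.g. ["10.20.0.0/16"]
    daily_limit: int             # maximum enrollments per UTC day
    expires_at: datetime         # hard expiry (timezone-aware)
    default_group: str           # host group newly enrolled hosts are placed in
    usage: dict = field(default_factory=dict)   # UTC date -> enrollments seen (assumed in-memory)


def check_enrollment(token: EnrollmentToken, source_ip: str, now: datetime) -> tuple:
    """Decide whether one enrollment attempt is accepted.

    Returns (True, default_group) on success, or (False, reason) naming the
    first constraint that failed. Expiry is checked before anything else so a
    dead token never consumes rate-limit budget or reveals its IP scope.
    """
    if now >= token.expires_at:
        return False, "expired"

    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(cidr) for cidr in token.allowed_cidrs):
        return False, "ip_not_allowed"

    day = now.astimezone(timezone.utc).date().isoformat()
    used_today = token.usage.get(day, 0)
    if used_today >= token.daily_limit:
        return False, "daily_limit_reached"

    token.usage[day] = used_today + 1
    return True, token.default_group


if __name__ == "__main__":
    # Constructed sample: a token for one /16, two enrollments a day, valid until 1 May 2026.
    tok = EnrollmentToken("tok-demo", ["10.20.0.0/16"], 2,
                          datetime(2026, 5, 1, tzinfo=timezone.utc), "edge-uk")
    now = datetime(2026, 4, 10, 12, 0, tzinfo=timezone.utc)
    print(check_enrollment(tok, "10.20.3.4", now))                    # accepted
    print(check_enrollment(tok, "192.168.1.1", now))                  # ip_not_allowed
    print(check_enrollment(tok, "10.20.3.5", now))                    # accepted (2nd of 2)
    print(check_enrollment(tok, "10.20.3.6", now))                    # daily_limit_reached
    print(check_enrollment(tok, "10.20.3.6", now + timedelta(days=1)))  # budget resets
    print(check_enrollment(tok, "10.20.3.6", datetime(2026, 6, 1, tzinfo=timezone.utc)))  # expired
```

A leaked token under these rules can at most enroll `daily_limit` hosts per day, only from the permitted ranges, only until expiry, and only into the pre-assigned group, which is what makes revocation a bounded clean-up rather than a fleet-wide incident.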

Compliance Support

PatchMon helps you meet the requirements of frameworks like SOC 2, ISO 27001, and PCI-DSS through built-in capabilities.

Patch Audit Trail

Every patch run is a permanent, timestamped record with who triggered it, who approved it, what packages changed, and the full shell output. Pull a 90-day patch history in seconds.

CIS Benchmark Scanning

Run OpenSCAP compliance scans against CIS benchmarks. Per-rule pass/fail results with severity, remediation guidance, and score tracking over time.

Scheduled Reports

Automated reports with executive summaries, compliance scores, patch status, and open alerts - delivered on a schedule to Slack, email, or webhooks.

Trust & Compliance

PatchMon Cloud is operated by PatchMon LTD on certified infrastructure. We publish the controls and evidence enterprise customers need to complete security and privacy due diligence.


Certified Infrastructure

Production runs on IONOS Cloud, an EU-headquartered provider certified to ISO/IEC 27001 and BSI C5 Type 1, with regions in London, Frankfurt, Paris, and Newark. The Worcester (UK) data centre is Uptime Institute Tier IV certified. European data centres run on 100% renewable energy. Disaster recovery and encrypted offsite backup custody are provided by an ISO 27001:2022 and ISO 9001:2015 certified UK partner (detail in our sub-processor list).

UK GDPR & DPA 2018

Registered with the UK Information Commissioner's Office. Dedicated Incident Response Plan, Breach Notification Procedure with a 72-hour ICO notification commitment, and transparent sub-processor list in our DPA.

No Card Data Stored

Payments are handled end-to-end by Stripe under their PCI DSS certification. PatchMon LTD never stores, transmits, or processes raw payment card data.

Encryption

TLS for all data in transit. AES-GCM for sensitive fields at rest, including AI credentials and integration secrets. Customer-scoped keys and per-tenant isolation.

Backups & DR

Daily database and host-image backups, encrypted and held offsite by our ISO 27001 backup custodian. Cross-region failover by DNS for region-level outages. Quarterly restore drills.

Evidence Pack (under NDA)

Incident Response Plan, Breach Notification Procedure, DPA, sub-processor schedule, Shared Responsibility Matrix, and pen-test summaries are available to enterprise prospects under NDA.

Request the evidence pack

Enterprise prospects: we respond within one business day after NDA.

Responsible Disclosure

If you discover a security vulnerability in PatchMon, we want to hear about it. Our full Vulnerability Disclosure Policy (VDP) explains scope, safe harbour, and the coordinated disclosure timeline we commit to.

Report a vulnerability

Security researchers and members of the public.

security@patchmon.net

Report a live incident

Customers and sub-processors. Acknowledged within 4 hours, 24/7.

incidents@patchmon.net

What we commit to

  • Acknowledgement within 2 business days (auto-reply within minutes).
  • Triage and severity assessment within 5 business days; status updates at least every 14 days.
  • Coordinated disclosure with a standard 90-day window, or sooner if remediated.
  • Safe harbour for good-faith research that follows the policy.
  • Public acknowledgement on our hall of fame (with your consent).

Questions about our security practices?

We're happy to discuss our approach in detail.

Get in Touch