Vulnerability management that actually closes the loop

Most scanners stop at detection. PatchGuard starts there — and finishes with a deployed fix, an audit trail, and a verified health check.

Agentless for cloud. Lightweight agent for on-prem.

PatchGuard uses cloud provider APIs (AWS Systems Manager, Azure Update Manager, GCP OS Config) for cloud hosts — no agent install required. For on-premises servers and isolated network segments, a 12 MB Go-based agent handles scanning and patch execution with outbound-only connections.

  • Cloud: zero-agent, API-native integration
  • On-prem: 12 MB agent, outbound-only (port 443)
  • Kubernetes: reads pod specs from kube-apiserver
  • Average setup time under 20 minutes

PatchGuard architecture

Five-stage pipeline from scan to verified fix

01 Asset Discovery

PatchGuard pulls inventory from cloud APIs and agent reports every 6 hours. Each asset record includes OS version, installed packages, kernel, running containers, and network exposure tags.

02 CVE Correlation

Installed packages are matched against NVD, OSV, vendor advisories (RHSA, USN, MSRC), and CISA KEV. The database refreshes every 4 hours via signed feeds — never more than 4 hours stale.

03 Risk Scoring

Each CVE-asset pair receives a PatchScore™: CVSS base × exploit availability multiplier × asset criticality weight × network exposure factor. Scores range 0–100. Scores above 75 are rated Critical and auto-escalate to your on-call channel.

04 Patch Orchestration

Approved patches run through a configurable canary deployment: 5% of assets first, then 25%, then 100%. Each wave waits for health checks to pass before proceeding. Rollback triggers automatically if error rate exceeds threshold.

05 Verification & Audit

Post-patch scans confirm the CVE is remediated. Results feed back into the risk dashboard. Every action — scan, score, deploy, rollback — is written to an immutable audit log with timestamps and approver identity.

06 Compliance Export

Generate evidence packages for auditors: patch coverage by asset group, time-to-remediate by severity, and CVE lifecycle reports. Export formats: PDF, JSON, and CSV. Retention: 24 months.

Every module. Explained.

Unified Asset Inventory

One view of every host, container, and serverless function across AWS, Azure, GCP, and on-prem. Assets are automatically tagged by environment (prod/staging/dev), business unit, and criticality tier based on your tagging convention.

Supports AWS EC2, EKS, Lambda; Azure VMs, AKS, Functions; GCP Compute, GKE; VMware vCenter 6.7+; bare-metal via SSH.

PatchScore™ Engine

Our scoring model goes beyond CVSS. It weights each finding by whether a public exploit exists (PoC or weaponized), whether the asset is internet-facing, and whether your industry is an active target in current threat intel feeds.

Pulls exploit availability from ExploitDB, Metasploit modules index, and CISA KEV. Refreshes every 4 hours.

Patch Policy Engine

Define policies per asset group: which severity tiers auto-deploy, which require approval, what the maintenance window is, and what the canary rollout percentage is. Policies are version-controlled and auditable.

Policies defined in YAML, stored in your Git repo. Changes trigger a policy validation run before activation.

Rollback Engine

Before every patch deployment, PatchGuard takes a package snapshot and records the current process health baseline. If CPU, memory, error rate, or uptime crosses a configurable threshold post-patch, automatic rollback initiates within 90 seconds.

Rollback success rate: 99.7% across 12,000 deployments in production environments to date.
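The canary-and-rollback flow described in step 04 and in the Rollback Engine module, as an added illustrative Python model that is not PatchGuard's own code: hosts are patched in 5% / 25% / 100% waves, a package snapshot is taken before each patch, and a wave whose post-patch error rate exceeds the threshold reverts every host patched so far. The Host fields, the wave-rounding rule and the 10% error threshold are assumptions made for the demo, not values from the page.

```python
"""Illustrative model of health-gated canary waves with automatic rollback."""
import math
from dataclasses import dataclass
from typing import Optional

@dataclass
class Host:
    name: str
    version: str = "1.0"
    breaks_on_patch: bool = False      # constructed fault injection for the demo
    snapshot: Optional[str] = None     # package snapshot taken before the patch

def wave_targets(n, fractions=(0.05, 0.25, 1.0)):
    """Cumulative host counts for the 5% / 25% / 100% waves.
    Assumption (not stated on the page): round up, at least one host per wave."""
    return [min(n, max(1, math.ceil(n * f))) for f in fractions]

def apply_patch(h, new_version):
    h.snapshot = h.version             # snapshot first, so the host can be reverted
    h.version = new_version

def healthy(h):
    return not h.breaks_on_patch       # stand-in for the post-patch health check

def rollback(h):
    h.version, h.snapshot = h.snapshot, None

def run_canary(hosts, new_version, error_threshold=0.10, fractions=(0.05, 0.25, 1.0)):
    """Patch in waves; stop and revert everything if a wave's error rate exceeds
    the threshold. Returns (patched_names, rolled_back_names, failed_wave_or_None)."""
    patched, done = [], 0
    for i, target in enumerate(wave_targets(len(hosts), fractions)):
        wave = hosts[done:target]
        if not wave:                   # tiny fleets: waves can coincide, skip repeats
            continue
        for h in wave:
            apply_patch(h, new_version)
        error_rate = sum(not healthy(h) for h in wave) / len(wave)
        if error_rate > error_threshold:
            for h in patched + wave:   # revert this wave and every earlier one
                rollback(h)
            return [], [h.name for h in patched + wave], i
        patched += wave                # health gate passed: proceed to next wave
        done = target
    return [h.name for h in patched], [], None

if __name__ == "__main__":
    fleet = [Host(f"web-{i:02d}", breaks_on_patch=(i == 5)) for i in range(40)]
    print(run_canary(fleet, "1.1"))    # wave 1 trips the gate: 10 hosts reverted
```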

ITSM Integration

Every high-severity finding creates a ticket in Jira or ServiceNow with pre-populated fields: CVE ID, CVSS score, PatchScore, affected assets, and a one-click approve button that triggers the patch pipeline directly from the ticket.

Jira Cloud, Jira Server 8+, ServiceNow Paris release and later. Webhook delivery <5 seconds.

Access Control

Role-based access with four built-in roles: Viewer, Analyst, Approver, and Admin. SSO via SAML 2.0 (Okta, Azure AD, Google Workspace). All actions are logged with the authenticated identity and session token hash.

MFA required for Approver and Admin roles. Audit log exports available on demand.

Built for production workloads

Scan frequency: Every 6 hours (configurable: 1h–24h)
CVE feed refresh: Every 4 hours from NVD, OSV, RHSA, USN, MSRC
Max assets: 50,000 per account (Enterprise: unlimited)
API latency (p95): <120ms
Platform uptime SLA: 99.9% (Enterprise: 99.95%)
Data encryption: AES-256 at rest, TLS 1.3 in transit
Certifications: SOC 2 Type II, ISO 27001
Agent footprint: 12 MB binary, <1% CPU at idle
Supported OS: Ubuntu 18+, RHEL 7+, CentOS 7+, Debian 9+, Windows Server 2016+
Audit log retention: 24 months (exportable at any time)

Ready to see PatchGuard in your environment?

We'll map your current patch backlog live — no sales deck required.