Patch management is a critical cybersecurity practice that doesn’t get nearly the attention it deserves. It’s also much harder than it appears, as witnessed by the data breaches that happen daily because of old vulnerabilities that a company failed to patch.
The good news is that patch management and vulnerability management tools can help, and they’re getting more sophisticated all the time. Patch management still isn’t easy — many organizations don’t even know everything that’s attached to their networks, let alone whether it’s patched — but patch management tools can help organizations find what needs to be patched and automate those security fixes.
We’ll cover the top patch management products, followed by buying considerations for those in the market for a patch management solution.
Top Patch Management Software & Tools
- Syxsense Manage: Best for Comprehensive Small Business Security
- Tanium Patch: Best for Distributed Enterprise Networks
- Automox: Best for Automation
- BMC Helix Automation Console: Best for Compliance Automation
- Ivanti Patch: Best All-in-One Solution
- Red Hat Satellite: Best for Linux Environments
- Kaseya VSA: Best for Remote Monitoring & MSPs
- BigFix: Best for Endpoint Management
- Micro Focus ZENworks: Best for Endpoint Patching
- Quest KACE Systems: Best for IT Asset Tracking
- SecPod SanerNow: Best for Remote Patching
- NinjaOne: Best for Unified IT Management
- Key Features of Patch Management Software
- Choosing a Patch Management Solution
Syxsense Manage
Best for Small Businesses in Need of Comprehensive Security
Syxsense Manage is a cloud-based platform that offers patch management and endpoint visibility inside the network and out, and covers all major operating systems and third-party applications too. It includes a wealth of automation features and offers endpoint intelligence with OS, hardware, and software inventory details. The system scans and sets security and patching priorities based on risk. It’s available as SaaS or a managed service.
- Patch management: Deploy operating system patches, third-party patches, and Windows 10 Feature Updates to Windows, Mac, and Linux devices automatically
- Visibility: Provides endpoint visibility across major OS and IoT devices
- Advanced threat detection: Scan for software vulnerabilities, security compliance violations, and potential security threats with the ability to respond in real-time using advanced threat detection
- Syxscore: This security assessment tool provides NIST and vendor severity assessments of the endpoints in your environment
- Patch supersedence: Automatically exclude superseded patches and include newer ones, saving time and network bandwidth
- Remote control: Admins can access employees’ devices remotely and resolve issues
- Cross-platform support (Windows, Mac, Linux, iOS, and Android)
- Allows targeted deployment
- Patch rollback in case a patch is buggy
- Three-hour turnaround for the testing and delivery of new patches
- Some users report a steep learning curve
- Lack of documentation for some advanced features
Pricing information is unavailable on the vendor’s website, but Syxsense Manage previously started at $600 a year for 10 devices. Syxsense provides a custom demo and a 14-day free trial period with access to all product features.
Tanium Patch
Best for Distributed Enterprise Networks
Tanium Patch enables organizations to deploy the latest critical updates and security patches across their entire IT environment. IT and security teams can determine which systems need patching, identify potential conflicts, and deploy patches at scale without disrupting user productivity. With Tanium Patch, IT operations teams can keep systems up to date with automated patching across the enterprise at speed and scale, as well as monitor patch status across devices. Tanium is well-liked by users but aimed primarily at the large enterprise market. It is pricier than many other solutions and is often included as part of a larger Tanium endpoint suite.
- Real-time patch visibility and control: Tanium allows users to manage hundreds of endpoints and deploy patches at scale
- One client: This tool allows users to patch multiple endpoints without the need for additional infrastructure such as secondary relay, database, or distribution servers
- Customized patch scheduling and workflows: Deploy a single patch to a computer group and use advanced rule sets and maintenance windows to deploy patches to other groups at scheduled times
- Patching effectiveness tracking: Tanium Patch provides quick feedback on deployment success or failure, patch histories for individual machines, endpoint reboot status and access to vendor knowledge base articles (KBAs)
- Create dynamic lists, rules, and exceptions with custom workflows, and schedule patches based on advanced rules
- Serves users in a range of verticals, including government (federal, state and local), education, financial services, retail and healthcare
- Enables collaboration between IT security and management personnel to allow them to optimize network security and performance
- Consolidates all historical data on device endpoints, security drivers, firmware, and software version gaps
- Indicates the percentage of outstanding critical patches, which ones should be deployed first to minimize risk, and which endpoints need protection until a patch is available
- The user interface could be improved
- Users report high CPU utilization
While Tanium doesn’t publish pricing, we’ve seen subscription pricing around $7 a month per endpoint. Interested buyers should contact the vendor for custom quotes. They offer a two-week free trial.
Automox
Best for Automation
Automox is a cloud-based patch and configuration management platform that enables users to quickly and easily automate and manage device security and compliance across their IT environment. Automox is a SaaS product backed by investment from leading endpoint security vendor CrowdStrike. Primarily a patch management tool, Automox is gradually expanding its offering as it transforms into an endpoint hardening platform that supports Windows, macOS, and Linux from a single console. It enables continuous connectivity for local, cloud-hosted, and remote endpoints without needing on-premises infrastructure or tunneling back to the corporate network.
- Integration: Automox integrates with third-party technology such as Rapid7, ServiceNow, SentinelOne, Freshworks, CrowdStrike, and Splunk
- Automated policy enforcement: Set policies to manage or blocklist software, enforce password settings, and lock USB access
- Extensive OS patching tools: Patch, configure and track inventory to quickly remediate vulnerabilities before adversaries can exploit them, plus report the vulnerability status of all devices
- Unified console: Automox allows you to automate cross-OS patch management, enforce patches, security configurations, software deployment, and custom scripting across your Windows, Mac and Linux systems from one console
- Supports Windows, macOS, and Linux
- Automated continuous patching of OS and third-party applications
- Good integration with CrowdStrike products
- User-friendly interface
- Remotely execute PowerShell scripts on a schedule or by device group
- Enables seamless collaboration between SecOps and ITOps
- Knowledgebase could be improved
- Reporting functionality could be better
Automox offers three pricing plans, and rates are determined by the number of devices in your environment. All plans are eligible for a 15-day free trial.
- Basic: $3 per month per device, billed annually
- Standard: $5 per month per device, billed annually (eligible for 10% discounts for over 550 devices)
- Complete: $7 per month per device, billed annually (eligible for 10% discounts for over 550 devices)
BMC Helix Automation Console
Best for Compliance Automation
BMC Helix Automation Console (previously BMC Helix Vulnerability Management) simplifies patching, remediates security vulnerabilities, and ensures compliance using automation and analytics. It is a hybrid solution deployed in the cloud and uses an automation engine located on-premises for remediation. BMC Helix Automation Console also works with change management to form a closed-loop change management solution. It can manage compliance with regulations and policies and automate remediation of out-of-compliance conditions. The console is built using microservices and containers.
BMC Helix Automation Console integrates with a variety of vulnerability scanners to collect data for IT resources, both on-premises and in the cloud. After consolidating the vulnerability scanner data collected, it uses analytics to transform that data into actionable information, maps vulnerabilities to assets and patches, helps determine risks and priorities and automates patch acquisition and deployment to remediate security exposures. It also works with BMC Discovery for blind spot detection and change automation with BMC ITSM.
- Automated remediation: Maps vulnerabilities to servers and patches, identifies severity level and business services affected, schedules remediation, and takes automatic corrective action
- Visibility: Offers real-time insight into security flaws, unmapped assets, missing patches, and misconfigured resources
- Compliance: Ensures that regulations and internal policies are consistently followed to ensure audit preparedness
- Policy-based patching: Reduce patching complexity by utilizing policy-based patching to decrease the required number of patch deployment jobs
- Intuitive user interface
- Risk scoring for vulnerability prioritization
- Integrates with vulnerability scanners to collect data for on-premises and cloud IT resources; works with discovery solutions to identify blind spots to scan
- Provides insight into vulnerabilities, severities, SLAs, trends, and remediation progress through patch dashboards
- Reporting feature could be improved
- Advanced features documentation could be better
BMC doesn’t publish pricing for Helix Automation Console. Quotes are available upon request.
Ivanti Patch
Best All-in-One Solution
Ivanti Patch offers a solid patching solution, although its product portfolio has gotten a little complex following the acquisition of Shavlik, MobileIron, and Lumension. There are a few options for patching solutions:
- Ivanti Patch for Endpoint Manager (formerly LDMS) can detect vulnerabilities in Windows, Mac OS, Linux, and hundreds of third-party apps, as well as deploy pre-tested patches
- Ivanti Security Controls provides PowerShell and REST APIs to allow for extensive automation of critical workloads
- Ivanti Patch for MEM provides an extensive catalog of updates and has a rapid time to implementation as well as quick discovery from inventory or vulnerability assessments
- Ivanti Neurons for Patch Intelligence: This is a supplemental analytics solution that extends all three of Ivanti’s patch management solutions and helps you achieve faster SLAs for vulnerability remediation efforts via supervised and unsupervised machine learning algorithms
- Patch management: Patch OS, third-party apps, physical and virtual servers, and systems that aren’t always connected
- Patch virtual systems: Patch online and offline VMs, hypervisors, templates, and third-party applications
- Dynamic allowlisting: Develop policies that are both adaptable and proactive to guarantee that only approved and trusted software can be run on a system
- Third-party application patching: Allows users to access their most vulnerable apps, including Acrobat Flash, Java, and multiple Internet browsers
- Remote patching: Users can patch remote devices regardless of the location or status
- Vulnerability detection and remediation for various OSes, including Windows, macOS, and Linux; it can also scan and report on AIX, CentOS, and HP-UX vulnerabilities
- Dashboard and reports to assess vulnerability and patch status
- Patch devices anywhere via Wake-On-WAN, booting, do-not-disturb events, and maintenance windows
- The reporting feature could be improved
- Steep learning curve
Ivanti Patch does not advertise pricing on its website, but we’ve seen subscription pricing starting in the $4 to $7 range depending on volume. Prospective buyers should contact the sales team to inquire about product options and receive a custom quote.
Red Hat Satellite
Best for Linux Environments
Red Hat Satellite is an infrastructure management product specifically designed to keep Red Hat Enterprise Linux environments and other Red Hat infrastructure running efficiently, with security, patching, and compliance. Patching is only one small part of a broader platform. But for those operating Linux environments, whether physical, virtual, or cloud, it will often make the shortlist.
Red Hat Satellite can help organizations track, manage, and deploy software updates across their environment and monitor, report on, and diagnose system issues. Red Hat Satellite can manage the life cycle of Red Hat infrastructure and configuration content such as Red Hat data services, virtualization, directory server, certificate system, OpenShift container platform and other software available as an RPM.
- Ability to define and manage SOE: Ensure SOE (standard operating environment) through security patching, updates, and enhancements
- Automated patch: Patch hundreds or thousands of systems at once
- Deploy and track Red Hat and third-party software: Deploy all Red Hat and third-party software via Satellite, which provides improved security and tracking of deployed systems
- Red Hat Satellite Capsule Server instances make this tool highly scalable
- Significantly improves system-to-administrator ratios by automating patch and configuration management, and provisioning
- It allows the admin to identify and quickly respond to vulnerabilities like Shellshock, Heartbleed, and GHOST
- The user interface could be improved
- Reporting features could be improved
Red Hat does not advertise pricing for its Satellite product on its website. Interested buyers should contact a sales representative in their region for custom quotes. Alternatively, potential buyers can fill out the contact form on the website, and a sales representative will get back to them.
Kaseya VSA
Best for Remote Monitoring & MSPs
Kaseya VSA is a cloud-based Remote Monitoring and Management (RMM) platform designed to help IT service providers automate IT management and security processes across multiple devices in an organization. It provides an integrated view of the entire IT infrastructure and delivers actionable insights to help IT professionals proactively monitor and manage IT systems.
Kaseya VSA can help IT teams automate common IT management and security tasks such as patching, asset tracking, and audit and inventory. It also provides features such as remote access and remote control, policy-based scripting, and more.
Kaseya VSA is focused on the MSP market. The suite includes comprehensive IT management, IT automation, and security features. Security includes automated software patch management and vulnerability management, access control via 2-factor authentication, management of backups, and antivirus/anti-malware management from a single interface.
- Policy-based patch management: Simplify software maintenance with automated, standardized policies, streamlining patch deployment and approvals, scheduling, and installation
- Rapid distribution on and off-network: VSA’s agent endpoint fabric optimizes the delivery of installer packages, eliminating the need for centralized file share or LAN cache
- Scan and analysis: Schedule periodic network scans and analysis to automate software updates without user disruption
- Scheduling control: Its Blackout Windows allow users to suspend operation for a specified period
- Patch override: Deny a patch or KB (knowledge base article), or block an update for specific machines, overriding the default patch classification
- Manage multiple devices, including mobile and business IoT
- Support various environments, including on-premise, cloud and hybrid
- Enhances threat detection with EDR, managed SOC, DDoS protection, WAF, AV, and more
- VSA remotely connects and manages various devices, including printers, firewalls, switches, and routers, with one click
- Steep learning curve
- One user reported that the live connect feature infrequently disconnected
Kaseya VSA does not disclose pricing on its website, and potential buyers can contact sales for custom quotes. Those interested in the product can also sign up for a 14-day free trial to test out the product and get a better sense of how it works and what it offers.
BigFix
Best for Endpoint Management
IBM sold BigFix to HCL in 2019. The functionality still survives, although the patching side is largely buried among a huge list of other applications and features. HCL BigFix is an endpoint management platform that enables IT and security teams to automate discovery, management, and remediation, whether on-premises, virtual, or cloud—regardless of operating system, location, or connectivity. However, BigFix Patch is offered as a low-cost automated patching tool.
- Automate patching: Patches hundreds of thousands of endpoints regardless of type, location, connection, or status
- Scalability: BigFix manages up to 300,000 endpoints per management server
- Visibility: Provides insight into patch compliance with flexible, near-real-time monitoring and reporting
- Unify patching: Patches almost 100 different operating systems and variants with one platform using HCL-provided content
- Allows patching across Windows, UNIX, Linux and macOS endpoints
- Remotely wipe a lost device
- Achieves 98% first-pass success rate
- Free trial up to one month
- Support could be improved
- Reporting functionality could be better
BigFix does not advertise pricing on its website, but BigFix Patch can be had for about $3 a client per year. Potential buyers can contact sales for custom quotes, and those interested in trying out BigFix can sign up for a free 30-day trial or book a free demo.
Micro Focus ZENworks Patch Management
Best for Endpoint Patching
ZENworks Patch Management automates the collection, analysis, and policy-based delivery of patches to endpoints. It provides pre-tested patches for more than 40 different Windows and non-Windows operating systems. It is part of the comprehensive ZENworks endpoint management suite and covers systems, applications, and devices across physical, virtual, and cloud environments.
- NIST-based: Uses the NIST common vulnerabilities and exposures (CVEs) database to identify and mitigate risk through manual or automated patch deployment
- Policy-based patching: Patching policies can automate patch delivery in defined maintenance windows once compliance rules are set
- Interactive dashboards: Allows users to customize their dashboards to track devices, individual CVE, or software patch status and trends
- OS and third-party apps: Patch Windows, Linux, and Mac systems. It also extends OS update management to iOS and Android with endpoint device management
- Easy to set up
- Automated job execution
- Scan schedule allows users to control scan time and frequency
- The user interface could be improved
- Users report that product updates and fixes take time
ZENworks Patch Management pricing is not published, so interested buyers should contact a sales representative.
Quest KACE Systems Management Appliance
Best for IT Asset Tracking
Quest KACE Systems Management Appliance is an IT systems management solution designed to help IT administrators to manage their entire IT infrastructure, from desktop to server, in an automated and secure way. It provides a platform for managing all aspects of IT, including patch management, software distribution, asset inventory, security, compliance, reporting and more. With this solution, IT administrators can quickly and easily deploy and manage IT systems, maintain compliance with industry standards and keep their IT infrastructure secure and up-to-date.
The Quest KACE Systems Management Appliance is another worthy contender, but it’s a broader endpoint management tool. It covers various endpoints, including laptops, servers, IoT devices, and printers. It goes beyond patch management to include service desk capabilities, server monitoring, and inventory and asset management, among other features.
- Inventory and IT asset management: KACE SMA provides hardware and software inventory for Windows, Mac, Linux and UNIX systems, as well as OS and hardware inventory for Chromebooks, using Google APIs
- Server management and monitoring: Easily configure and integrate KACE SMA’s server log monitoring for Windows, Mac, Linux & UNIX with their service desk and KACE Go mobile app. Expand capabilities with threshold monitoring for CPU, memory and disk metrics, plus monitor for requested applications.
- Patch third-party apps: Patch applications such as Microsoft Office, Zoom, and Adobe Reader
- Software license management: KACE SMA software license management lets users swiftly blacklist apps (like games or those with known vulnerabilities), blocking end users from running them and avoiding security or productivity issues. Generate reports to detect illegal apps, then uninstall them.
- Supports Windows, Mac OS X, Linux, UNIX, Chrome, iOS and Android
- Users find the scripting functionality valuable
- Software distribution is not available on UNIX platforms
- A user reported the KACE Go Mobile App is sometimes glitchy
Interested buyers should contact the sales team for quotes. They also offer a 14-day free trial.
SecPod SanerNow
Best for Remote Patching
SecPod SanerNow Patch Management is an automated security solution for businesses and organizations that helps protect against cyber threats. It provides continuous vulnerability assessment, asset discovery, patch management, and compliance reporting. It also features user access control, data protection, and threat detection and response capabilities.
SecPod SanerNow is designed to automate patching. From detection to deployment, it takes care of all aspects of patching on Windows, Mac, and Linux, as well as third-party applications. Its pre-tested patches are made available within 24 hours of being released by the vendor.
- Compliance: Regulate devices with HIPAA, PCI, ISO, and NIST benchmarks
- Automated, audit-ready reporting: SanerNow offers automated, customizable asset reports for anytime audit-readiness, tracking and reporting IT asset metrics in real-time
- Endpoint health metrics: Allow users to monitor and assess over a hundred endpoint health metrics, such as settings and configurations, in real-time
- Control: Uninstall apps, block devices, start or stop services, apply security controls, configure kernel and firewall, deploy software, run scripts, and quarantine devices
- Asset discovery: Detect malicious or vulnerable assets across all enterprise devices with an IT asset discovery app, whitelist approved apps and blacklist malicious or outdated assets
- Supports all major OS platforms such as Windows, Mac, and Linux
- Supports over 400 third-party applications
- Allows role-based access control
- Its database contains over 160,000 vulnerabilities
- Users reported that the admin dashboard needs improvement
- Documentation could be improved
SecPod SanerNow pricing is not publicly available. Contact their sales team for quotes.
NinjaOne
Best for Unified IT Management
NinjaOne (formerly NinjaRMM) can patch endpoints in large numbers. Its automation can be configured by deployment time or by patch category. This application combines patching with remote control, scripting, and antivirus.
- Cross-platform: Patch Windows, Mac, and Linux servers, workstations, and laptops from a centralized platform
- Patch automation: Patch endpoints with zero-touch patch identification, approval, and deployment
- Networkless wake-for-patch: Automatically wake the device before patch scans and updates without the need for wake-on-LAN
- Patch reporting: Report on patch compliance status, failed patch deployments, and known endpoint vulnerabilities
- Unified management from a single pane of glass
- Efficient support team
- Advanced automation
- Reporting functionality could be improved
- Documentation could be better
NinjaOne uses a pay-per-device pricing model. Prospective buyers should contact NinjaOne sales for custom quotes.
What are Key Features of Patch Management Software?
Patch management tools need certain capabilities to be effective; here are some of those key features.
- Automation: Patching tools need to automate the process of installing multiple patches across many systems simultaneously.
- Patch testing and rollback: Patches from vendors should be tested before they are deployed. Left as an in-house function, this is often the bottleneck that prevents timely deployment of patches. Some vendors now offer testing as part of their service. And if a patch goes bad, a rollback feature returns the enterprise to the previous state.
- Cloud functions: Patching tools should at least be cloud-enabled if not cloud-based.
- Discovery: Detection of available updates based on inventory. The system should self-assess and offer guidance on what to install in which sequence.
- Prioritization: There are always more updates than organizations feel they can respond to effectively, so prioritization based on more than vendor severity is critical.
- Cross-platform support: Management of all endpoints from one centralized location, including cross-platform support for Windows, macOS, and the many versions of Linux.
- Reporting: Most want to understand the compliance of their environment and see overall insights on patching needed to show that SLAs are being achieved.
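The discovery, supersedence, and prioritization features listed above are easy to describe but worth seeing in working form. The following Python script is an added illustration, not code from any vendor on this page: it checks a constructed host inventory against a constructed patch catalog, drops patches that a newer applicable patch supersedes, and ranks what remains by more than the vendor's severity label (CVSS base score, whether the flaw is known to be exploited, and whether the host is internet-facing). The catalog, hosts, version strings, and weighting factors are all made up for the example.

```python
"""Added example: build a risk-ranked patch queue from inventory and a patch catalog.

Everything here (catalog entries, hosts, version numbers, weights) is constructed
for illustration; it is not any vendor's feed format or scoring model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    patch_id: str
    package: str
    fixed_version: str      # first version that contains the fix
    vendor_severity: str    # the label the vendor assigns (low/moderate/important/critical)
    cvss: float             # base score of the worst CVE the patch addresses
    known_exploited: bool   # True if the flaw is listed as exploited in the wild
    supersedes: tuple = ()  # ids of older patches this one replaces


@dataclass(frozen=True)
class Host:
    name: str
    installed: dict         # package name -> installed version string
    internet_facing: bool


def parse_version(version):
    """Dotted numeric versions only (assumption); real tools need per-platform comparators."""
    return tuple(int(part) for part in version.split("."))


def find_missing(host, catalog):
    """Discovery: every catalog entry whose package is installed below the fixed version."""
    missing = []
    for patch in catalog:
        current = host.installed.get(patch.package)
        if current is not None and parse_version(current) < parse_version(patch.fixed_version):
            missing.append(patch)
    return missing


def drop_superseded(patches):
    """Supersedence: skip any patch that another applicable patch declares it replaces."""
    replaced = set()
    for patch in patches:
        replaced.update(patch.supersedes)
    return [patch for patch in patches if patch.patch_id not in replaced]


def risk_score(patch, host):
    """Prioritization beyond vendor severity: CVSS, weighted by exploitation and exposure.

    The 1.5 and 1.2 multipliers are illustrative assumptions, not an industry standard.
    """
    score = patch.cvss
    if patch.known_exploited:
        score *= 1.5
    if host.internet_facing:
        score *= 1.2
    return round(score, 2)


def build_queue(hosts, catalog):
    """Return (score, host, patch_id) tuples, highest risk first."""
    queue = []
    for host in hosts:
        for patch in drop_superseded(find_missing(host, catalog)):
            queue.append((risk_score(patch, host), host.name, patch.patch_id))
    queue.sort(key=lambda entry: (-entry[0], entry[1], entry[2]))
    return queue


# Constructed sample catalog: two openssl patches where the second supersedes the first,
# a "moderate" curl patch that is known-exploited, and a "critical" sudo patch.
CATALOG = [
    Patch("OS-2024-01", "openssl", "3.0.7", "important", 7.5, False),
    Patch("OS-2024-02", "openssl", "3.0.9", "important", 7.5, False, supersedes=("OS-2024-01",)),
    Patch("CU-2024-07", "curl", "8.4.0", "moderate", 5.3, True),
    Patch("SU-2024-03", "sudo", "1.9.14", "critical", 9.8, False),
]

# Constructed sample inventory: one exposed web host, one internal build host.
HOSTS = [
    Host("web01", {"openssl": "3.0.2", "curl": "8.1.0"}, internet_facing=True),
    Host("build02", {"openssl": "3.0.8", "sudo": "1.9.12", "curl": "8.4.0"}, internet_facing=False),
]


if __name__ == "__main__":
    for score, host, patch_id in build_queue(HOSTS, CATALOG):
        print(f"{score:5.2f}  {host:<8} {patch_id}")
```

Run as-is, the queue puts the critical sudo patch on build02 first, but the vendor-"moderate" curl patch on web01 second, ahead of the "important" openssl patch, because it is known to be exploited and the host is exposed. web01 also gets only OS-2024-02, not both openssl patches, which is the bandwidth saving that patch supersedence buys.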
How Do You Select Patch Management Software?
Choosing new or replacement patch management software can be challenging. Many vendors appear to offer similar features, and many are also part of larger IT management suites. Here are a few tips to ease the selection process.
- Cloud or on-premises: If the application is installed inside the corporate firewall, additional hardware and software may be involved. On-premises systems may struggle to patch devices outside the firewall.
- Maintenance & support: Some vendors charge extra for maintenance, others roll it into one SaaS price. And check support quality and any limitations.
- Bandwidth: It is important to test solutions to determine how much bandwidth a patch consumes. If a lot of systems are being patched, some tools can strain network capacity.
- Agents: Most patch management tools use agents to establish a connection between the endpoint and the management cloud/server. It is important to understand how the agent functions and to research any performance overhead it may create. Some poll the server every 60 minutes, which can delay the completion of urgent tasks. Others have an always-open connection.
- OS & app support: Check to see what operating systems the tool supports, whether Windows, Mac, or Linux, as well as cloud platform and application support.
Bottom Line: Patch Management Tools & Software
Patch management is not an optional cybersecurity practice, and the companies that are best at it perform patch management continuously. That’s not easy for a company that doesn’t have the staff or sophistication for an intensive process, so choose the patch management tool that best makes the job easier for your organization.
- Patch Management Best Practices & Steps
- Top Vulnerability Management Tools
- Top Breach and Attack Simulation (BAS) Vendors
Drew Robb contributed to this research report