Don't Just See CVEs — Close Them Automatically
Most scanners hand you a long list of open vulnerabilities and leave the patching to your team. Server Monitor closes the loop: detect, alert, remediate, report. Security updates are rolled out in a controlled way through a strictly allowlisted command chain — matched against a multi-source feed that includes the German BSI, with a complete audit trail.
The Problem: Detecting Vulnerabilities Is Only Half the Job
Classic vulnerability scanners are good at finding problems. What you get in the end is a list: "14 open CVEs on this server." What follows is manual work — someone has to review, prioritise, find a maintenance window, apply the update, and document that it happened. In teams without dedicated 24/7 ops staff, this step often gets stuck. The gap has been detected, but it is still wide open.
The more servers a company runs, the more untenable this manual patch cycle becomes. The dashboard flashes red, yet actual risk reduction only happens once a human takes action. It is exactly this gap between detection and remediation that Server Monitor closes.
The Closed Loop: Detect → Alert → Remediate → Report
Server Monitor automates not only detection but remediation as well. The Go agent captures pending updates, SSH hardening, firewall status, and kernel level, and computes a security score from them. Detected vulnerabilities can then be closed directly from the platform — in a controlled and traceable way.
Dry-Run First, Then the Real Update
Remediation runs through a deliberately narrow command chain. First, a dry-run transparently shows what would be patched without changing anything. Only on approval does the agent trigger the real `security_update`; a reboot happens only if it has been approved and falls within a valid maintenance window. The agent independently detects whether a restart is required.
Crucial for security: the agent executes nothing but a strictly defined allowlist of commands (`dry_run`, `security_update`, `reboot`). User input is never interpolated into system commands. This rules out remote code execution at the architectural level — the automation does not widen the attack surface.
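The allowlist and approval gating described above, as an added Go example that is not Server Monitor's own code. The `Request` and `Window` types, the `Plan` function, and the argv values (Debian/Ubuntu `unattended-upgrade` and `systemctl`) are assumptions; only the three command names come from the text.

```go
package main

import (
	"fmt"
	"time"
)

// Fixed argv per allowlisted command. The three names come from the page;
// the argv values are assumptions for a Debian/Ubuntu host.
var allowlist = map[string][]string{
	"dry_run":         {"unattended-upgrade", "--dry-run"},
	"security_update": {"unattended-upgrade"},
	"reboot":          {"systemctl", "reboot"},
}

// Request is a hypothetical message from the platform to the agent.
type Request struct {
	Command  string
	Approved bool // operator approval recorded by the platform
}

type Window struct{ StartHour, EndHour int } // daily window, UTC hours; may wrap midnight

func (w Window) Contains(t time.Time) bool {
	h := t.UTC().Hour()
	if w.StartHour <= w.EndHour {
		return h >= w.StartHour && h < w.EndHour
	}
	return h >= w.StartHour || h < w.EndHour // window wraps midnight
}

// Plan returns the fixed argv for a request; no request data is copied into argv.
func Plan(r Request, w Window, now time.Time) ([]string, error) {
	argv, ok := allowlist[r.Command] // exact match only, no prefix or pattern matching
	if !ok {
		return nil, fmt.Errorf("command %q not in allowlist", r.Command)
	}
	if r.Command != "dry_run" && !r.Approved {
		return nil, fmt.Errorf("%s requires approval", r.Command)
	}
	if r.Command == "reboot" && !w.Contains(now) {
		return nil, fmt.Errorf("reboot outside maintenance window")
	}
	return append([]string(nil), argv...), nil // run with exec.Command(argv[0], argv[1:]...), never a shell
}

func main() { // constructed request and timestamp
	fmt.Println(Plan(Request{"reboot", true}, Window{1, 4}, time.Date(2024, 1, 10, 2, 30, 0, 0, time.UTC)))
}
```

Because the request string is used only as a map key, anything that is not byte-for-byte one of the three names is rejected before a process is ever started.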
Six Vulnerability Sources — Including the German BSI
The quality of remediation stands or falls with the quality of detection. Server Monitor matches the packages it finds against six sources:
- OSV — Open Source Vulnerabilities, the cross-source database for open-source vulnerabilities.
- NVD — the National Vulnerability Database as the international reference.
- Debian and Ubuntu — distribution-specific security trackers for precise package matching.
- CISA-KEV — the catalogue of known, actively exploited vulnerabilities.
- BSI — the feed of the German Federal Office for Information Security.
The dpkg-aware version comparison is optimised for Debian and Ubuntu. This multi-source matching improves hit quality and noticeably reduces false positives compared with tools that consult only a single database.
Every Step Logged Tamper-Proof
Every status change of a vulnerability is recorded in an append-only audit trail — entries can neither be overwritten nor deleted. "You have 14 CVEs" thus becomes not just "14 CVEs were closed," but a robust, auditable record: when each gap was detected, when it was remediated, and in which step. That is exactly what you need for security and compliance audits.
Planned downtime can be mapped through maintenance windows, so neither alerts nor reboots turn into false alarms or unwanted restarts. This keeps the Server Monitor automation predictable, even when it patches autonomously at night.

Vulnerability Management from the EU
Multi-source matching including the German BSI feed — your data stays within the European legal area.
