Let's take a look at some of the top patch management options out there. These solutions were chosen based primarily on the most recent Gartner Magic Quadrant for Client Management Tools.
Gartner noted that BMC, Hewlett Packard Enterprise (now Micro Focus) and Red Hat tend to treat patching as one aspect of managing the overall server life cycle, as opposed to having a tight focus on PCs, laptops and other similar endpoints. Multiplatform server and desktop-focused patching vendors include IBM, Ivanti, Verismic and Kaseya. For the patching of non-Microsoft applications, a major patch management pain point, Ivanti, Flexera and SolarWinds are noted as strong by Gartner analyst Terrence Cosgrove.
Get a free trial of Qualys' top-rated cloud security platform for finding and patching vulnerabilities across the cloud, on premises and mobile devices.
These are not rigid categories. There is plenty of overlap between them and vendors are steadily introducing new capabilities that blur such divisions.
- Product features comparison chart
- SolarWinds Patch Manager
- Flexera Corporate Software Inspector
- IBM BigFix
- Ivanti Patch
- Red Hat Satellite
- Kaseya VSA
- Micro Focus ZENworks Patch Management
- Verismic CMS Patch Manager
- BMC BladeLogic Server Automation
- KACE Systems Management Appliance
SolarWinds Patch Manager can automate the patching of Microsoft Windows servers and workstations for both Microsoft and third-party products. It includes a catalog of updates for products such as Google Chrome, Mozilla Firefox and Java. It requires the use of either Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).
See our in-depth look at SolarWinds Patch Manager.
SolarWinds Security Event Manager is a low-cost, feature-rich Security Information and Event Management (SIEM) system that can detect and respond to threats across your entire infrastructure from a single tool.
Flexera continuously identifies vulnerable applications and applies security patches. It leverages verified vulnerability intelligence to assess over 20,000 applications, drives patch prioritization based on criticality of vulnerabilities and security policies, provides tested patch packages for non-Microsoft applications, and integrates with management tools for patch deployment.
See our in-depth look at Flexera Corporate Software Inspector.
IBM BigFix is a collaborative endpoint management and security platform for IT infrastructure and security professionals. It provides real-time endpoint data that can re-image remote devices, distribute and patch software, discover and inventory new assets, assess application usage, and monitor and enforce compliance polices across many types of devices using multiple versions of Windows, Mac and Unix OSes and apps.
Ivanti provides several patch management options for Windows, Linux, Unix and Mac and an extensive third-party catalog of software updates. Some came from Landesk, some from Shavlik, Heat, and a long list of other acquired companies.
See our in-depth look at Ivanti Patch.
Red Hat Satellite is a Linux server management product that helps users control and optimize the lifecycle of Linux operating systems. It works in conjunction with Red Hat Insights, a configuration assessment service that analyzes system configuration state to identify performance, stability, or security risks.
See our in-depth look at Red Hat Satellite.
The Kaseya VSA Software Management module is a patching solution for Mac and Windows operating systems as well as a way to deploy hundreds of third-party software titles. It uses peer-to-peer technology to distribute patches to reduce bandwidth requirements.
See our in-depth look Kaseya VSA.
ZENworks Patch Management was inherited from HPE and Novell. It is an automated patch management solution that retrieves and deploys patches. It automates the collection, analysis, and policy-based delivery of patches to endpoints. It provides pre-tested patches for more than 40 different Windows and non-Windows operating systems.
See our in-depth look at Micro Focus ZENworks Patch Management.
Patch Manager is included in the Verismic Cloud Management Suite. It automatically keeps desktops, laptops and remote users up-to-date with security patches and software updates. A subscription includes patching for Microsoft, Linux and third-party vendors.
See our in-depth look at Verismic CMS Patch Manager.
Patching is a subset of the capabilities of BladeLogic, which also include provisioning, compliance, configuration management, and software deployment. It is normally offered as a platform, but there are options to purchase only the patch capabilities if required. Further features include the ability to stage and test patches before committing them, integration with service desk change management systems, and add-on SaaS services that enable vulnerability management and remediation.
The KACE Systems Management Appliance offers patch and endpoint management and security and can patch up to 20,000 machines in four hours. Endpoints are automatically discovered and provisioned by vendor, operating system, department, and location.
See our in-depth look at the KACE Systems Management Appliance.
Top Patch Management Providers
|SolarWinds||Microsoft Windows servers and workstations for both Microsoft and third- party products||Patch Manager is deployed in a wide range of environments ranging from dozens of nodes to several thousand||N/A||Windows application||Patch Manager is licensed on a per node basis,starting at $3,617 for up to 250 nodes (license with first-year maintenance)|
|Flexera||North America, and Europe.||Used to discover, verify,validate and document vulnerabilities in over 55,000 products||Uses Vulnerability Intelligence by Secunia Research||On-premises,virtual appliance and cloud||Pricing is per device, with no minimum number of devices|
|IBM||BigFix is used by thousands of organizations of all sizes||First query results are returned within 15 seconds,with full query on 120,000 nodes returned within 5 minutes||An intelligent agent ensures that decision-making and calculations are performed at the endpoint rather than in the network||On premises||BigFix starting prices range from $2.49/client device/year to $43.80/client/device per year depending on version and features|
|lvanti||SMB to large enterprise||N/A||Patch catalog updated twice weekly,plus Zero Day support with out of band releases for critical security updates||On premises, virtualized or cloud||lvanti standalone solutions are priced at $65 per server or $30 per workstation. Integrated solutions start at $9 per endpoint for perpetual or $5 per endpoint for subscription|
|Red Hat||Enterprise computing, server provisioning, configuration,and patch management of Linux systems||N/A||A l-based predictive analytics from Red Hat Insights||On-premise software (Satellite), Software-as- a-Service (Insights)||$192/$199 per managed server for SateIIite/lnsights, respectively|
|Kaseya||MSPs and mid-market enterprises||Kaseya manages over 10 million endpoints with its management, monitoring and patching solution||Endpoints can securely share patches for rapid deployment without the overhead of huge patch downloads over the internet||On-premises or cloud||$0.50/endpoint/month|
|Micro Focus||SMEs to large enterprises||More than 10,000 pre-tested patches for more than 100 major current and legacy applications and operating systems||Automatic patch deployment based on pre-defined policies||Software or virtual appliance||No pricing data available|
|Verismic||SMBs to enterprises, as well as MSPs||Verismic has deployed over five million patches globally||Automatically discovers network devices,and predictive patch management prioritizes patching and threat remediation||Software as a Service||Subscription based|
|BMC||Targets include larger enterprise customers with complex patching and security needs||BMC BladeLogic supports some enterprises with more than 150,000 servers under management||Provides operational context to security scans||On-premises solution, though there are also customers running BladeLogic inside of AWS and Azure||No pricing data available|
|Kace||Mid to large enterprises, including regulated industries||Patches up to 20,000 machines in four hours; solution includes endpoint management||Detects missing patches; can be scheduled at least disruptive times||Hardware,virtual appliance,and 'as a service'||No pricing data available|