
Best Vulnerability Management Tools in 2026

Sena Sezer
Updated May 22, 2026

We benchmarked four leading vulnerability management tools across 11 dimensions. The results reveal a market where “vulnerability management” means four different things to four vendors. Some build CVE-first detection pipelines; others track patch availability as a proxy for risk; one explicitly delegates scanning to third-party tools.

Vulnerability management benchmark results

| Dimension | ManageEngine VMP | NinjaOne | Automox | Action1 |
| --- | --- | --- | --- | --- |
| Trial access | Self-serve, minutes | Sales-led, hours–days | Self-serve, 2FA + business email | Self-serve, minutes |
| Detection latency | 5–6 min (manual); 90 min auto; ~25h new CVE feed | Inventory: 35s; CVE correlation: ~24h | No CVE detection | Windows ≤11 min; Linux: no CVE output |
| Detection accuracy | NVD feed, independent of patch catalog | Patch-catalog only; trial CVE feed inactive | Patch-catalog only; LibreOffice + Firefox ESR blind spots confirmed | Windows: full CVE pipeline; Linux: version delta only |
| Patch & remediation | 106,973 catalog; wizard with rollback + SSP | Policy structure present; deploy not tested (System Admin required) | Patch Tuesday-aware; CSV import from Qualys/Tenable/Rapid7 | 1-min deploy; P2P LAN; reboot orchestration; Windows takeover |
| Alert & notifications | No outbound channel, SMTP absent at all layers | No Vulnerability category in Activities; VM generates no alerts | Multi-channel claimed; not verified in console | Email; single recipient only; silent suppression |
| Endpoint footprint | 26 MB idle (spawn-on-demand) | 116 MB peak | 8.8 MB peak: lightest in group | 51.7 MB stable; 0.013% avg CPU |
| Device type coverage | Windows + Linux + macOS; no mobile/virtual | Win/Lin/Mac + iOS/Android + Hyper-V/VMware + cloud monitor | Windows + Linux + macOS; no mobile/virtual | Windows + Linux + macOS; no mobile/virtual |

Key findings

  • Automox and NinjaOne flag vulnerabilities based on patch catalog availability, not CVE-NVD version matching. If no update exists in their catalog for a software version, the tool reports “No Known CVEs” regardless of actual CVE count. LibreOffice 7.1.8.1 (100+ documented CVEs) and Firefox ESR 115.12.0 both returned “No Known CVEs” in Automox for this reason. ManageEngine and Action1 use independent CVE feeds and report vulnerabilities whether or not a patch is available.
  • No tool detects software installed outside the package manager. Binaries extracted to /opt/, compiled from source, or distributed by vendors outside their official package repositories are invisible to all four tools. ManageEngine and NinjaOne match CVEs for dpkg-listed packages. Action1 inventories dpkg packages but returns no CVE data for them on Linux. Automox has no independent CVE detection at all.
  • NinjaOne’s VM module does not generate alerts and has no report template. The alert framework lists 13 categories including Windows Patch Management, Bitdefender, and CrowdStrike. Vulnerability and CVE are not among them. The report catalog includes a 10-section Patch Compliance template but no equivalent for vulnerability management.
  • Automox requires an external scanner to detect CVEs. The Remediations page imports CSV exports from Qualys, Tenable, Rapid7, or CrowdStrike, then matches those CVEs against its patch catalog. It performs no independent detection.
  • ManageEngine and Automox have no outbound alert channel. ManageEngine has no SMTP configuration at any layer: global settings, per-user preferences, or per-report delivery. Automox’s web documentation lists Slack, Teams, and webhook support, but this was not verified in the console during testing.
  • NinjaOne uninstalled Automox two minutes after installing on the same Windows VM. The Activities log recorded: “Software uninstalled: ‘Automox Agent’, User: System.” The uninstall was incomplete: the service registration and program files remained. On Linux, ManageEngine, Action1, and NinjaOne ran side by side without any agent removing another.

Metrics measured

Detection latency: A known-vulnerable binary was installed on a clean endpoint with the install completion timestamp recorded to the second. The clock stopped when the CVE appeared in the product’s vulnerability panel.

Detection accuracy: Software with well-documented CVE histories was installed across Windows and Linux via three paths: MSI/EXE (registry-tracked), dpkg (package manager), and vendor tarball extracted to /opt/ (outside the package manager).
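Because the third install path is invisible to all four agents, a defender can close the gap with an independent check that lists executables dpkg does not own. The following is an added example, not code from the original article or from any vendor; the scan roots (/opt and /usr/local) and the ELF/shebang heuristic are assumptions, and the script only reads the standard dpkg file lists.

```python
"""Added example: list executables under /opt and /usr/local that dpkg does not own."""
import os
import stat

# Assumption: out-of-band installs (vendor tarballs, source builds) land here.
DEFAULT_ROOTS = ("/opt", "/usr/local")


def load_dpkg_manifest(info_dir="/var/lib/dpkg/info"):
    """Collect every path dpkg claims, read from the per-package *.list files."""
    owned = set()
    if not os.path.isdir(info_dir):
        return owned
    for name in os.listdir(info_dir):
        if not name.endswith(".list"):
            continue
        list_path = os.path.join(info_dir, name)
        with open(list_path, encoding="utf-8", errors="replace") as fh:
            owned.update(line.rstrip("\n") for line in fh if line.strip())
    return owned


def looks_executable(path):
    """True for ELF binaries and shebang scripts (heuristic on the first bytes)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return head == b"\x7fELF" or head[:2] == b"#!"


def find_unmanaged_executables(roots, owned):
    """Walk the roots and return executable files that no dpkg package lists."""
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for fname in filenames:
                path = os.path.join(dirpath, fname)
                try:
                    mode = os.lstat(path).st_mode
                except OSError:
                    continue
                # Skip symlinks, directories and files without any execute bit.
                if not stat.S_ISREG(mode) or not (mode & 0o111):
                    continue
                if path in owned or os.path.realpath(path) in owned:
                    continue
                if looks_executable(path):
                    findings.append(path)
    return sorted(findings)


def group_by_install_dir(findings, roots):
    """Group findings by first directory under a root, e.g. /opt/firefox-115.0esr."""
    groups = {}
    for path in findings:
        for root in roots:
            rel = os.path.relpath(path, root)
            if rel.startswith(".."):
                continue
            top = rel.split(os.sep)[0]
            groups.setdefault(os.path.join(root, top), []).append(path)
            break
    return groups


if __name__ == "__main__":
    owned_paths = load_dpkg_manifest()
    unmanaged = find_unmanaged_executables(DEFAULT_ROOTS, owned_paths)
    for install_dir, files in group_by_install_dir(unmanaged, DEFAULT_ROOTS).items():
        print(f"{install_dir}: {len(files)} executable(s) not owned by any dpkg package")
```

Each reported install directory is software that needs its version checked against advisories by hand, since none of the four agents will report on it.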

Endpoint footprint: All measurements used pidstat at the process level to capture RSS (resident set size) per process, excluding cgroup-level page cache. Windows measurements used Get-Counter (\Process(*)\Working Set - Private) sampled every 5 seconds over a 10-minute window. ManageEngine’s spawn-on-demand scan engine was measured separately at idle and during an active scan. All four Linux agents ran concurrently on the same Ubuntu 24.04 host; Windows measurements were taken on a separate Windows Server 2022 VM.

Patch deployment: Deploy time was measured from UI confirmation to the product reporting completion. Post-deploy state was verified on the endpoint directly via Windows Update history to distinguish “binary written to disk” from “patch committed and active”, a distinction that matters when a reboot is required to complete installation.

Trial access: Each trial was attempted with a Gmail address first, then with an institutional address where Gmail was rejected. Steps from landing page to a usable dashboard with agent installers visible were counted. Time from form submission to first connected agent was recorded.

Alert delivery: A custom alert rule was created in each product and triggered by a software install event. Delivery time and email content structure were recorded. Where alerts stopped firing, agent-side logs were inspected to identify the cause.


Best Vulnerability Management Tools

1. NinjaOne Vulnerability Management

NinjaOne is a UEM/RMM platform that added a VM module in March 2026. Its patch management is mature; the vulnerability detection layer is not.

Trial access: NinjaOne is sales-led. After submitting the trial form, the response was “We’ll contact you shortly.” Access came as a Technician added to a shared existing tenant (“Hiwell Test Org”) rather than a fresh isolated environment.

The onboarding screen immediately showed: “You do not have permissions to manage Devices. Please reach out to your System Admin for help.” Device deployment was unavailable under the Technician role.

Device coverage: The Add device menu covers more than any other tool tested: computers (Windows, Linux, Mac), mobile devices (Apple, Android), virtual infrastructure (Hyper-V, VMware), cloud monitors (ping, port scan, DNS, HTTP/HTTPS), and network discovery. No other tool in this comparison comes close.

Device detail: Each device has live hourly graphs for CPU, memory, disk, and network alongside a full hardware inventory.

The Details section enumerates open ports inline: RDP on 3389, SMB on 445, and 10 others were visible without running a separate scan.

The Tools menu provides Remote Registry, Task Manager, File Browser, and Service Manager accessible from the browser, all live. Full remote desktop requires a separate native client download.

CVE detection: The software inventory picked up Firefox within 35 seconds. The Vulnerabilities tab showed 0 results at the 5-minute mark, the 30-minute mark, and the 3-hour mark, across both Windows and Linux devices and with all filters cleared. The agent-side CVE list file remained 44 bytes from install time through 5+ hours, unchanged.

Server-side CVE correlation was never triggered during the trial. Whether this reflects a trial tier restriction or a configuration requirement that was not met could not be determined. The Vulnerabilities tab populated with 85 CVEs approximately 24 hours after agent install, with the Sources column showing “NinjaOne Patching”, the tool’s own patch catalog, not the NVD.

Alert integration: The policy Activities section lists 13 alert categories: Bitdefender, CrowdStrike, SentinelOne, Webroot, ImageManager, Backup, ShadowProtect, Software, System, User, Windows, Windows Patch Management, and Raid. There is no Vulnerability or CVE category. The VM module produces no alerts.

Reporting: The report template catalog includes a Patch Compliance template with 10 sections covering failed patches, pending patches, installed patch percentages, and OS patch enablement. There is no Vulnerability Management template.

Agent behavior toward other tools: NinjaOne registered on the test Windows VM. At 11:31, the Activities log recorded: “Software uninstalled: ‘Automox Agent’, Version: ‘2.5.70’, User: ‘<System>’”, two minutes after registration, via an automated system action. The removal was incomplete; see Key Findings for details.

Endpoint footprint: Linux agent peak memory: 116 MB. Windows: four processes totaling approximately 127 MB working set, 92 seconds of CPU over three hours.

NinjaOne is a UEM/RMM platform that added a VM module. The agent’s software inventory layer works well; the CVE correlation layer depends on server-side processing that was inactive during the trial period.

Key differences:

  • Software inventory is accurate and fast: Firefox 115.12.0 appeared in the dashboard within 35 seconds of installation
  • CVE correlation was inactive throughout testing. The file NinjaWPM-cve-patch-list.json remained 44 bytes for 5+ hours; the Vulnerabilities tab populated with 85 CVEs approximately 24 hours after agent install — inconsistent with the “real-time AI-powered” positioning
  • Broadest device-type support: Windows, Linux, macOS, iOS, Android, Hyper-V, VMware, cloud ping monitoring, and network discovery
  • VM module generates no alerts (no “Vulnerability” category in the Activities alert framework) and has no dedicated reporting template
  • On Windows, the agent removed Automox 2 minutes after installation via a Windows Server Policy rule, leaving orphan files; no equivalent behavior on Linux

2. ManageEngine Vulnerability Manager Plus

ManageEngine VMP is the only purpose-built vulnerability scanner in this comparison. Detection runs independently of patch availability; vulnerabilities are reported even when no patch exists.

Trial access: Self-serve, no sales contact required. The sign-up form accepts Gmail. After submitting, the dashboard loads immediately with a 30-day counter. A demo request modal appears but has a visible Skip button; it is not a wall. The interface loads in Turkish based on the IP address, the only tool in this comparison with non-English localization. The EU-region instance is assigned automatically.

Onboarding: The Getting Started screen shows four workflow steps: Prerequisites, Patch Settings, Deployment, and Patch Management Workflow. Three of the four are patch-focused. The framing is detect-then-patch, not real-time detection.

Dashboard: Opens on a Vulnerabilities tab with a Vulnerability Age Matrix: severity × age buckets showing how long findings have been open. A Latest Security News feed pulls live vendor security advisories into the right panel.

The Systems view left panel segments devices by operational state: Highly Vulnerable, Vulnerable, Healthy, Reboot Pending, Patch Deployment Failed, Systems without Agent Contact, EOL Systems, and Zero-day found. The device appeared in the list within seconds of agent install.

The initial scan runs in two passes. A banner confirms that limited results are shown first; the full scan completes within minutes. Missing patches climbed from 0 to 8 between the two passes.

Device detail: The device detail view covers more ground than any other tool tested.

The Summary tab shows four Threat Severity donuts side by side: Patch, Software Vulnerabilities, System Misconfigurations, and Web Server Misconfiguration. The vanilla Windows Server 2022 test endpoint showed 7 missing patches, 28 software vulnerabilities, and 54 misconfigurations.

The Software & Components tab lists each installed component with Missing Patches, Installed Patches, and Vulnerabilities counts per row. Windows Server 2022 itself carried 16 vulnerabilities; Curl for Windows, shipped with the OS image, not user-installed, carried 10.

The Vulnerabilities tab is a CVE-level list with Exploit Status, Patch Availability, CVSS 3.0 Score, Detected Version, Published Date, and Supported Date per row. CVSS scores ranged from 4.3 to 9.9 on the vanilla endpoint.

The Patches tab categorizes missing patches into Security Updates, Optional, Third Party, Driver, Service Pack, and BIOS, with Install/Publish Patches and Decline Patch actions inline.

The Security Config tab is a CIS/STIG-style hardening checklist. Each fixable row has a “Deploy Secure Configuration” link, so findings connect directly to one-click remediation. The test endpoint had 30 items, including TLSv1.1 enabled, BitLocker disabled, Windows Firewall not detected, account lockout thresholds unconfigured, and LAN Manager auth level misconfigured.

The Port Audit tab maps each open port to the responsible binary with full executable path. Port 3389 maps to svchost.exe, port 445 to ntoskrnl.exe. Chrome and Edge are listed separately on 5353.

Fleet-wide Threats view: The Threats nav covers eight sub-sections across the full fleet.

The Vulnerabilities and Detected CVEs views show CVSS 3.0 and CVSS 2.0 scores in parallel columns. The product preserves legacy CVSS 2.0 for organizations that still baseline on it.

System Misconfigurations aggregates hardening gaps fleet-wide with a “Deploy Secure Configuration” action per row.

High Risk Software tracks End of Life dates. Windows Server 2022 appeared with its EOL date of October 13, 2031, and a 1,990-day remaining counter.

Manage Exceptions allows specific threats to be accepted per device group. No exceptions were defined in testing; the infrastructure is present.

Patches section: Left sidebar shows live counts: Missing 9, Installed 3, Applicable 12, Supported 106,973, Latest 2,195. Each patch page has inline Quick Links with How Tos, Knowledge Base, and FAQ documentation embedded in the workflow rather than accessed separately.

The Supported Patches catalog covers 106,973 entries from Adobe, Microsoft, Mozilla, Splunk, Oracle, and others. The Latest Patches view shows 2,195 recently added entries sorted by release date. Decline Patch blocks specific patches per device group. Upload Pending accepts custom patches for software outside the catalog.

Patch deployment: The deployment wizard covers: Install vs Uninstall operation (rollback built in), Deploy directly vs Publish to Self Service Portal, deployment policy selector, “Force deploy after” date for SLA enforcement, and scoped targeting by Remote Office and individual computer.

A Defender definition update was deployed in the test, completed with Status: Succeeded and Remarks: “This version already exists.” The product detected that the patch had already been applied and did not reinstall it. Automatic retry on failure defaults to 2 attempts.

Agent fleet management: The Agent section shows fleet-wide agent health, including version currency, last contact time, AD sync status, remote office management, and inactive computer policy.

Endpoint footprint: Five processes at idle, combined idle RAM approximately 83 MB. The scan engine dcpatchscan spawns only during scans and is not visible at idle. During a scan, it consumed approximately 160 MB of RAM and 100% of one CPU core on Windows, compared to approximately 144 MB and 16% of one core on Linux. The spawn-on-demand design means idle footprint stays well below the continuous baselines of NinjaOne (116–127 MB) and Action1 (51 MB).

Detection latency: Manual Scan Now: 5 to 6 minutes. Automatic cycle: fixed at 90 minutes, not user-configurable. New CVE feed entries propagate in up to 25 hours (daily DB sync plus one 90-minute refresh cycle). The Admin > Agent Settings page has no refresh interval field; requests to add one have been open on the official forum without resolution.

Alert and notification: No outbound alert channel exists at any layer: no SMTP in Global Settings, no per-user notification preference, no report scheduling or email delivery. The Audit > Alerts page logs internal events (agent contact loss, failed patches, new endpoints) but cannot route them externally.

Reporting: 16+ predefined reports across six categories (Patch, System, APD, Configuration, SSP, Threat). No custom report builder. Column picker and filters available within predefined reports. No date range presets. Export: PDF, CSV, XLSX. A GDPR disclaimer modal requires confirmation before every export. No scheduled or emailed delivery.

Key differences:

  • 11 modules in a single product: Vulnerability Assessment, Compliance, Patch Management, Network Device scanning, Security Configuration Management, Zero-Day Mitigation, Web Server Hardening, High-Risk Software Audit, Antivirus Audit, Port Audit, and Reporting
  • 106,973-patch catalog; cloud and on-premises deployment options; EU-region SaaS instance
  • Automatic scan cycle is fixed at 90 minutes and is not user-configurable (forum feature requests unresolved); new CVE feed takes up to 25 hours to propagate (DB sync + one refresh cycle)
  • No outbound alert channel: SMTP is absent at every configuration layer

3. Automox

Automox is a patch automation platform, not a vulnerability scanner. Its vulnerability management capability is built around importing scanner output from Qualys, Tenable, Rapid7, or CrowdStrike rather than performing independent CVE detection.

Trial access: 15-day trial, no credit card required. Gmail is rejected; a business email is mandatory. After submitting, the flow adds two extra steps before the dashboard: a separate login screen and mandatory 2FA via email. Password minimum is 12 characters, the strictest of the four tools. Single global instance at console.automox.com, no regional options.

Agent installation: The Add Devices modal shows the access key UUID, an OS dropdown, a Download Installer button, and the equivalent silent-install command line: Automox_Installer-2.5.70.msi ACCESSKEY=<uuid>. One binary, one key, the simplest install flow of the four tools tested.

The installer runs a post-install health check inline before closing: service start, daemon test, IRS (Installation Result Service) report. It does not close until it confirms “Configuration succeeded!”, eliminating the ambiguity of whether the agent actually connected.

The device appeared in the Devices list within 1 to 2 minutes with a “Recently Added” tag.

Device detail: The device detail has four tabs: Summary, Health, Network, and System. No policy was assigned at install; the agent was registered to the Default group with no patch schedule attached. ManageEngine applies a default scan scope automatically; Automox requires explicit policy assignment before anything runs.

Software inventory and severity language: The device-level Software list uses Severity values borrowed from the Microsoft Update catalog: Critical, Unknown, or “No Known CVEs.” There is no NVD CVSS score. The Latest Version column is empty for all rows; Automox tracks whether an update exists, not the upstream version. Days Exposed measures how long a patch has been outstanding, not how long it has been since a CVE was published.

Dashboard: The main KPI is the Outstanding Patch Count matrix: severity rows (Critical / High / Medium / Low / Unknown) × age columns (90+ days, 61-89, 31-60, 16-30, ≤15 days). Device Troubleshooting flags: Needs restart, Failed update attempts, Disconnected 30+ days, Not compatible. No CVE count, no vulnerability severity score anywhere on the dashboard.

Policy architecture: Three policy types: Patch Policy (with sub-types Advanced, Patch All, Patch All Except, Patch Only, Manual Approvals, Severity), Required Software Policy, and Worklet. There is no Vulnerability Scan Policy or CVE-based policy type. The Schedule section offers a Patch Tuesday radio button that auto-aligns to Microsoft’s second Tuesday release cycle.

Worklet Catalog: Worklets are shell script templates for configuration tasks. Categories are System Preferences, Security, and Software Lifecycle. No Vulnerability category exists.

Remediations page: the core architectural signal. The Remediations page under Automate has one action: Import. The CSV Provider filter lists Generic Report, CrowdStrike, Qualys, Rapid7, and Tenable Vulnerability Management. The table columns are Patchable Vulnerabilities, Unmatched Vulnerabilities, and Unknown Devices. Automox maps a third-party scanner’s output against its own patch catalog and shows which CVEs it can remediate. It does not perform its own CVE detection.

Manage > Software: global fleet inventory. The fleet-level Software view adds a “Vulnerability or CVE-ID” filter, confirming CVE data exists in the system at some level. However, the Severity column still displays KB-meta categories, not CVSS scores. Days Exposed, Ignored, and Impacted columns are available for fleet-level triage.

Linux agent: The Linux agent inventoried 746 packages. The Software list shows Installed Version, Available Version, Days Exposed, Severity, KEV List, and EPSS columns. KEV and EPSS columns are empty for all entries; the columns exist in the schema but are not populated. Severity reflects the patch catalog signal, not NVD.

Patch-catalog blind spots: Firefox ESR 115.12.0 on Windows showed Installed 115.12.0, Available 140.10.2, Days Exposed 9, Severity “No Known CVEs”. Approximately 25 release versions and thousands of CVEs separate those two, but the catalog carries no CVE signal for that version gap. LibreOffice 7.1.8.1 on Linux (14 packages installed, 100+ documented NVD CVEs) showed all packages as “Installed” with Available Version empty and Severity empty. The vendor jumped from the 7.1 branch to the 24.x series, so no update entry exists in the catalog, and the tool returns no vulnerability signal.
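The two detection models behind these “No Known CVEs” results (and the first key finding), side by side, with a simplified version of the import-and-match step from the Remediations page. This is an added example, not code from the original article or from any vendor; the installed versions come from the page, while the advisory ranges, catalog entries, CVE placeholders and CSV column names are constructed assumptions.

```python
"""Added example: patch-catalog detection vs CVE-feed matching (all data constructed)."""
import csv
import io
from dataclasses import dataclass


def parse_version(text):
    """'115.12.0' -> (115, 12, 0); '115.0esr' -> (115, 0). Non-digits are ignored."""
    parts = []
    for piece in text.replace("-", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    cve_id: str       # placeholder id, not a real CVE number
    product: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive


# Installed versions are the ones the page tested; everything else is constructed.
INVENTORY = {"firefox-esr": "115.12.0", "libreoffice": "7.1.8.1", "7-zip": "19.00"}

ADVISORY_FEED = [  # constructed ranges standing in for an NVD-style feed
    Advisory("CVE-EXAMPLE-0001", "firefox-esr", "115.0", "115.13.0"),
    Advisory("CVE-EXAMPLE-0002", "firefox-esr", "102.0", "128.0"),
    Advisory("CVE-EXAMPLE-0003", "libreoffice", "7.0", "7.2.0"),
    Advisory("CVE-EXAMPLE-0004", "7-zip", "0", "23.0"),
]

PATCH_CATALOG = {  # constructed; the shape mirrors the two blind spots on the page
    # An update exists, but it carries no CVE metadata for the version gap.
    "firefox-esr": {"available": "140.10.2", "cves": []},
    "7-zip": {"available": "24.0", "cves": ["CVE-EXAMPLE-0004"]},
    # No "libreoffice" entry: the 7.1 branch has no successor in the catalog.
}

# Constructed scanner export; the column names are an assumption.
SCANNER_CSV = "product,cve\nfirefox-esr,CVE-EXAMPLE-0001\nlibreoffice,CVE-EXAMPLE-0003\n"


def has_update(product, installed, catalog):
    """True when the catalog holds a version newer than the installed one."""
    entry = catalog.get(product)
    return entry is not None and parse_version(entry["available"]) > parse_version(installed)


def catalog_findings(inventory, catalog):
    """Patch-catalog model: CVEs are known only through an available update."""
    report = {}
    for product, installed in inventory.items():
        if has_update(product, installed, catalog):
            report[product] = list(catalog[product]["cves"])
        else:
            report[product] = []          # shown to the user as "No Known CVEs"
    return report


def feed_findings(inventory, feed):
    """CVE-first model: match the installed version against affected ranges."""
    report = {product: [] for product in inventory}
    for adv in feed:
        installed = inventory.get(adv.product)
        if installed is None:
            continue
        if parse_version(adv.introduced) <= parse_version(installed) < parse_version(adv.fixed):
            report[adv.product].append(adv.cve_id)
    return report


def blind_spots(inventory, catalog, feed):
    """Products where the feed reports CVEs but the catalog model reports none."""
    by_catalog = catalog_findings(inventory, catalog)
    by_feed = feed_findings(inventory, feed)
    return sorted(p for p in inventory if by_feed[p] and not by_catalog[p])


def triage_import(csv_text, inventory, catalog):
    """Simplified import-and-match: a scanner finding is patchable only if an update exists."""
    result = {"patchable": [], "unmatched": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        installed = inventory.get(row["product"])
        patchable = installed is not None and has_update(row["product"], installed, catalog)
        result["patchable" if patchable else "unmatched"].append(row["cve"])
    return result


if __name__ == "__main__":
    print("catalog model:", catalog_findings(INVENTORY, PATCH_CATALOG))
    print("feed model   :", feed_findings(INVENTORY, ADVISORY_FEED))
    print("blind spots  :", blind_spots(INVENTORY, PATCH_CATALOG, ADVISORY_FEED))
    print("import triage:", triage_import(SCANNER_CSV, INVENTORY, PATCH_CATALOG))
```

With an external scanner feeding the import, the Firefox ESR finding becomes patchable because an update exists, while the LibreOffice finding stays unmatched and needs a manual upgrade path.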

Endpoint footprint: Linux agent peak: 8.8 MB, the lightest of the four tools tested, despite no marketing claim about footprint. Windows footprint was not measured: NinjaOne’s policy removed the Automox agent 2 minutes after NinjaOne registered on the same VM, so no Windows baseline was captured.

Key differences:

  • Automate → Remediations: accepts CSV exports from Qualys, Tenable, Rapid7, CrowdStrike, or a generic format; maps CVEs to patchable items and shows Patchable vs. Unmatched counts
  • Severity labels are borrowed from Microsoft Update catalog classifications (Critical / Unknown / No Known CVEs), not NVD CVSS scores
  • Patch-catalog detection produces systematic blind spots: LibreOffice 7.1.8.1 and Firefox ESR 115.12.0 both returned “No Known CVEs” despite having hundreds of documented CVEs, because no catalog update exists for those version branches
  • Lightest agent in the group at 8.8 MB peak on Linux — despite making no marketing claim about footprint
  • Three policy types: Patch Policy (with Patch Tuesday-aware scheduling), Required Software Policy, and Worklet (shell/PowerShell script templates)
  • Trial requires a business email address; Gmail rejected

4. Action1

Action1 is a cloud-native RMM with a capable Windows vulnerability pipeline. On Linux, it inventories packages and tracks version deltas but produces no CVE output. The two OS behaviors are architecturally different and need to be evaluated separately.

Trial access: Self-serve, Gmail accepted, no sales contact. After form submission, a confirmation code arrives by email; entering it lands directly in the dashboard with agent installers ready. No onboarding wizard, no trial request form, no waiting period.

Agent installation (Windows): The installer is 6.9 MB and completes in 67 seconds. A confirmation email arrives immediately after, and the panel shows: “The agent has been successfully installed. Your endpoint is now connected to the Action1 cloud.”

Agent installation (Linux): The Linux agent is 2.3 MB (.deb) and installs in 5 to 6 seconds via a single curl + apt command. The org ID is embedded in the package; no post-install configuration is needed. Three deployment paths are offered: Interactive (for first-time users), Unattended, and Direct. RPM is also available for Red Hat-family systems. After installation, the agent detected a pending kernel upgrade and correctly flagged the Linux endpoint as ‘Reboot Required’, reading distro-specific OS state rather than applying Windows logic to Linux.

Dashboard: Without any manual scan trigger, 114 vulnerabilities and 3 missing updates appeared within minutes of the Windows agent coming online. The dashboard centers on two triage widgets: a Vulnerability Remediation Compliance gauge with SLA bands (Critical: 1-7 days, High: 8-30 days, Medium: 31-90 days, Low: 90+ days) and a Vulnerabilities to Remediate Deadline Breakdown matrix showing severity × SLA overdue status. The same layout is repeated for updates. A free-tier marketing banner and social sharing buttons also appear on the dashboard.

Vulnerability list and CVE prioritization: The Vulnerabilities page shows CVE ID, CVSS Score, CISA KEV flag, Published Date, Remediation Status, Vulnerable Software (with full version path), and affected endpoint count. CISA KEV is a first-class column that surfaces CVEs that are actively exploited in the wild, a stronger triage signal than CVSS alone. EPSS is absent.

CVE detail panel: Each CVE opens a side panel with three tabs: Endpoints (affected machines with a Start Remediation button), Vulnerable Software (affected software by platform), and Details. The Details tab includes CVSS base score, Impact Score, Exploitability Score, CVSS sub-vector breakdown in human-readable form, Ransomware association flag, multi-source links (NVD, NVD++ via VulnCheck, vendor advisory), and an auto-calculated remediation deadline based on severity. Critical CVEs get a 7-day SLA; Medium-High get 30 days, calculated retroactively from the CVE publish date.

Detection latency: Firefox ESR 115.0esr was installed with a silent flag, and the install completion timestamp was recorded to the second. The agent uploaded the software inventory to the cloud at T+4 minutes 33 seconds; the cloud acknowledged 1 second later; the Vulnerabilities list was populated with Firefox CVEs within 11 minutes of install. The agent uses a 5-minute polling interval. The “real-time” marketing label is inaccurate; “near-real-time / 5-minute polling” is the correct description. No manual scan trigger is required, which differentiates it from scheduled-scan tools.

Linux CVE detection (absent): A deliberately vulnerable Firefox ESR 102.15.1 package (EOL since September 2023, 50+ unpatched CVEs) was installed via dpkg. The agent detected the install within 66 seconds and sent the correct version to the cloud. The cloud payload showed: "CVE": "", "Security Severity": "Unspecified". The Vulnerabilities page showed “No vulnerable software.” The same Firefox version on Windows produced 11+ CVEs with CVSS scores of 9.8 to 10. Action1’s Linux agent is a version delta tracker: it records installed version, latest version, and update availability, but performs no CVE database lookup for Linux packages.

Patch deployment: Two parallel flows exist. The vulnerability-driven flow goes: CVE detail > Start Remediation > 3-step wizard. Three strategies are available: Deploy Updates, Uninstall Software, and Document Compensating Controls. The third is notable; it allows documenting risk acceptance for software that cannot be patched. The update-driven flow via Update Approval adds LAN-based P2P file sharing for branch offices, reboot orchestration (automatic reboot with a configurable user-facing popup and timeout), and the option to disable Windows native updates entirely so only Action1-approved patches deploy. These capabilities exist only in the update-driven flow; the vulnerability-driven wizard does not offer them.

Patch deploy time for KB5082142: 1 minute from Run Now to Success status. However, “Success” in the automation engine means the binary was written to disk, not that the patch is active. Without a reboot, the Vulnerabilities page continued to show the patched CVE as Overdue because the OS had not yet committed the change. The automation engine labeled the operation a success; the vulnerability scanner continued showing the CVE as Overdue, which is the correct behavior, since the patch requires a reboot to take effect. After reboot, the CVE was removed from the list.

Alerts and notifications: Alerts are built on top of reports: a user subscribes to changes (Created / Deleted / Modified) in a named report’s data. Alert emails arrive quickly and include structured fields: Vendor, Version, Install Type, and Installed For. The recipient field accepts one email address only; there is no Slack, Teams, or webhook channel. A silent suppression mechanism exists: after the Nth trigger of the same rule within a time window, the rule stops firing without any UI indication. The suppression state is visible only in the agent’s local log. Users waiting for alerts after the suppression threshold has been crossed have no way to discover the cause from the interface.

Endpoint footprint: Measured over 10 minutes during a Firefox install, scan, and alert evaluation cycle: average CPU 0.013%, peak CPU 1.56% at the moment the polling cycle fired, RAM stable at 51.7 MB with a 0.14 MB band across the full window, disk IO near zero except for brief scan cache writes. The “zero endpoint impact” claim is supported by the measurement. Heavy synthetic load testing was not run.

Reporting: The report builder offers two types (Summary with grouping, Simple for flat tables), a column picker, filter step, scheduled delivery, Subscribe, CSV export, and PDF export. Five built-in report categories include Vulnerability Management with five sub-reports: Select Vulnerabilities, All Critical Vulnerabilities, Documented Compensating Controls, Known Exploited Vulnerabilities, and Vulnerability Summary. All are current-state views. There is no built-in “Fixed CVEs Over Time” or “Patch History by CVE” report. A patched CVE is removed from the list; it does not move to a resolved state. Reconstructing which CVE was closed on which date requires cross-referencing Automation History manually, which itself has a history pollution problem from duplicate Run Now entries.

Key differences:

  • Windows detection in ≤11 minutes from agent install (5-minute polling); install-to-cloud upload measured at 4 minutes 33 seconds
  • CVE detail panel: CVSS + CISA KEV flag + Ransomware association + severity-based SLA (Critical 7 days, Medium/High 30 days, auto-calculated from publish date) + multi-source links (NVD, NVD++, vendor advisory)
  • Linux agent: 2.3 MB .deb, installs in 5–6 seconds, systemd auto-enabled; RPM also available. Inventories dpkg packages in ~66 seconds but produces no CVE output: the agent payload returns "CVE": "", "Security Severity": "Unspecified". Installing Firefox 102 EOL on Linux left the Vulnerabilities list empty.
  • Agent footprint verified by pidstat: 51.7 MB stable, avg 0.013% CPU, peak 1.56% during scan
  • Alert notifications limited to a single email address; no Slack, Teams, or webhook; alert rules silently stop firing after N triggers with no UI indication
  • Reporting: Custom Builder + 5 VM sub-report categories (Select / Critical / Compensating / KEV / Summary) + Schedule + Subscribe; no “Fixed CVEs Over Time” built-in report

Methodology

Endpoints: Windows Server 2022 Standard 21H2 (Build 20348.3207) and Ubuntu 24.04.4 LTS (kernel 6.8.0-111). All four agents ran concurrently on the Linux host. On Windows, NinjaOne and Automox were installed sequentially on the same VM.

Vulnerable software: Firefox ESR 115.12.0, 7-Zip 19.00, Edge 148 (Windows); Node.js 18.19.1, vsftpd 3.0.5, Apache 2.4.58, LibreOffice 7.1.8.1, /opt/firefox-115.0esr/ vendor tarball (Linux).

Measurement: pidstat (process-level RSS and CPU), Get-Counter (Windows performance counters), pywinrm and paramiko (remote command execution). cgroup-level metrics excluded to avoid page-cache inflation.

Scope: macOS excluded. Testing followed the sequence: trial onboarding → agent install → initial dashboard → device detail → policy/scan → vulnerability inventory → patch flow → alert config → endpoint performance → reporting.

FAQs

Vulnerability management tools detect software and OS vulnerabilities across managed endpoints, prioritize them by severity, and connect findings to patch workflows. The goal is to reduce the window between a CVE being published and the affected version being patched.
In practice, these tools differ substantially in how they detect vulnerabilities. Some query the NVD directly; others infer risk from patch catalog availability. This architectural difference determines what they can and cannot find.

Sena Sezer
Industry Analyst
Sena works as an industry analyst at AIMultiple. She holds a bachelor's degree from Boğaziçi University.
