Patch Manager (Concepts & Behavior)

Last updated: December 23, 2025

Overview

Patch Manager in Cyrisma is the platform’s primary remediation engine for addressing patchable vulnerabilities identified during scanning. It enables users to remediate risk by applying supported patches directly to endpoints through installed agents.

This article explains:

  • What Patch Manager is and is not

  • What types of patches Cyrisma can apply

  • How Patch Manager determines patch eligibility

  • How Patch Manager relates to scans and mitigation plans

  • Key limitations and design considerations

This article is conceptual and behavior-focused. Step-by-step usage and configuration are covered in dedicated Patch Manager and Auto Patching articles.


What Patch Manager Is

Patch Manager is a remediation mechanism that applies patches directly to endpoints based on scan results.

It is used to:

  • Patch supported third-party applications

  • Apply Windows KB updates

  • Remediate certain security configuration findings that are patch-backed

Patch Manager operates at the instance level and is available within each client instance. For MSPs, similar functionality is available centrally through the Centralized Vulnerability Manager (CVM), which is documented separately.


What Patch Manager Is Not

Patch Manager is not:

  • A scan engine

  • A mitigation tracking system

  • A reporting or governance tool

  • A replacement for mitigation plans

Patch Manager does not:

  • Modify historical scan results

  • Automatically close mitigation plans

  • Track remediation ownership or documentation

  • Perform rollback of applied patches

Patch Manager executes remediation actions only.


Supported Patch Scope

Third-Party Applications

Patch Manager supports patching for a defined set of third-party Windows applications detected during internal authenticated scans. Only applications explicitly supported by Cyrisma are eligible for patching.

If an application appears in scan results but is not patchable, it may still appear as a root cause but will not display a Patch action.


Windows Updates

Patch Manager supports patching for Windows KB updates where applicable.

Important behavior:

  • Windows patching relies on Windows Update data reported by the endpoint

  • Vulnerability scans may reference older or superseded KBs

  • Patch Manager always reflects the latest cumulative update required by Windows

As a result, a KB may appear in vulnerability results but not appear directly in Patch Manager if it has been superseded.
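The supersession behavior described above, as an added illustrative model (not Cyrisma's own code): it assumes a constructed KB supersession map with placeholder KB numbers, follows each scan-referenced KB to the latest cumulative update, and reports which finding KBs will not appear directly as a patch because a newer update already covers them.

```python
"""Illustrative model (not Cyrisma's code) of how a scan finding that
references an older KB maps to the latest cumulative update."""

# Constructed sample: each KB maps to the KB that supersedes it (None = latest).
# These numbers are placeholders, not real Microsoft KB identifiers.
SUPERSEDED_BY = {
    "KB5000001": "KB5000002",
    "KB5000002": "KB5000003",
    "KB5000003": None,   # latest cumulative update on this branch
    "KB5000010": None,   # an unrelated, current KB
}


def resolve_latest(kb, superseded_by=SUPERSEDED_BY):
    """Follow the supersession chain to the newest KB.

    A KB absent from the map is treated as current. A loop in the map is
    reported as an error rather than spinning forever.
    """
    seen = set()
    while True:
        if kb in seen:
            raise ValueError(f"supersession loop at {kb}")
        seen.add(kb)
        nxt = superseded_by.get(kb)
        if nxt is None:
            return kb
        kb = nxt


def reconcile(finding_kbs, superseded_by=SUPERSEDED_BY):
    """Return (patches_to_offer, superseded_findings).

    patches_to_offer: the KBs a patch action would target (latest only).
    superseded_findings: finding KB -> latest KB, for finding KBs that will
    not show up directly as a patch because a newer cumulative update
    already covers them.
    """
    offer = set()
    superseded = {}
    for kb in finding_kbs:
        latest = resolve_latest(kb, superseded_by)
        offer.add(latest)
        if latest != kb:
            superseded[kb] = latest
    return sorted(offer), superseded
```

Two findings that reference KB5000001 and KB5000002 both collapse to a single KB5000003 patch, which is why the older KBs are visible in vulnerability results but absent from the patch list.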


Unsupported Platforms

Patch Manager does not currently patch:

  • Linux operating system vulnerabilities

  • macOS operating system vulnerabilities

Linux and macOS root causes may appear for visibility but are not patchable through Cyrisma at this time.


Dependency on Scanning

Patch Manager is scan-driven.

Key requirements:

  • An internal authenticated vulnerability scan must complete successfully

  • The affected endpoint must be scanned by its own local agent

  • Patch data is populated only after scan completion


Root Cause Breakdown Behavior

Patch Manager organizes remediation opportunities using Root Cause Breakdown.

Root causes represent:

  • Patchable third-party software

  • Patchable Windows KB updates

  • Non-patchable operating system findings

Filtering behavior:

  • Third Party shows detected third-party applications, some of which may be patchable

  • Windows displays patchable KB updates and OS-level vulnerability root causes

  • Linux displays OS-level Linux root causes, which are not patchable

  • macOS displays OS-level macOS root causes, which are not patchable

The Patch action appears only when Cyrisma supports patching for that root cause and the scan data is eligible.


Scheduling and Execution Model

Patch Manager executes patches through the Cyrisma agent installed on the endpoint.

Key behaviors:

  • Patches can be scheduled manually or applied automatically through Auto Patching

  • If an endpoint is offline, the patch remains pending until the endpoint checks in

  • Pending patches do not expire unless manually canceled

  • Reboots may be required depending on the patch, but are not always necessary

Patch execution is logged and visible in Patch History.


Relationship to Mitigation Plans

Patch Manager and mitigation plans are intentionally decoupled.

Important distinctions:

  • Applying a patch does not update or close an existing mitigation plan

  • Mitigation plans are created from static scan results

  • Users must document remediation actions manually within mitigation plans

  • A new scan is required to reflect remediation outcomes

Patch Manager provides execution.
Mitigation plans provide tracking, ownership, and evidence.

This separation ensures audit integrity and prevents automatic assumptions about remediation completion.


Relationship to Suppressions

Patch Manager does not suppress findings.

Suppressions:

  • Remove findings from future scan results

  • Are time-bound based on system configuration

  • Represent risk acceptance, not remediation

Patching and suppression are separate decision paths.


Key Limitations and Design Considerations

  • Patch Manager cannot roll back patches

  • Patch eligibility is limited to supported software

  • Scan data must be current and agent-based

  • Patch Manager does not distinguish between servers and workstations for execution logic

  • Governance and documentation are handled outside Patch Manager

These limitations are intentional and align with Cyrisma’s separation of execution and governance.


Summary

Patch Manager in Cyrisma is a focused remediation engine designed to apply supported patches directly to endpoints based on scan data.

It:

  • Executes remediation actions

  • Depends on completed internal scans

  • Operates independently of mitigation plans

  • Does not provide tracking or audit documentation

Patch Manager is most effective when used alongside mitigation plans and regular scanning to ensure remediation actions are both executed and properly documented.