Platform features

Built around what auditors and insurers actually ask for

Every feature exists because a real SMB asked "how do I prove this to my insurer?" or "what does my auditor need to see?" — not because a roadmap spreadsheet said so.

🔄 Patch Management

Patch rings & staged rollout

Deploy patches to a pilot ring first. Watch for regressions. Auto-ramp to production when the success threshold is met — or hold with a single click.

  • Ring-based staging — Canary, Early Adopter, Broad, and custom rings with configurable dwell time before auto-ramp.
  • Approval queue — Gate any patch behind a human sign-off (with step-up MFA) before it reaches production devices.
  • Maintenance windows — Schedule patch runs for off-hours by device group, ring, or individual hostname.
Patch Rings — Active deployment
🔬 Canary
3 devices · 72h dwell
PASSED100%
🚀 Early Adopter
24 devices · deploying
IN PROGRESS62%
🌍 Broad
187 devices · waiting
Waiting for EA threshold (80%)
🏭 Production
412 devices · queued
Queued
🔎 Vulnerability Management

CVE / KEV / CVSS vulnerability scanning

Continuous matching of your installed package inventory against NVD, CISA KEV, and CVSS v3 scores — with SLA tracking so nothing silently ages out.

  • KEV-first prioritisation — CISA Known Exploited Vulnerabilities are surfaced at the top with mandatory SLA timers.
  • Risk accept & expiry — Accept a risk with a justification and expiry date; an alert fires when acceptance lapses without remediation.
  • Vuln tagging & comments — Tag vulnerabilities for team triage, add commentary for auditor review, and export the full thread.
Vulnerabilities — Open 3 KEV
CVE-2024-21412CVSS 9.8 · KEV
Windows SmartScreen bypass · SLA: 2 days overdue
CVE-2024-30103CVSS 8.8 · KEV
Outlook RCE · SLA: 5 days left
CVE-2024-29988CVSS 7.4
SmartScreen filter bypass · SLA: 14 days left
+12 medium severityView all →
📋 Compliance

Compliance frameworks & evidence export

Map your patch and posture data to 6 frameworks: Cyber Essentials Plus, ISO 27001, SOC 2, HIPAA Security Rule, PCI DSS v4, and CISA BOD. Per-control evidence pulled from live device data, CSV-exportable in one click.

  • 6 built-in frameworks — CE+, ISO 27001, SOC 2, HIPAA, PCI DSS, and CISA BOD with per-control pass/fail status. CSV evidence export live for all 6. PDF evidence packs cover CE+/ISO/SOC 2 today; HIPAA/PCI/CISA PDFs land Q3 2026.
  • Cyber insurance readiness report — A single-page PDF formatted for the sections insurers ask about at renewal: patching cadence, vuln exposure, key escrow, MFA.
  • SIEM export (CEF / LEEF / JSON) — Push compliance snapshots and audit events directly to Splunk, QRadar, or any syslog target.
Compliance — Framework evidence
Cyber Essentials
94%
ISO 27001
87%
SOC 2 Type II
71%
Export PDF
All frameworks
🔒 Encryption

BitLocker & FileVault key escrow

Recovery keys are encrypted at the application layer with AES-256-GCM before they touch the database — so a DB dump alone reveals nothing.

  • Step-up MFA gated reveal — Retrieving a key requires a fresh TOTP/passkey challenge, logged to the audit trail with the requesting admin's identity.
  • Agent-delivered automatic escrow — The Windows agent reads the BitLocker recovery key locally and ships an encrypted copy on first check-in. Zero manual steps.
  • FileVault support coming in v1.1 — Same pipeline as BitLocker, extending to macOS FileVault recovery keys when v1.1 ships.
BitLocker Key Escrow 23/23 SECURED
DESKTOP-ACCT01
C: · Encrypted since 2025-11-03
🔑 Reveal key
LAPTOP-MKT02
C: · Encrypted since 2026-01-17
🔑 Reveal key
LAPTOP-FIN01
⚠ No key escrowed — BitLocker status unknown
Investigate
Step-up MFA required to reveal any key. All reveal events logged to audit trail.
🏠 MSP & Multi-Tenant

MSP portal & multi-tenant management

Manage all your client organisations from a single login. Hard data isolation between tenants — GDPR and DPA evidence is per-org, not shared.

  • Per-org billing & limits — Each client organisation has its own subscription tier, device cap, and audit log. You bill them; PatchPilot bills you.
  • MSP overview dashboard — Fleet-wide health, outstanding patches, and compliance posture across every client in one scrollable view.
  • Role-based access — Assign Viewer, Operator, Admin, or Owner roles per org. Restrict which MSP engineers can touch which clients.
MSP Overview — All clients
ClientDevicesPatchAlerts
Vehicle Data Global
47 94% 0
Apex Legal Services
83 81% 2 crit
Northgate Property
122 97% 0
📄 Audit & SIEM

Audit log & SIEM export

Every administrative action — patch approval, key reveal, role change, data export — is written to an immutable audit log with a UNION-ALL timeline view.

  • Unified timeline — Device events and admin actions merged in chronological order, filterable by user, org, and event type.
  • CEF / LEEF / JSON export — Pull audit events in any format your SIEM accepts. Splunk, QRadar, Microsoft Sentinel, and raw syslog all supported.
  • Retention up to 3 years — Business and Enterprise tiers retain audit logs for 3 years — long enough for most certification cycles.
Audit Timeline
BitLocker key revealed — DESKTOP-ACCT01
admin@company.com · Step-up MFA verified · 14:32:07
Patch ring approved — KB5034441 → Broad
ops@company.com · 13:11:44
Risk acceptance created — CVE-2024-29988
security@company.com · 30-day expiry set · 09:55:12
Compliance snapshot exported — ISO 27001
admin@company.com · 09:00:00
💻 Remote execution

Remote scripting & unattended agent

PatchPilot's SYSTEM-level agent runs even on locked and headless machines — no user session required. Paid tiers unlock remote PowerShell and Bash execution, just like Intune Remediation Scripts but without needing a Microsoft licence.

  • SYSTEM-level agent (Starter+) — The agent installs as a Windows SYSTEM service and Linux root daemon, so patch checks, scans, and commands fire regardless of whether anyone is logged in.
  • Remote PowerShell / Bash (Starter+) — Push arbitrary scripts to any managed device from the dashboard. Step-up MFA gated. Output streams back to the audit log. Replaces Intune remediation scripts for orgs without Microsoft 365 E3.
  • Free tier — user-session agent — The free plan runs the agent in the current user's session. Patching still works, but background and lock-screen operations require upgrading to Starter.
Remote Script — LAPTOP-OPS01
# Run on: LAPTOP-OPS01 | MFA verified ✓
Get-Service | Where-Object {
$_.Status -eq 'Stopped' -and
$_.StartType -eq 'Automatic'
} | Select Name, DisplayName
Output (2026-05-07 14:22:31):
Name              DisplayName
----              -----------
gupdate          Google Update Service
BITS              Background Intelligent Transfer
Exit code: 0
☁ Intune & Azure AD

Azure AD / Intune integration

Co-management mode: PatchPilot reads device state from Intune via Microsoft Graph and writes compliance signals back — so your existing Intune policies keep working.

  • Intune builder — Generate Intune compliance policies from PatchPilot posture data with a point-and-click interface. No JSON editing required.
  • ADMX / Group Policy templates — 12 CIS/NCSC/DISA configuration profiles ready to deploy without touching on-prem AD.
  • Add-on pricing — Intune integration is +£20/mo on any paid tier. Enterprise customers get it included in a custom contract.
Intune / Azure AD Integration
247
Intune synced
12
Policies deployed
4
Non-compliant
CIS Level 1 — Windows 11 ASSIGNED
NCSC Cyber Essentials baseline ASSIGNED
COMING SOON

What's next on the roadmap

These features are in active development. View the full roadmap →

🍎 Q3 2026

macOS Agent

Full patch management and compliance for Apple devices — Homebrew, softwareupdate, FileVault posture. Windows + Linux ship at v1.

📱 Q3 2026

iOS & Android Agent (BYOD)

Mobile estate inventory and basic policy enforcement for personally-owned devices. MDM management module builds on this in Q2 2027.

🌐 Q3 2026

SNMP Polling (v1.1)

Full SNMP polling for switches and routers — live port utilisation, bandwidth, uptime, SNMP traps. Network discovery and topology graph ship at v1.

☁️ Q3 2026

M365 SaaS Protection

Exchange, SharePoint, and OneDrive backup to BYO storage — point-in-time restore and retention reporting. File/folder backup to BYO ships at v1.

🧠 Q4 2026

AI Patch Advisor

LLM-generated risk summaries for each patch — severity, business impact, rollback risk. Competes NinjaOne AI and Atera Action AI.

🏢 Q4 2026

Customer Portal

End-users self-serve: submit tickets, view their device's patch status, request software, see audit data about their own laptop. White-labellable per MSP.

📋 Q4 2026

Documentation Module (IT Glue lite)

Per-client password vault, knowledge base, network diagrams, and runbooks. Competes IT Glue and Hudu.

🖥️ Q1 2027

Image-level Backup (Datto-grade)

Volume-level continuous backup with bare-metal restore to BYO storage. File/folder backup to BYO ships at v1. Competes Datto, Veeam, Acronis.

📱 Q2 2027

MDM — Mobile Device Management

Phones + tablets, device-level enrolment and MDM commands. Builds on Q3 2026 iOS/Android agent. Competes Jamf Now lite, Intune lite.

View full roadmap & vote on features →

Ready to close the evidence gap?

Join the early access programme — or start free with 25 devices, no card required.

Join the waitlist Join the waitlist