Server health and patch compliance, on one self-hosted dashboard.
RackWatch scores every host 0–100 — weighting CPU, memory, uptime, and unpatched CVEs. The first risk number that actually means "fix this now."
Self-hosted · Air-gap friendly · Open-source agent · No cloud telemetry
| Server | Status | CPU | Memory | Risk |
|---|---|---|---|---|
| db-primary | Critical | 94% | 91% | 92 |
| web-proxy-02 | Warning | 76% | 82% | 68 |
| app-server-01 | Healthy | 24% | 51% | 22 |
| app-server-02 | Healthy | 18% | 44% | 18 |
Running on our own hardware, 24/7.
Every release ships only after a week on the founder's own data-center home lab. The dashboard you see in the demo is real — it's the same instance that watches our infrastructure.
The only self-hosted dashboard that scores patch lag.
Other monitors tell you a server is healthy when it's two weeks behind on a critical CVE. RackWatch doesn't. Patch compliance is a first-class signal in the risk score — alongside CPU, memory, disk, and uptime — so green means actually safe, not just responsive.
Live fleet view
CPU, memory, disk, and last-seen status for every host. Updates every 60 seconds without refresh.
0–100 risk score
One number per server, weighting resource pressure, patch lag, reliability, and hardware age.
Patch compliance
Scans apt, yum, and Windows Update. Flags missing patches and maps them to CVE severity.
Slack and Teams alerts
Critical events fire instantly to the channel of your choice with hostname, reason, and context.
Daily PDF summary
A single morning email: fleet status, top risks, what changed overnight. Skim in thirty seconds.
Self-hosted by design
Your fleet data stays on your network. No third-party telemetry, no cloud egress, no vendor lock-in.
Patch lag, mapped to CVE severity.
The agent scans apt, yum/dnf, and Windows Update on each host, lists every pending package, and cross-references it against distro security advisories (USN, DSA, RHSA, MSRC) plus NVD and OSV as fallback. Critical CVEs typically surface within hours of advisory publication — distro feeds push fast; NVD lags a day or two.
The risk score weights patch lag alongside CPU, memory, and uptime — a server running clean but two weeks behind on critical security patches won't get a green badge.
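The cross-referencing described above, as an added example that is not RackWatch's own code: each pending package is looked up in the distro's advisory feed first, then in NVD and OSV as fallback, and the host reports its worst severity and lag in days. The feed contents, advisory IDs, package versions, and the exact-version match (used here instead of real dpkg/rpm version ordering) are assumptions made for illustration.

```python
from datetime import date

RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
DISTRO_FEED = {"ubuntu": "USN", "debian": "DSA", "rhel": "RHSA", "windows": "MSRC"}
FALLBACK = ("NVD", "OSV")  # consulted only when the distro feed has no entry

# Constructed offline mirror: feed -> (package, fixed_version) -> (id, severity, published)
FEEDS = {
    "USN": {("openssl", "9.9.1"): ("USN-PLACEHOLDER-1", "critical", date(2024, 1, 2))},
    "NVD": {("openssl", "9.9.1"): ("CVE-PLACEHOLDER-1", "high", date(2024, 1, 4)),
            ("libfoo", "1.4.2"): ("CVE-PLACEHOLDER-2", "medium", date(2024, 1, 10))},
    "OSV": {},
}

def lookup(distro, package, candidate):
    """Return (feed, advisory) from the distro feed first, then NVD, then OSV."""
    for feed in (DISTRO_FEED[distro], *FALLBACK):
        hit = FEEDS.get(feed, {}).get((package, candidate))
        if hit:
            return feed, hit
    return None, None

def patch_lag(distro, pending, today):
    """pending: (package, candidate_version) pairs reported by the package manager."""
    findings, unmapped = [], []
    for package, candidate in pending:
        feed, adv = lookup(distro, package, candidate)
        if adv is None:
            unmapped.append(package)  # ordinary update with no security advisory
            continue
        adv_id, severity, published = adv
        findings.append({"package": package, "feed": feed, "advisory": adv_id,
                         "severity": severity,
                         "lag_days": (today - published).days})
    # Worst severity first; within a severity, the longest-outstanding patch first.
    findings.sort(key=lambda f: (RANK[f["severity"]], f["lag_days"]), reverse=True)
    return {"worst": findings[0]["severity"] if findings else "none",
            "findings": findings, "unmapped": unmapped}

# Constructed host: Ubuntu with three pending updates, evaluated on 2024-01-16.
REPORT = patch_lag("ubuntu",
                   [("libfoo", "1.4.2"), ("openssl", "9.9.1"), ("vim", "9.0.1")],
                   date(2024, 1, 16))
```

The distro feed's rating wins when both it and NVD cover the same package, which is why the constructed openssl entry is reported as critical from USN rather than high from NVD.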
Prometheus, Zabbix, and Netdata don't ship this. SIEMs and vuln scanners do, but they cost more than monitoring and live in a different tool. RackWatch puts both on the same screen.
No black box. Here are the weights.
SREs distrust composite scores by default — fair. So we publish the weights inline, not buried in docs. Four inputs, four percentages, one formula.
Resource pressure pulls hardest because saturation is an immediate outage. Patch lag is next — unpatched CVEs are the most common cause of compromise on internet-facing hosts. Reliability tracks restart and flap signal. Hardware age is a tiebreaker, not a verdict.
Runs without the internet.
Once the platform binary is on your network, no outbound egress is required. The agent talks to your platform — that's it. Patch databases (Ubuntu USN, Debian DSA, RHEL RHSA, Alpine secdb, Microsoft MSRC, NVD, OSV) can be mirrored offline; license keys for Enterprise tier are signed offline so there's no daily check-in either. Compliance teams: there's nothing here that needs egress whitelisting.
Why not just spin up Netdata or Prometheus?
Honest answer: if you have the time to wire YAML, write exporters, and tune dashboards, the open-source stacks are great. RackWatch is for teams who'd rather have a working risk score by lunch.
| | RackWatch | Prometheus + Grafana | Zabbix | Netdata | Datadog |
|---|---|---|---|---|---|
| Setup time | ~5 min — one binary, one curl | ~30-90 min for a small fleet — exporters, scrape configs, Grafana dashboards (much less if you've done it before) | Hours — server, agents, templates | Minutes — but per-host UI, no fleet view by default | Minutes — but cloud-only, $15/host |
| Config style | Opinionated defaults. No YAML. | YAML everywhere. Rules, alerts, scrape jobs. | Web UI + templates + macros. | Per-node config files. | Web UI. |
| Single risk score per host | Yes — 0–100, weighted | No — build it from PromQL | No | No | No (composite alerts only) |
| Patch compliance + CVE mapping | Built in | No — separate tool | No — separate tool | No | Add-on (Cloud SIEM) |
| Self-hosted | Yes — your hardware | Yes | Yes | Cloud or self | No — SaaS only |
| High-cardinality metrics | No — not the target | Yes — its strength | Limited | Limited | Yes |
| Cost — 25 servers | $50/month | $0 + your time | $0 + your time | $0 (Community tier covers it) | $375/month |
RackWatch isn't trying to replace Prometheus for high-cardinality time-series — pair them if you need that. It replaces the hand-rolled "is everything OK?" dashboard that every ops team builds twice and never finishes.
If you're evaluating Wazuh or osquery+Fleet instead
Security-conscious shops often look at SIEM-adjacent fleet tools for the patch-compliance angle. They're real tools and they're better at their actual job than RackWatch is — included here for honest positioning, not as a put-down.
| | RackWatch | Wazuh | osquery + Fleet |
|---|---|---|---|
| Primary use | Server health + patch lag with composite risk score | SIEM — log analysis, HIDS, file integrity, compliance frameworks | SQL queries across fleet inventory and OS state |
| Setup time | ~5 min — one binary, one curl | Hours to days — manager, indexer, dashboard, agents | Hours — osquery agents, Fleet server, TLS |
| Composite 0–100 risk score | Yes — transparent weights | No — alerts + severity tags | No — you write SQL |
| Patch compliance dashboard | Built-in, default view | Vulnerability detection module — raw findings | Query os_version, apt_sources, windows_security_products tables |
| Resource footprint | ~30 MB single binary | Multi-component, GB-scale on the manager node | osquery is lightweight; Fleet adds a server + DB |
| Cost — 25 servers | $50/month | $0 (open source) | $0 (Fleet Free) · Fleet Premium starts $7/host/month |
If your team has the operational budget for a SIEM and you treat patch compliance as a security workflow, Wazuh is the right call. If your fleet is a query target and you're happy writing osquery SQL, Fleet is excellent. RackWatch is for the case where neither of those is what you want — a clean server-health dashboard with patch lag in the score, not a SIEM and not a query engine.
Running in under five minutes.
Free up to 5 servers, forever. Above that, $2/server/month — license keys are emailed within seconds of subscribing on the pricing page. Volume pricing for 100+ servers; email us for annual billing or anything custom.
Before you install
Does the agent need root?
Yes — it reads /proc, /sys, and runs smartctl and dmidecode for hardware ID and patch enumeration. The agent source is on GitHub — audit before running it.
Does anything phone home?
No. Agents only talk to the platform address you configure at install. No analytics, no error reporting, no third-party telemetry. License keys are offline-verified ed25519 tokens — the platform doesn't phone home, even on paid tiers. Verify it yourself.
Which OSes does the agent support?
Ubuntu 20.04+, Debian 11+, RHEL 8+, CentOS Stream, Rocky, Alma, and Windows Server 2019/2022/Win11. The agent is a self-contained ~30 MB binary — no runtime to install, no containers required. We chose .NET 8 for a single codebase that behaves identically on Linux and Windows hosts; for mixed fleets that's the entire point. Linux/amd64 + linux/arm64 published natively.