A modern patch state tracker, from the original creator of Shavlik patch management

Q: Is Senserva a Shavlik patch management alternative?

Siemserva complements your patch tooling, it does not replace it. The original Shavlik patch engines, now part of Ivanti, deploy patches. Senserva tells you the true patch and CVE state across your whole Microsoft estate and ranks what to fix first by real-world exploitation, using CISA KEV and EPSS, so the two work better together. Senserva also goes well beyond patch: it is an AI-native Microsoft 365 security platform with 650+ checks across Intune, Entra ID, and Purview, audit-ready HTML reports, and validated AI remediation through the Senserva MCP.

You knew Shavlik HfNetChk, also known as Shavlik NetChk, and NetChk Protect, and the term "Powered by Shavlik," because you needed to know one thing: what is actually patched. Mark Shavlik is the original creator of Shavlik patch management, and he and his team have built Senserva patch management, a modern patch state tracker for the Microsoft world. Think of it as a modern Shavlik patch scanner for Microsoft 365 and Windows: every device, every missing patch, ranked by what attackers are actually exploiting. See your real patch state in minutes.

See your patch state Register free, scan your own tenants

The Shavlik Security Patch Management booth at the RSA Conference, 2004

A note on the history: Mark sold Shavlik Technologies to VMware, and HfNetChk, also known as NetChk, and NetChk Protect now belong to Ivanti. That patch technology lives on and is still going strong, a market leader in patch management today, now delivered through Ivanti. Senserva is all new code, not the old Shavlik products, and it complements patch tooling rather than replacing it.

Try the new patch state tracker

Senserva tracks the patch state of your whole Microsoft estate and tells you what to fix first. It reads Microsoft’s own data, ranks missing patches by real-world exploitation, and refreshes every scan, so the picture is never stale.

Every device, one view

Patch state pulled straight from Microsoft Intune, Microsoft Defender for Endpoint (TVM), and Azure Update Manager, including Azure Arc machines, through Microsoft’s own APIs.

Missing patches, mapped to CVEs

Each missing update is tied to the CVEs it fixes and enriched with MSRC detail, so a KB number becomes a real risk you can explain.

Ranked by what is exploited

CISA KEV (known exploited) and EPSS (exploit probability) sit on top of CVSS severity, so you patch what attackers are using, not just what is oldest.

Always up to date

Refreshed with the latest CVE, KEV, and EPSS data on every scan. The tracker keeps pace with the threat, not last quarter.

Works with your patch tools

Senserva tracks and verifies, it does not deploy patches, so it sits alongside Shavlik and whatever you run as an independent double-check.

Ask in plain English

Query patch state and exposure from Claude through the Senserva MCP, or export an audit-ready, compliance-mapped report.

See the patch state tracker in depth

Explore the live patch and CVE data

Two free, searchable references built from the same Microsoft and CISA feeds the tracker uses, no sign-up.

Microsoft patch tracker

A searchable catalog of recent Microsoft security updates, newest first: each KB with the CVEs it fixes, the highest CVSS, and CISA KEV and ransomware flags. The public view of what the tracker watches across your estate.

Open the patch tracker

Microsoft CVE reference

Search Microsoft CVEs plus every actively-exploited CVE in the CISA KEV catalog (all vendors), each with CVSS severity, exploited and ransomware status, affected products, and a link to the patch that fixes it.

Open the CVE reference

Want this ranked across your own tenant? See CVE, patch and vulnerability management.

Powered by Shavlik: the OEM program that ran everywhere

Shavlik was not a niche tool, and "Powered by Shavlik" went a long way. Microsoft licensed Shavlik's HfNetChk engine to power the Microsoft Baseline Security Analyzer (MBSA). VMware acquired the company outright. And through the Shavlik OEM program, leading security and technology vendors integrated or rebranded Shavlik's patch technology inside their own products, often badged "Powered by Shavlik."

"Powered by Shavlik" is still in market today: the patch engine Mark sold lives on under Ivanti, which continues to use the line. Senserva is not affiliated with Ivanti and is not the old Shavlik products. It is all new code from Mark Shavlik, the original creator of Shavlik patch management, and his team, carrying that same "know exactly what is patched" idea into a modern Microsoft 365 patch and CVE tracker.

Microsoft (MBSA) VMware Symantec Sophos Juniper BMC Numara

Publicly documented Shavlik OEM alliance partners and acquirers. Trademarks belong to their respective owners.

Broader than a missing-KB list

The HfNetChk idea was always bigger than KBs: know what is actually patched, everywhere. The modern tracker covers the whole pipeline.

Per-device missing KBs and CVEs

Each missing patch per device with its CVEs, CISA KEV flags, and EPSS scores.

Windows Autopatch and WUfB audited

Autopatch assets, deployments, audience health, and reboot delays, plus feature, quality, and driver update policy audits.

Third-party software too

Defender Vulnerability Management recommendations cover the patches and configurations that never ship as Windows KBs, tiered by public exploits and active alerts.

Software inventory with CVE counts

Per-product CVE counts and exposed device counts from the Defender software inventory.

Devices nothing else sees

Entra-only unmanaged Windows devices surface with OS version and Defender coverage gaps, and per-device compliance reasons explain every failure.

What changed, and what it is worth

Intune change auditing over the last 30 days, and a Secure Score control breakdown flagging the controls that still carry points.

One tracker inside a full Microsoft 365 scanner

The patch state tracker is one part of Senserva. The same scan checks your configurations and reads your logs, because a missing patch matters more when the identity and access around it are weak. Patch and CVE capabilities are rolling out in phases, with more arriving in each release.

CVEs ranked by real-world risk

Every CVE enriched from NVD, CISA KEV, EPSS, and MSRC, with a deterministic triage order you can defend. CVE, patch and vulnerability management, or search the Microsoft CVE reference.

Drift that undoes your patching

Continuous detection when configurations slide away from your secure baseline between scans. Configuration drift management.

Every client tenant, one place

MSPs run the same patch and posture checks across every client, standardized. How we help MSPs.

Compliance evidence included

Findings mapped to the frameworks your auditors ask about, audit-ready on every scan. Compliance and frameworks.

Shavlik questions, answered

Is Senserva a Shavlik patch management alternative?

Senserva complements your patch tooling, it does not replace it. The original Shavlik patch engines, now part of Ivanti, deploy patches. Senserva tells you the true patch and CVE state across your whole Microsoft estate and ranks what to fix first by real-world exploitation, using CISA KEV and EPSS, so the two work better together. Senserva also goes well beyond patch: it is an AI-native Microsoft 365 security platform with 650+ checks across Intune, Entra ID, and Purview, audit-ready HTML reports, and validated AI remediation through the Senserva MCP. You bring your own AI model, ask plain-language questions about your patch and security state, and get a risk-tiered plan, not just a findings list.

What is the new patch state tracker?

Senserva tracks the patch state of your whole Microsoft estate. It reads Microsoft's own data through Intune, Defender for Endpoint TVM, and Azure Update Manager including Azure Arc, ranks missing patches by real-world exploitation using CISA KEV and EPSS, and refreshes on every scan.

What about SC Updates (SCUPdates) for third-party patch catalogs?

SCUPdates, also written SC Updates or sc updates, was the Shavlik third-party update catalog for System Center Updates Publisher (SCUP) and Configuration Manager, the way teams pushed non-Microsoft patches through SCCM and WSUS. It was built by the same Mark Shavlik team behind HfNetChk and NetChk Protect. Senserva does not publish an SCUPdates-style deployment catalog; it tracks and ranks the resulting patch and CVE state across Microsoft 365, Intune, Defender, and Entra ID. For third-party software, Defender Vulnerability Management coverage surfaces the patches and configurations that never ship as Windows KBs. See the live Microsoft patch tracker for current KB and CVE data.

See your patch state, free

Explore the patch state tracker and the full product on a rich, simulated tenant, no access to your environment needed, or register free and point it at your own: 3 tenants, up to 25 users each, in one verified scan. Welcome back, Shavlik customers.

See the patch state tracker

More about Senserva and Mark Shavlik · Microsoft CVE lookup and patch tracker · Senserva partners