Mark Shavlik: modern patch, CVE, and vulnerability management for Microsoft 365, from the HfNetChk and MBSA creator

Thank you for all the support over the years with HfNetChk, the Microsoft Baseline Security Analyzer (MBSA), SCUPdates, and more, and thank you to all the past, present, and future OEM partners and users who have built on the things I created. And welcome to all the patch vendors that came after me, I look forward to working together.
Mark Shavlik, Founder & CEO, Senserva.

The advanced Patch Trackers

Every Microsoft update, ranked by what attackers are actually exploiting, not just by age or raw CVSS. The Patch Tracker reads Microsoft's own data, ties each missing KB to the CVEs it fixes, and weights the whole picture by CISA KEV and EPSS. Please take a look!

Microsoft: unpatched risk
Severity, KEV, and ransomware weighted, a running total.
Click for full details
Microsoft: open patches by Severity
Critical, High, Medium, and Low, in brand Severity colors.
Click for full details
Microsoft: CVEs added per month
Cyan is CVEs added; yellow is the share actively exploited.
Click for full details
Microsoft: open risk by product family
Severity, KEV, and ransomware weighted, last 12 months.
Click for full details
Non-Microsoft: exploited CVEs per month
From CISA KEV; red marks the ransomware-linked share.
Click for full details
Non-Microsoft: most-exploited vendors
Count in CISA KEV; red is the ransomware-linked share.
Click for full details

Shavlik questions, answered

Is the Shavlik scan now part of Ivanti, and who builds it today?

If you came here searching for a Shavlik scan or the Shavlik patch scanner, here is the short version. The original Shavlik scanning engine, HfNetChk, grew into NetChk Protect and SCUPdates. Shavlik Technologies was acquired by VMware in 2013, and the Shavlik patch products are now part of Ivanti. The Shavlik name and those products belong to Ivanti today.

I am Mark Shavlik, the person who created that first scanner. The work here is all-new code under my own name at Senserva: a modern scan of the patch and CVE state across your Microsoft 365 estate, Intune, Defender for Endpoint, and Azure Update Manager, ranked by what is actually being exploited using CISA KEV and EPSS. It is not the Ivanti product, and it does not deploy patches. It tells you what is missing and what is exploited, then sits alongside Intune, Ivanti, or your RMM.

Can I get a Shavlik scan from Mark Shavlik?

Yes. As the creator of HfNetChk and the basis for the Microsoft Baseline Security Analyzer (MBSA), I now offer a modern scan at Senserva: it reads the patch and CVE state across Microsoft 365, Intune, Defender for Endpoint, and Azure Update Manager, and ranks what to fix first by CISA KEV and EPSS.

Is this the old Shavlik patch products?

No. The original Shavlik engines (HfNetChk, NetChk Protect) went to VMware and now live on through Ivanti for patch deployment. The patch lineup here is all-new code from Mark Shavlik and his team, focused on the modern problem: knowing the patch and CVE state across a cloud-era Microsoft estate and ranking what to fix first by real-world exploitation.

Does it deploy patches?

No, not yet. We are focused on supporting compliance, which requires solid patch management first: knowing the patch and CVE state and ranking what is actually exploited. The Patch Tracker and CVE tools do that today, and sit alongside whatever you deploy with (Intune, Ivanti, your RMM).

What happened to Shavlik patch management?

Mark Shavlik founded Shavlik Technologies, which built HfNetChk, NetChk Protect, and SCUPdates. The company was acquired by VMware in 2013, and those patch products are now part of Ivanti, still a leader in patch deployment. Mark and his team now build Senserva, a modern Microsoft 365 security and patch-intelligence platform.

Who is Mark Shavlik?

Mark Shavlik is the founder and CEO of Senserva. He was an early engineer on the Microsoft Windows NT kernel team, then founded Shavlik Technologies, where he created HfNetChk, the hotfix and patch scanner that became the basis for the Microsoft Baseline Security Analyzer (MBSA).

What were HfNetChk and MBSA?

HfNetChk was the Shavlik network hotfix checker that scanned Windows machines for missing security patches. Microsoft licensed the engine as the basis for the Microsoft Baseline Security Analyzer (MBSA). Both are retired today; the modern equivalent for Microsoft 365 is Senserva's patch and CVE intelligence, ranked by CISA KEV and EPSS.

What is a modern Shavlik patch management alternative for Microsoft 365?

Senserva's Patch Tracker and CVE and vulnerability management read the patch state across Microsoft Intune, Defender for Endpoint, and Azure Update Manager, and rank what to fix first by CISA KEV and EPSS. The non-Microsoft tracker covers the exploited Citrix, Fortinet, Ivanti, and Apache flaws Microsoft's Update Guide leaves out. It complements Ivanti and your RMM rather than replacing them.

Does Senserva do patch management for Microsoft 365?

Yes. Senserva tracks and ranks the patch and CVE state of your Microsoft estate, through the Patch Center, the Patch Tracker, the non-Microsoft exploited-CVE tracker, and CVE management. It does not deploy patches yet; it tells you what is missing and what is actively exploited, then sits alongside your deployment tooling.

See your patch state, free

Open the live Patch Tracker now, or register free and point Senserva at your own tenants: 3 tenants, up to 25 users each, in one verified scan. Welcome back, Shavlik customers.

Open the Patch Tracker Scan your tenants, free

More about Senserva and Mark Shavlik  ·  CVE and vulnerability management  ·  Senserva partners

See patching in action

A short walkthrough of Senserva patching for Microsoft 365.

Open the watch page for this video, or see all Senserva videos.

The Shavlik Security Patch Management booth at the RSA Conference, 2004

Always good to remember the old days!