Automox MCP 2.2: agentic patching with the guardrails on
Automox's MCP Server 2.2 lets agents write patch policies — with blast-radius previews and approvals first. That's the governance pattern to demand.
Agentic automation is finally reaching the boring, critical work — and patching is a good test case. Automox shipped MCP Server 2.2, letting an AI agent create endpoint patch policies from plain-language intent. The headline is "AI patches your machines." The part worth copying is everything the agent has to show you before it does: blast-radius previews, approval queues, and access reviews rendered right in the assistant. That ordering — propose, preview, approve, then act — is the pattern to demand from any agentic tool you let near production.
What actually happened
Per Help Net Security and Automox's release announcement, version 2.2 (July 7) adds three things to its governed agentic interface for endpoint operations. Agentic Patch-by-Severity policy creation: describe the intent — say, patch all critical and high-severity vulnerabilities — and the agent drafts the policy, instead of you building it by hand in the console. Interactive review surfaces: on MCP Apps–capable hosts, the assistant renders compliance posture, patch approval queues, policy blast-radius previews, remediation reviews, and RBAC access-certification — visually, not as a wall of text to parse. Live capability discovery: the agent sees what it's actually allowed to do based on read-only mode, module filtering, credentials, and opt-in safety flags.
It ships through PyPI, the MCP Registry, and a one-click Claude Desktop extension — the same open Model Context Protocol layer we keep pointing at as the standard agents connect through.
Why it matters for your business
Patching is exactly the kind of work you'd want automated: high-volume, unglamorous, and dangerous to skip — most breaches ride in on a vulnerability that had a fix available. But it's also work where a confident agent doing the wrong thing at scale is its own disaster; a bad policy can knock out every endpoint at once. So the interesting design choice here isn't the AI — it's that the risky action is gated behind a preview of its blast radius and a human approval. The agent proposes; a person with the right role signs off; then it executes.
That's the bar for letting agents touch anything real in your business, whether it's patching, refunds, inventory, or sending customer email. Read-only by default. A preview of what will change and how far it reaches. An approval step tied to who's actually allowed. A legible audit trail after. If a vendor's "agentic" pitch skips those and just promises the agent will handle it, that's not automation you can trust — it's a liability with a chat interface. We build agentic automation the governed way: scoped permissions, human-in-the-loop on the actions that matter, and a record of everything the agent did.
Key takeaways
- Automox MCP Server 2.2 (July 7) lets an agent draft patch-by-severity policies from plain-language intent
- The safeguards are the story: blast-radius previews, approval queues, and RBAC reviews render in the assistant before anything executes
- Live capability discovery means the agent only sees actions allowed by read-only mode, credentials, and safety flags
- Demand the same of any agentic tool: read-only default, change preview, role-based approval, and an audit trail — or don't let it near production
Thinking about letting an agent run real operations? We build agentic automation with the guardrails on — scoped permissions, human approval on the actions that matter, and a full audit trail. See how we build governed automation or tell us what you'd automate first.
Sources: Help Net Security, Automox / GlobeNewswire.
- #mcp
- #ai-agents
- #patch-management
- #governance
- #ai-automation
Tommy Rush — Founder, Rush Commerce
Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More
Get The Rush Report weekly — one email, zero fluff.
Keep reading
PraisonAI's CVSS-10 RCE: when your agent runs its own code
CVE-2026-61447 gives PraisonAI a perfect 10.0 — the framework runs LLM-generated Python unsandboxed, so one prompt injection becomes remote code execution.
Read itMistral's Leanstral 1.5 proves your code correct — for free
Mistral open-sourced Leanstral 1.5, a Lean 4 model that proves code satisfies a formal spec. Why verification, not generation, is the real AI-dev bottleneck.
Read it