Noxen vs Pareto Security
Pareto Security is the friendliest security tool on the Mac: it lives in the menu bar, shows a plain list of checks with green and orange bullets, and never asks you to learn a dashboard. Noxen is built in that same spirit — no SaaS, no per-seat pricing, Mac-native — but it points at a different machine. Pareto hardens the Mac in front of you. Noxen audits the fleet of Linux boxes you only ever see over SSH. They overlap in philosophy and almost nowhere in scope, which is exactly why a lot of homelabs end up running both.
What Pareto Security is
Pareto Security is an open-source macOS app that checks whether the Mac it runs on is configured the way a security-conscious person would want it: FileVault on, firewall enabled, screen lock with a short grace period, automatic updates turned on, no unexpected sharing services, Gatekeeper intact. Each check is one line with a pass/warn state and a short explanation of how to fix it. It runs locally, quietly, in the menu bar, and there is a paid Teams plan for organisations that want to monitor a fleet of Macs centrally. It is, deliberately, an endpoint-hardening checklist for Apple hardware — and one of the best examples of that genre.
The reason it stops at the Mac is structural, not a missing feature. Pareto's checks read local system state through macOS APIs (SMAppService, TCC, system_profiler, the system trust-evaluation APIs). None of that exists on a remote Ubuntu host, and none of it can be reached over SSH. The tool is macOS-only by construction.
When Pareto Security is the right choice
- You want to harden the Macs themselves. FileVault, firewall, screen-lock policy, Gatekeeper, automatic updates — these are local-machine posture checks Noxen does not perform. Pareto is the right tool for the laptop on your desk.
- Your fleet is Macs, not Linux servers. A design studio, an Apple-heavy startup, a family of MacBooks — Pareto Teams is built to watch a roomful of Macs. Noxen scans Linux / Unix / BSD over SSH and does not audit macOS endpoints.
- You want a menu-bar agent that checks continuously. Pareto is resident on each Mac and re-checks on its own schedule. Noxen is a control-plane app you point at remote hosts; it does not sit in the menu bar of every machine it inspects.
- You don't have remote Linux hosts at all. If everything you own is the Mac in front of you, Pareto already covers it. Noxen only earns its place once you have boxes behind ~/.ssh/config.
When Noxen is the right choice
- The machines you worry about are Linux, and remote. VPSes, Raspberry Pis, Proxmox nodes, a NAS, the one mystery box that's definitely running something. Pareto can't reach them; Noxen is built for exactly this.
- You want CVE matching, not just config checks. Noxen inventories installed packages (dpkg -l / rpm -qa / apk info), normalises each to a CPE 2.3 string, and matches it against a signed CVE feed sourced from VulnCheck NVD++ and OSV.dev. Pareto's remit is local hardening state, not installed-package vulnerabilities.
- You want network posture across the fleet. TCP port scan, TLS certificate and cipher audit, HTTP security-header probe, and exposed admin-surface detection for ~70 services (Grafana, Portainer, Pi-hole, Proxmox, unauthenticated Redis / Mongo / Elasticsearch, leaked .git/config and .env files, and more).
- You want the diff, not the full report. Noxen defaults to what changed since yesterday — new CVEs, config drift, newly exposed services — and keeps the full inventory one click away.
- You want it agentless. Nothing to install on the servers. Noxen runs on your Mac and reaches each host over the SSH keys you already have. Scan data stays in a local store on your Mac; Noxen's only servers host the signed CVE feed.
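One way to carry out the inventory, CPE binding and feed-match step described above, as an added example that is not Noxen's own code: the dpkg output, the vendor map and the feed entries are constructed fixtures, the advisory IDs are invented, and the matching uses OSV-style ecosystem version ranges compared with a dpkg-style version comparison rather than the CPE version string, because a distro version such as 3.0.2-0ubuntu1.10 carries backported fixes that an upstream CPE version cannot express.

```python
import re
from itertools import zip_longest

# Constructed sample of what `dpkg-query -W -f='${Package}\t${Version}\n'`
# returns on an Ubuntu host when run over SSH. Illustrative versions only,
# not real scan output.
DPKG_SAMPLE = """\
openssl\t3.0.2-0ubuntu1.10
openssh-server\t1:8.9p1-3ubuntu0.6
curl\t7.81.0-1ubuntu1.15
"""

# Assumed vendor map: CPE 2.3 needs a vendor field that dpkg does not carry.
VENDOR = {"openssl": "openssl", "openssh-server": "openbsd", "curl": "haxx"}

# Constructed feed entries shaped like OSV "affected" ranges (ECOSYSTEM
# events with introduced/fixed versions). IDs and bounds are invented.
FEED = [
    {"id": "EXAMPLE-2024-0001", "package": "openssl",
     "introduced": "0", "fixed": "3.0.2-0ubuntu1.12"},
    {"id": "EXAMPLE-2024-0002", "package": "openssh-server",
     "introduced": "0", "fixed": "1:8.9p1-3ubuntu0.5"},
    {"id": "EXAMPLE-2024-0003", "package": "curl",
     "introduced": "7.81.0-1ubuntu1.16", "fixed": "7.81.0-1ubuntu1.17"},
]

def parse_dpkg(text):
    """Turn 'name<TAB>version' lines into (name, version) tuples."""
    pkgs = []
    for line in text.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            pkgs.append((name.strip(), version.strip()))
    return pkgs

def to_cpe23(name, version, vendor_map=VENDOR):
    """Bind to a CPE 2.3 formatted string. Everything outside the unreserved
    set [A-Za-z0-9._-] is backslash-escaped, so the epoch colon in
    '1:8.9p1-...' becomes '\\:' instead of splitting the CPE field."""
    esc = lambda s: re.sub(r"[^A-Za-z0-9._-]", lambda m: "\\" + m.group(), s)
    return f"cpe:2.3:a:{vendor_map.get(name, '*')}:{esc(name)}:{esc(version)}:*:*:*:*:*:*:*"

def _order(ch):
    """Character weight used by dpkg: '~' sorts before end-of-string (0),
    letters before non-letters."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """dpkg's verrevcmp: alternate non-digit runs (weighted) and digit runs
    (numeric) until both strings are consumed."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            wx, wy = (_order(x) if x else 0), (_order(y) if y else 0)
            if wx != wy:
                return -1 if wx < wy else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 for Debian versions [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_affected(installed, introduced, fixed):
    """OSV range semantics: introduced <= installed < fixed; '0' means
    every version, fixed=None means no fix has shipped yet."""
    if introduced != "0" and dpkg_compare(installed, introduced) < 0:
        return False
    return fixed is None or dpkg_compare(installed, fixed) < 0

def match(pkgs, feed=FEED):
    """Return (advisory id, package, CPE) for every affected package."""
    return [(e["id"], name, to_cpe23(name, ver))
            for name, ver in pkgs
            for e in feed
            if e["package"] == name
            and is_affected(ver, e["introduced"], e.get("fixed"))]

if __name__ == "__main__":
    for hit in match(parse_dpkg(DPKG_SAMPLE)):
        print(*hit)
```

With the fixtures above only openssl is reported: curl sits below the introduced bound and openssh-server is already past the fixed one. The CPE string is kept as the normalised identifier for the inventory, but the range comparison is done on the distro version, since comparing 3.0.2-0ubuntu1.10 against an upstream-only CPE version would either miss backported fixes or flag them as still vulnerable.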
The short version of the positioning: Noxen is Pareto's philosophy for the boxes you SSH into — same Mac-native, no-SaaS, honest-pricing shape, pointed at remote Linux instead of the local Mac.
Side-by-side
| | Pareto Security | Noxen |
|---|---|---|
| What it checks | The local Mac's own posture | Remote Linux/Unix hosts over SSH |
| Platform | macOS app (menu bar) | macOS 26+ native app (control plane) |
| Deployment | Installed on each Mac it checks | Agentless — runs only on your Mac |
| Core checks | FileVault, firewall, screen lock, updates, sharing, Gatekeeper | Package CVEs, TLS, ports, HTTP headers, exposed admin surfaces |
| CVE matching | No (config posture, not packages) | VulnCheck NVD++ / OSV, signed, daily on Live Feed |
| Fleet model | A fleet of Macs (Teams plan) | A fleet of Linux hosts (3 → 500) |
| Pricing | Free & open-source personal; paid Teams plan | Free (3 hosts) / $79 one-time / $19/mo / $149/mo |
| Data | Stays on the Mac; no SaaS for personal use | Stays on your Mac; servers host only the CVE feed |
| Best for | Hardening the Macs you own | Auditing the Linux boxes you SSH into |
Do you need both?
For most homelabs and small ops teams, yes — and not as a compromise. The two tools answer different questions. Pareto answers "is the Mac in front of me configured safely?" Noxen answers "what is the security posture of every remote box I own, and what changed on them overnight?" Run Pareto on your laptop(s); run Noxen against the fleet. Together they cover the gap most self-hosters actually have — full visibility across every machine you own, without a SaaS running in the background or a per-device bill. Neither tool tries to be the other, and neither asks you to ship your data off the Mac to get the answer.
One thing Noxen deliberately does not do, in the same spirit as Pareto: it flags exposed admin surfaces but never tries default credentials against them. Detection, not intrusion — we explain why here.
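The network-posture bullets above and the detection-only rule here come down to the same thing: inspect what an unauthenticated GET returns and report on it, without ever posting a credential. The following is an added example of that read-only approach, not Noxen's code. The HTTP responses are constructed fixtures with invented hostnames, and the admin-surface fingerprints are assumed illustrative regexes rather than the scanner's real signature set.

```python
import re
from dataclasses import dataclass

@dataclass
class Response:
    """One captured HTTP GET response. The fixtures below are constructed
    stand-ins for what a probe would receive; nothing here touches the network."""
    url: str
    status: int
    headers: dict   # header names lower-cased
    body: str

# Headers an HTTPS-served UI should carry; each missing one is a finding.
REQUIRED_HEADERS = {
    "strict-transport-security": "no HSTS, so a first visit over plain HTTP is not upgraded",
    "content-security-policy": "no CSP, so injected inline script runs unrestricted",
    "x-content-type-options": "no nosniff, so browsers may sniff responses into scripts",
    "x-frame-options": "no framing restriction, so the UI can be clickjacked",
}

# Assumed fingerprints for a few admin surfaces (illustrative, not a real
# signature set). A match means "login page reachable", nothing more: the
# probe never submits default or guessed credentials.
ADMIN_SIGNATURES = [
    ("Grafana", re.compile(r"<title>\s*Grafana\s*</title>", re.I)),
    ("Portainer", re.compile(r"<title>\s*Portainer", re.I)),
    ("Pi-hole", re.compile(r"Pi-hole", re.I)),
    ("Proxmox VE", re.compile(r"Proxmox Virtual Environment", re.I)),
]

# A served .git/config opens with [core] and declares the repository format.
GIT_CONFIG = re.compile(r"\[core\][\s\S]*?repositoryformatversion\s*=")
# A served .env is mostly KEY=value lines; require several to limit false positives.
ENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]*=", re.M)

def audit(resp):
    """Return (kind, subject, detail) findings for one response. Read-only:
    it inspects what a plain GET returned and never authenticates."""
    findings = []
    if resp.url.startswith("https://"):
        for header, why in REQUIRED_HEADERS.items():
            if header not in resp.headers:
                findings.append(("missing-header", header, why))
    if resp.status == 200:
        if resp.url.endswith("/.git/config") and GIT_CONFIG.search(resp.body):
            findings.append(("leaked-file", ".git/config",
                             "repository metadata is web-readable; objects likely are too"))
        if resp.url.endswith("/.env") and len(ENV_LINE.findall(resp.body)) >= 2:
            findings.append(("leaked-file", ".env",
                             "environment file is web-readable"))
        for name, sig in ADMIN_SIGNATURES:
            if sig.search(resp.body):
                findings.append(("admin-surface", name,
                                 f"login page reachable at {resp.url}"))
    return findings

# Constructed responses: hostnames, ports and bodies are invented fixtures.
SAMPLE_RESPONSES = [
    Response("https://grafana.lab.example:3000/login", 200,
             {"content-type": "text/html; charset=utf-8",
              "strict-transport-security": "max-age=31536000"},
             "<html><head><title>Grafana</title></head><body>login</body></html>"),
    Response("http://nas.lab.example/.git/config", 200,
             {"content-type": "text/plain"},
             "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"
             "[remote \"origin\"]\n\turl = git@git.example:lab/app.git\n"),
    Response("http://nas.lab.example/.env", 404,
             {"content-type": "text/html"}, "Not Found"),
]

def audit_all(responses):
    """Findings keyed by URL, skipping responses with nothing to report."""
    report = {}
    for resp in responses:
        findings = audit(resp)
        if findings:
            report[resp.url] = findings
    return report

if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES).items():
        for kind, subject, detail in findings:
            print(f"{url}\t{kind}\t{subject}\t{detail}")
```

The Grafana fixture yields three missing-header findings plus an admin-surface finding; the .git/config fixture yields one leaked-file finding; the 404 yields nothing. Note what the admin-surface finding does not claim: that the login accepts default credentials. Establishing that would mean attempting a login, which is the line this approach does not cross.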
Frequently asked
Is Noxen a replacement for Pareto Security?
No — they check different machines. Keep Pareto for your Mac's local posture; add Noxen for the remote Linux hosts Pareto can't reach.
Can Pareto scan my remote Linux servers?
No. Pareto's checks are macOS-only by construction and can't run over SSH against a Linux host. That remote-fleet case is precisely what Noxen is for.
Does Noxen install an agent on each server?
No. Noxen is agentless — it runs on your Mac and connects over your existing ~/.ssh/config, so there is nothing to deploy or maintain on the hosts themselves.
Pareto for your whole fleet
Three hosts free, forever, on macOS 26+. $79 one-time unlocks 25 hosts and scheduled nightly scans. Live Feed adds the daily signed CVE feed and webhooks for $19/mo. No subscription required to use the app itself, and your scan data never leaves your Mac.