diff --git a/nixos/modules/services/security/paretosecurity.nix b/nixos/modules/services/security/paretosecurity.nix index 9ec196eee6a0..a1080ede8431 100644 --- a/nixos/modules/services/security/paretosecurity.nix +++ b/nixos/modules/services/security/paretosecurity.nix @@ -24,6 +24,17 @@ # dependencies here. This creates the necessary symlinks in the proper locations. systemd.sockets.paretosecurity.wantedBy = [ "sockets.target" ]; + # In NixOS, systemd services are configured with minimal PATH. However, + # paretosecurity helper looks for installed software to do its job, so + # it needs the full system PATH. For example, it runs `iptables` to see if + # firewall is configured. And it looks for various password managers to see + # if one is installed. + # The `paretosecurity-user` timer service that is configured lower has + # the same need. + systemd.services.paretosecurity.serviceConfig.Environment = [ + "PATH=${config.system.path}/bin:${config.system.path}/sbin" + ]; + # Enable the tray icon and timer services if the trayIcon option is enabled systemd.user = lib.mkIf config.services.paretosecurity.trayIcon { services.paretosecurity-trayicon = { @@ -31,6 +42,9 @@ }; services.paretosecurity-user = { wantedBy = [ "graphical-session.target" ]; + serviceConfig.Environment = [ + "PATH=${config.system.path}/bin:${config.system.path}/sbin" + ]; }; timers.paretosecurity-user = { wantedBy = [ "timers.target" ]; diff --git a/nixos/tests/paretosecurity.nix b/nixos/tests/paretosecurity.nix index a2b9317c678f..bf9af17e2f5e 100644 --- a/nixos/tests/paretosecurity.nix +++ b/nixos/tests/paretosecurity.nix @@ -29,6 +29,8 @@ package = patchedPareto; }; + networking.firewall.enable = true; + }; nodes.dashboard = @@ -64,6 +66,12 @@ services.displayManager.autoLogin = { enable = true; user = "alice"; + + }; + + virtualisation.resolution = { + x = 640; + y = 480; }; environment.systemPackages = [ pkgs.xdotool ]; 
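Review bot: Setting `serviceConfig.Environment` to a `PATH=` entry on `systemd.services.paretosecurity` bypasses the `path` option NixOS provides for exactly this purpose, so the generated unit carries two `Environment=PATH=` lines (the module's default one and this one) and only works because systemd applies the last assignment. The idiomatic form keeps the defaults and states the intent in one line: `systemd.services.paretosecurity.path = [ config.system.path ];`. Since this is the socket-activated helper and presumably runs with elevated privileges (its `User=` is not visible in this hunk), consider listing only the packages it actually executes, e.g. `pkgs.iptables`, where that set is closed, and reserving the whole system path for the open-ended password-manager probing the comment describes. The comment's "configured lower" would read better as "configured below".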
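Review bot: The user-level `paretosecurity-user` service receives only `config.system.path`, which contains no per-user package locations, so a password manager installed via `users.users.<name>.packages` (`/etc/profiles/per-user/<user>/bin`) or a user profile (`~/.nix-profile/bin`) would be invisible to the PATH-based lookup the module comment says the helper performs. If that lookup is indeed PATH-based, prepending those directories — systemd expands `%u` and `%h` in `Environment=` — would look like `"PATH=%h/.nix-profile/bin:/etc/profiles/per-user/%u/bin:${config.system.path}/bin:${config.system.path}/sbin"`. Alternatively `systemd.user.services.paretosecurity-user.path = [ config.system.path ];` avoids hand-assembling the string for the system part, though the per-user directories would still need to be added explicitly.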
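Review bot: `networking.firewall.enable = true;` is already the NixOS default, so unless something outside this hunk disables it the added line changes nothing while reading as a deliberate fixture. A comment tying it to the check that is no longer skipped in the test script makes the intent explicit and survives a future default change, e.g. `# Keep the firewall on: the "Firewall is enabled" check is no longer skipped in testScript.`. If the line is meant only as documentation of that dependency, the comment is the part that carries the value.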
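Review bot: The `virtualisation.resolution = { x = 640; y = 480; }` block has no explanation, yet the tray-icon click in the test script is placed at an absolute pixel position that only hits the icon at this resolution, so changing either value silently breaks the other. A comment such as `# Small screen so the tray icon lands at a known x position for the xdotool click in testScript.` records the coupling. The added blank line inside the `autoLogin` attrset, just before its `};`, looks accidental and could be dropped.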
@@ -94,7 +102,6 @@ + " --skip 21830a4e-84f1-48fe-9c5b-beab436b2cdb" # Disk encryption + " --skip 44e4754a-0b42-4964-9cc2-b88b2023cb1e" # Pareto Security is up to date + " --skip f962c423-fdf5-428a-a57a-827abc9b253e" # Password manager installed - + " --skip 2e46c89a-5461-4865-a92e-3b799c12034a" # Firewall is enabled + "'" ) @@ -117,7 +124,7 @@ ]: status, out = xfce.systemctl("is-enabled " + unit, "alice") assert status == 0, f"Unit {unit} is not enabled (status: {status}): {out}" - xfce.succeed("xdotool mousemove 850 10") + xfce.succeed("xdotool mousemove 460 10") xfce.wait_for_text("Pareto Security") xfce.succeed("xdotool click 1") xfce.wait_for_text("Run Checks") diff --git a/pkgs/by-name/pa/paretosecurity/package.nix b/pkgs/by-name/pa/paretosecurity/package.nix index e6b5232d75cb..25728d4e32a3 100644 --- a/pkgs/by-name/pa/paretosecurity/package.nix +++ b/pkgs/by-name/pa/paretosecurity/package.nix @@ -9,16 +9,16 @@ buildGoModule rec { pname = "paretosecurity"; - version = "0.0.96"; + version = "0.1.3"; src = fetchFromGitHub { owner = "ParetoSecurity"; repo = "agent"; rev = version; - hash = "sha256-SyeIGSDvrnOvyOJ0zC8CulpaMa+iZeRaMTJUSydz2tw="; + hash = "sha256-ovyfHqLCf5U3UR1HfoA+UQhqLZ6IaILcpqptPRQsb60="; }; - vendorHash = "sha256-O/OF3Y6HiiikMxf657k9eIM7UfkicIImAUxVVf/TgR8="; + vendorHash = "sha256-7mKAFkKGpBOjXc3J/sfF3k3pJF53tFybXZgbfJInuSY="; proxyVendor = true; ldflags = [
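Review bot: `xfce.succeed("xdotool mousemove 460 10")` moves to a hard-coded pixel that is only valid for the 640x480 resolution configured on the node, and the following `wait_for_text("Pareto Security")` is the only thing that catches a miss, with no hint in the failure about why. Naming the coordinate or deriving it from `xdotool getdisplaygeometry` would make the dependency explicit; at minimum a comment next to the call, `# x chosen for the 640x480 virtualisation.resolution set on this node`, ties the two magic numbers together.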