Compensating Controls for Systems You Cannot Patch

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Forty-five percent of enterprise vulnerabilities remain unresolved after 12 months. The standard industry response is to call this a staffing or prioritization failure. The practitioners living inside it know the real constraint: 32% of critical CVEs are still open at 180 days not because teams are ignoring them but because the affected systems cannot be taken offline. Legacy medical devices with FDA clearance requirements, OT systems with vendor support dependencies, production manufacturing equipment that runs continuous processes, and ERP platforms that require months of regression testing: these are not failure cases, they are the normal operating reality of most enterprises. This guide gives you a structured framework for reducing exploitation risk on systems you cannot patch, organized by the attack vector class of the CVE, with specific compensating controls, detection rules, and the documentation structure that satisfies auditors when you formally document a risk acceptance.
Why Standard Patch SLAs Break Down in Real Environments
The gap between a 3-day critical patch SLA written in a policy document and the 67-day median actual remediation time documented in the field is not primarily a people problem. It reflects structural constraints that SLA authors typically do not account for. Vendor support dependencies are the most common: many OT and medical device vendors prohibit unauthorized patching and void support contracts if the OS is modified outside their release process. Regression testing requirements for regulated systems can legitimately require 60 to 90 days of validation before a patch can be applied to a production ERP or financial clearing system. Continuous availability requirements in manufacturing, utilities, and healthcare create windows where the system cannot be taken offline for any patch maintenance. The Horizon3 2025 Attack Intelligence Report documents that the average time-to-exploit after CVE disclosure has dropped to 5 days: meaning that by the time most regulated organizations complete their patch approval process, the CVE has already been actively exploited in the wild. The answer is not to abandon patch SLAs but to have a structured compensating control framework ready to deploy the moment a patch is confirmed infeasible within the SLA window.
The 3-Tier Attack Vector Framework
Compensating controls are not one-size-fits-all. The right control depends on how an attacker would reach and exploit the vulnerable system. CVSS v3.1 encodes this in the Attack Vector and Authentication metrics, and organizing your compensating controls around these dimensions ensures you are blocking the actual exploitation path rather than checking a compliance box. The three tiers below cover the vast majority of enterprise CVEs on systems with patching constraints.
Tier 1: Network-reachable, unauthenticated
The highest-urgency tier. Examples include unauthenticated RCE in web servers, VPN appliances, and network appliances. Exploitation requires only network access, no credentials. Primary compensating control is immediate network isolation or access restriction. Secondary control is detection rules on exploitation patterns.
Tier 2: Network-reachable, authenticated
Requires valid credentials to exploit, which meaningfully raises the attacker's cost. Examples include authenticated privilege escalation in application servers and authenticated RCE in database platforms. Primary compensating controls are authentication hardening and session monitoring. Secondary control is network restriction to authorized source IPs only.
Tier 3: Local access only
Requires physical or interactive session access. Examples include local privilege escalation vulnerabilities in OS components and local file permission bypasses. Primary compensating control is endpoint detection coverage and privileged access management. Risk acceptance is most defensible for this tier when remote attack vectors are fully blocked.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Tier 1 Controls: Network-Reachable Unauthenticated CVEs
For Tier 1 CVEs, the compensating control must reduce network reachability to the absolute minimum. The goal is to eliminate or severely constrain the attack surface without taking the system offline. VLAN isolation places the vulnerable system on a dedicated network segment with firewall-enforced ingress and egress rules: only authorized management hosts and application dependencies can reach the system, and all other traffic is dropped. Perimeter firewall ACLs restrict access to specific source IP ranges if VLAN isolation is not immediately feasible. Host-based firewall rules provide a third layer of enforcement if network controls cannot be applied in time. Beyond isolation, deploy an IDS/IPS signature for the specific exploitation pattern: most major vulnerability disclosures are followed within 24 to 48 hours by Snort and Suricata rule releases that detect active exploitation attempts. Log every connection attempt to the vulnerable port from any source outside the authorized access list. This connection logging is the evidence that compensating controls were active and functioning during the period the system remained unpatched.
VLAN isolation
Segment the vulnerable system into a dedicated VLAN with explicit allow rules for required dependencies only. Document the allowed sources and the firewall rule change ticket number in the risk acceptance record.
Perimeter and internal firewall ACLs
Block all access to the vulnerable service port from the internet and from internal network segments that do not require access. Use specific source IP allow lists rather than broad subnet ranges.
IDS/IPS exploitation signature
Deploy a rule targeting the specific exploitation pattern for this CVE. For critical CVEs, check Snort and Suricata community rule repositories within 24 hours of disclosure for available signatures.
Connection attempt logging
Enable logging for all connection attempts to the vulnerable port from unauthorized sources. Forward logs to SIEM with an alert rule for any match. This logging is your auditor evidence that the compensating control was monitored, not just deployed.
Tier 2 Controls: Network-Reachable Authenticated CVEs
Authenticated CVEs give defenders a meaningful intervention point that does not exist in Tier 1: the authentication layer. Strengthening authentication does not close the underlying vulnerability but it raises the cost of exploitation from network-accessible to credential-required-plus-network-accessible. Multi-factor authentication enforcement on the vulnerable service is the highest-impact single control for this tier: it blocks the bulk of opportunistic credential-based exploitation while requiring no changes to the vulnerable software itself. Privileged access workstation (PAW) requirements restrict which endpoints can authenticate to the vulnerable system, reducing the attack surface from any endpoint on the network to a small set of hardened management stations. Service account audit and rotation addresses the common case where the vulnerable service runs under an overprivileged account whose credentials are reused across multiple systems. In parallel, deploy behavioral detection rules in your SIEM that alert on authentication patterns consistent with exploitation: off-hours logins, authentication from new source IPs, or rapid sequential authentication attempts. The NIST SP 800-53 AU-2 and AC-17 control families provide a compliance mapping for these monitoring requirements.
Documenting the Risk Acceptance: What Satisfies Auditors
A compensating control without documentation is indistinguishable from an ignored vulnerability in an audit. The documentation structure matters as much as the control itself. A risk acceptance record that satisfies PCI DSS, SOC 2, and most regulatory frameworks requires seven elements: the CVE identifier and CVSS score, the affected system and business justification for why patching within SLA is infeasible, the compensating controls deployed with specific implementation details, the residual risk assessment (what attack scenarios remain possible despite the controls), the monitoring evidence confirming the controls are active, the approval authority (typically CISO or risk committee), and the review date when the risk acceptance will be re-evaluated. The review date is the element most commonly omitted: auditors increasingly look for evidence that risk acceptances have expiration dates and are not perpetual deferrals. Set review dates at 90 days for critical CVEs on the CISA KEV list and 180 days for high-severity CVEs with deployed compensating controls. At each review, confirm the controls are still functioning, confirm the patch remains infeasible, and reaffirm or escalate the risk acceptance.
CVE identifier and severity context
Include the CVE number, CVSS score, attack vector class, and whether the CVE appears on the CISA KEV list. Auditors need to understand the severity of what is being accepted.
Business justification for non-patching
State the specific reason patching is infeasible: vendor prohibition, change freeze window, regression testing requirement, or continuous availability constraint. Vague justifications like 'operational constraints' do not hold up to auditor scrutiny.
Compensating controls with implementation evidence
List each control with a reference to the change ticket or firewall rule that implements it. Include a screenshot or log excerpt confirming the control is active. This is the most important audit artifact.
Residual risk statement
Describe what attack scenario remains possible if an attacker has the capability to circumvent the compensating controls. This demonstrates that the security team understands the limits of the compensating approach.
Review date and approval authority
Every risk acceptance must have an expiration date and a named approver at the appropriate authority level. Risk acceptances without expiration dates are treated as indefinite deferrals by auditors.
When Compensating Controls Are Not Sufficient
Compensating controls are a risk reduction strategy, not a risk elimination strategy. There are three conditions under which a compensating control framework is not adequate and the organization must escalate to a harder decision. First, if the CVE is on the CISA KEV list and the affected system is internet-facing with no feasible network isolation option, the residual risk is likely unacceptable for most organizational risk tolerances: the system either needs to be isolated from the internet or decommissioned. Second, if the vulnerable system holds data regulated under HIPAA, PCI DSS, or state privacy laws and the compensating controls cannot demonstrate effective containment of the exploitation path to regulated data, legal counsel needs to be involved in the risk acceptance decision. Third, if the same system has accumulated multiple unpatched critical CVEs over time, the aggregate exploitation surface may exceed what compensating controls can meaningfully address: a formal decommission and replacement plan with a timeline is a more honest response than layering controls on a system that has become structurally insecure. Compensating controls work best as a time-bounded bridge to eventual patching, not as a permanent operating posture.
The bottom line
Forty-five percent of enterprise vulnerabilities unresolved after 12 months is not a number that reflects negligence at scale. It reflects the structural reality that many systems cannot be patched on a security team's preferred timeline. The 3-tier attack vector framework converts that structural reality into a structured set of decisions: identify the exploitation path, deploy controls that block or degrade that path, detect any exploitation attempts that reach the system, and document the risk acceptance with enough specificity that an auditor can see the decision logic. The goal is to make unpatchable systems defensible, not to pretend they are patched.
Frequently asked questions
What is a compensating control in vulnerability management?
A compensating control is a security measure deployed to reduce the risk associated with a vulnerability when the primary remediation: patching: is not feasible within the required timeframe. Compensating controls do not eliminate the underlying vulnerability; they reduce the probability or impact of exploitation by blocking the attack path, adding authentication requirements, increasing detection coverage, or restricting access to the vulnerable system. Under frameworks like PCI DSS, compensating controls are formally recognized as an acceptable alternative to standard requirements when a business justification exists, provided the controls are documented, monitored, and reviewed on a defined schedule. The key distinction from simply accepting a vulnerability is that compensating controls must demonstrably reduce risk, not merely acknowledge it.
Which CVEs require immediate compensating controls regardless of patching timeline?
Any CVE on the CISA Known Exploited Vulnerabilities catalog requires immediate compensating controls if patching within 24 to 48 hours is infeasible, because KEV inclusion means active exploitation has been confirmed in the wild. Beyond the KEV list, CVEs with an EPSS score above 0.7 should be treated with the same urgency: the FIRST EPSS model's 0.7 threshold represents a high probability of observed exploitation within 30 days. CVEs with a CVSS attack vector of Network, no authentication required, and a CVSS score above 9.0 should also trigger immediate compensating control deployment even if they are not yet KEV-listed, because these characteristics correlate strongly with rapid weaponization. The 12% of CVEs weaponized within 24 hours of disclosure are disproportionately concentrated in this category.
How do I handle a vendor appliance where the vendor prohibits patching the underlying OS?
Vendor OS patching restrictions are common in OT, medical device, and network appliance categories and represent one of the most challenging patching constraint scenarios. In these cases, the compensating control framework must focus entirely on network controls and monitoring because you cannot modify the vulnerable software layer. The specific controls are: restrict network access to the appliance to the minimum required source IPs using firewall ACLs and VLAN isolation; deploy IDS/IPS signatures for the known exploitation pattern; enable maximum logging on the appliance and forward logs to a SIEM you control; and formally request a vendor patch or configuration workaround in writing so you have documentation of the request and the vendor's response. The vendor's written refusal or timeline is itself part of the risk acceptance documentation. If the vendor cannot or will not provide a patch for an actively exploited vulnerability, escalate to your legal team to assess whether continued use of the appliance creates regulatory or contractual exposure.
How long can a compensating control substitute for a patch?
Compensating controls should be treated as time-bounded bridges to patching, not permanent operating postures. The maximum defensible duration depends on the CVE severity and exploitation status. For KEV-listed CVEs, the risk acceptance should be reviewed every 90 days with documented re-evaluation. For high-severity CVEs with deployed network controls, 180-day review cycles are generally defensible. Beyond these windows, auditors and regulators increasingly scrutinize risk acceptances that have been renewed multiple times without a patching commitment. The practical limit is also organizational: as compensating controls accumulate on a system over multiple CVE cycles, the aggregate complexity of the control environment becomes difficult to maintain correctly, and gaps emerge. A system with five sets of compensating controls in place simultaneously may have more effective exposure than a system with one well-implemented control addressing the patched vulnerability.
What NIST 800-53 controls map to compensating control documentation?
Several NIST SP 800-53 control families directly support compensating control documentation and practice. RA-3 (Risk Assessment) requires documenting residual risk and the controls deployed to address it. CA-7 (Continuous Monitoring) requires ongoing monitoring of control effectiveness, which is the operational requirement behind logging and alert rules on vulnerable systems. SA-22 (Unsupported System Components) explicitly addresses the scenario of components that can no longer receive security patches and requires either patching, replacing, or formally documenting the justification for continued use with compensating controls. SI-2 (Flaw Remediation) establishes the patch management baseline and includes provisions for documenting when remediation timelines must be extended. Referencing the specific NIST control family in your risk acceptance documentation strengthens the audit trail, particularly for federal contractors and healthcare organizations operating under FISMA or HIPAA security rules.
What is the difference between a risk acceptance and a plan of action and milestones?
A risk acceptance is a formal decision to operate with a known residual risk after compensating controls have been deployed, typically approved by the CISO or risk committee. It documents the current state: the vulnerability exists, controls are in place, and the organization accepts the remaining risk for a defined period. A plan of action and milestones (POA&M) is a commitment document that records what steps will be taken to close the finding entirely, with specific owners and target completion dates. The two documents are complementary: you file a risk acceptance to cover the period before remediation is complete, and a POA&M to document the remediation path. Federal agencies and their contractors are required to maintain POA&Ms under FISMA. In commercial environments, auditors for SOC 2, PCI DSS, and ISO 27001 increasingly expect both documents for critical findings that are not remediated within standard SLA windows.
Can VLAN isolation alone satisfy a PCI DSS requirement for an unpatched system?
VLAN isolation can be a component of a PCI DSS compensating control, but it is rarely sufficient on its own. PCI DSS Appendix B establishes that compensating controls must 'meet the intent of the original requirement' and 'provide a similar level of defense as the original requirement.' For a critical unpatched vulnerability, meeting that standard typically requires a combination of controls: network isolation reducing access to the minimum required connections, monitoring detecting any exploitation attempts, and an authentication layer if the CVE permits authentication-based mitigation. A single network segmentation control without monitoring or authentication hardening is generally not sufficient to satisfy a PCI DSS compensating control worksheet for a critical CVE. Work with your Qualified Security Assessor early in the process to agree on the control package before the audit, not after.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
