60%
Of data breaches exploit a vulnerability for which a patch was available (Ponemon Institute)
12 days
Median time from vulnerability disclosure to active exploitation in the wild (Rapid7 2025)
CIS #7
Rank of continuous vulnerability management in the CIS Critical Security Controls: the 7th most important control
85%
Of critical CVEs patched within 30 days in mature patch management programs versus 43% in ad-hoc programs

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Most organizations patch reactively: a critical vulnerability is disclosed, leadership panics, IT scrambles to find affected systems, and patches get deployed inconsistently under time pressure. This is expensive, stressful, and ineffective.

A patch management program replaces panic with process. It answers four questions in advance: What systems do we have? How fast do different vulnerabilities need to be patched? How do we deploy patches without breaking production? And how do we know if we are succeeding?

Component 1: Asset Inventory

You cannot patch systems you do not know exist. The asset inventory is the foundation of every other patch management component: and it is almost always less complete than IT believes.

What the inventory needs to track:

  • System hostname and IP address
  • Operating system version (exact build number, not just 'Windows 10')
  • Installed software and versions (critical for third-party patching)
  • System owner and business function
  • Production vs non-production classification
  • Network location (internet-facing, internal, DMZ, OT)
  • Patch management tool enrollment status

Building the inventory:

# Windows: Export all enrolled systems from Windows Update for Business / WSUS
Get-WsusComputer | Select-Object FullDomainName, OSDescription, LastSyncTime |
    Export-Csv -Path C:\inventory\wsus_systems.csv

For cloud infrastructure:

# AWS: List all EC2 instances and their patch state
aws ec2 describe-instances --query \
  'Reservations[*].Instances[*].{Name:Tags[?Key==`Name`]|[0].Value, \
  InstanceId:InstanceId, State:State.Name, OS:Platform, PrivateIP:PrivateIpAddress}' \
  --output table

# AWS Systems Manager Patch Manager: compliance report
aws ssm describe-instance-patch-states --output table

Gap identification: After building the inventory from managed sources, run a network scan against your IP space to find systems not in the inventory (common causes: shadow IT servers, legacy systems removed from management tools, cloud instances not enrolled in SSM):

nmap -sn 10.0.0.0/8 -oG - | grep 'Up$' | awk '{print $2}' > live_hosts.txt
# Compare live_hosts.txt against your known inventory

Any IP with a live host that is not in your inventory is an unmanaged system: either enroll it in patch management or decommission it.

Component 2: Risk-Based Patching SLA

A patching SLA defines how fast each vulnerability severity class must be remediated. Without an SLA, every patch is theoretically urgent: so none are treated as urgent in practice.

Recommended patching SLA tiers:

TierCriteriaSLA Target
EmergencyCVSS 9.0+ AND actively exploited (CISA KEV listed)24-48 hours for internet-facing, 7 days for internal
CriticalCVSS 9.0+ OR CVSS 7.0-8.9 with known PoC exploit7 days for internet-facing, 14 days for internal
HighCVSS 7.0-8.9 without public exploit14-30 days
MediumCVSS 4.0-6.960-90 days
LowCVSS < 4.0Next scheduled maintenance window

Using CISA KEV as an emergency trigger:

CISA's Known Exploited Vulnerabilities catalog lists CVEs with evidence of active exploitation. Every CVE added to KEV should trigger an emergency review regardless of CVSS score: some KEV entries have CVSS scores below 7.0 but are being actively exploited at scale.

# Download the latest CISA KEV catalog
curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
  -o /tmp/kev.json

# Count new additions in the last 7 days
cat /tmp/kev.json | python3 -c "
import json,sys
from datetime import datetime, timedelta
data = json.load(sys.stdin)
cutoff = (datetime.now() - timedelta(days=7)).strftime('%Y-%m-%d')
new = [v for v in data['vulnerabilities'] if v['dateAdded'] >= cutoff]
print(f'{len(new)} new KEV entries in the last 7 days')
for v in new:
    print(f"{v['cveID']}: {v['vulnerabilityName']}")
"

Documenting exceptions: When a patch cannot be deployed within the SLA (incompatible application, no maintenance window, vendor has not released a patch), document:

  • The CVE and affected system
  • The reason the SLA cannot be met
  • The compensating control in place (WAF virtual patch, network isolation, monitoring)
  • The expected remediation date
  • The risk owner who approved the exception

Exceptions without documentation become permanent. Every exception needs an expiry date.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Component 3: Deployment Process

Patches that break production are a patch management program killer: one incident that requires a 3 AM rollback creates organizational resistance that takes months to overcome. A testing process prevents this.

The deployment pipeline for standard patches:

Stage 1: Patch validation (lab/non-production) Deploy the patch to a test environment that mirrors production as closely as possible. Run application smoke tests: key user journeys, critical business processes. Hold for 24-72 hours after deployment; most compatibility problems appear within the first day of use.

Stage 2: Pilot deployment (5-10% of production systems) Deploy to a representative sample of production systems: not the most critical, but a cross-section that reflects the diversity of your environment (different OS versions, different software stacks). Hold for 48-72 hours and monitor for errors, crashes, and application failures.

Stage 3: Broad deployment (remaining production) If Stage 2 completes without incident, deploy to all remaining systems within the SLA window.

For Emergency patches: The testing process is compressed but not eliminated. Emergency patches should still go through a 4-hour test environment validation and a 2-hour pilot before full deployment. Skipping testing entirely for emergency patches is the most common cause of outages.

Tooling for Windows environments:

# Microsoft Endpoint Configuration Manager (MECM/SCCM): phased deployment
# Create deployment rings:
# Ring 0: Test servers (immediate after Patch Tuesday)
# Ring 1: Non-critical workstations (T+7 days)
# Ring 2: Production servers (T+14 days)
# Ring 3: Critical production systems (T+21 days after validation)

# Windows Update for Business via Intune: deferral policy
# Quality updates: 0 days for Ring 0, 7 for Ring 1, 14 for Ring 2

Tooling for Linux endpoints:

# Ansible playbook for staged patching
# hosts file separates test, pilot, and production groups
ansible-playbook patch.yml -l test_servers --check  # Dry run first
ansible-playbook patch.yml -l test_servers
# Wait 48 hours, validate, then:
ansible-playbook patch.yml -l pilot_servers
# Wait 48 hours, validate, then:
ansible-playbook patch.yml -l production_servers

Component 4: Metrics and Reporting

A patch management program without metrics is not a program: it is intentions. Track four metrics, report them monthly.

Metric 1: Mean Time to Patch (MTTP) by severity The average number of days from vulnerability disclosure to patch deployment, segmented by severity tier. Compare against your SLA targets. If MTTP for Critical patches is 21 days and your SLA is 14 days, you are out of compliance.

Metric 2: Patch compliance rate by system tier The percentage of systems patched within SLA for each vulnerability severity. Target: 95%+ for Critical, 90%+ for High, 85%+ for Medium.

-- Example query for WSUS/MECM database
SELECT 
    CASE 
        WHEN CVSSScore >= 9.0 THEN 'Critical'
        WHEN CVSSScore >= 7.0 THEN 'High'
        WHEN CVSSScore >= 4.0 THEN 'Medium'
        ELSE 'Low'
    END AS Severity,
    COUNT(*) AS TotalSystems,
    SUM(CASE WHEN DaysToApply <= SLADays THEN 1 ELSE 0 END) AS WithinSLA,
    ROUND(100.0 * SUM(CASE WHEN DaysToApply <= SLADays THEN 1 ELSE 0 END) / COUNT(*), 1) AS ComplianceRate
FROM PatchDeployments
WHERE PatchDate >= DATEADD(month, -1, GETDATE())
GROUP BY Severity

Metric 3: Unmanaged system count Systems in the network scan that are not enrolled in patch management. Target: zero. Any non-zero number requires an explanation: what is the system, who owns it, and what is the plan to enroll or decommission it.

Metric 4: Open exceptions count and age The number of active exceptions (systems with patches outstanding beyond SLA), their age, and whether compensating controls are documented. Exceptions older than 90 days without a remediation plan represent accumulated technical debt that needs escalation.

The bottom line

A patch management program has four components: asset inventory (scan your network quarterly to find unmanaged systems), risk-based SLA (Critical+KEV in 24-48 hours for internet-facing, High in 14-30 days, Medium in 60-90 days), staged deployment pipeline (test environment, pilot group, then broad deployment: never skip testing for emergency patches), and four monthly metrics (MTTP by severity, compliance rate, unmanaged system count, open exception count). Start with the inventory: you cannot patch what you do not know exists.

Frequently asked questions

What is a patch management SLA?

A patch management SLA defines how quickly each vulnerability severity class must be remediated. A typical framework: Critical vulnerabilities with active exploitation (CISA KEV-listed) within 24-48 hours for internet-facing systems; Critical and High CVEs within 7-14 days; Medium within 60-90 days. The SLA must be documented, tracked with metrics, and have a formal exception process for systems that cannot meet the deadline.

What tools do I need for patch management?

For Windows environments: Microsoft Endpoint Configuration Manager (MECM/SCCM) or Windows Update for Business via Intune for deployment, plus a vulnerability scanner (Tenable Nessus, Qualys, Rapid7) for identification. For Linux: Ansible or Red Hat Satellite for deployment. For cloud: AWS Systems Manager Patch Manager (AWS), Azure Update Manager (Azure). The scanner identifies what needs patching; the deployment tool applies it.

What are typical patch management SLA targets?

Industry standard SLAs based on CVSS severity: Critical (CVSS 9.0-10.0) — 24-72 hours for internet-facing systems, 7 days for internal; High (7.0-8.9) — 7 days internet-facing, 30 days internal; Medium (4.0-6.9) — 30 days; Low (0.1-3.9) — next scheduled maintenance window. CISA KEV catalog entries override these SLAs: KEV items require patching by the CISA-specified deadline regardless of CVSS score. For internet-facing systems, treat any actively exploited CVE as Critical regardless of its formal score.

How do I handle patch management for third-party applications?

Third-party application patching (Chrome, Acrobat, Java, Zoom, etc.) is often the biggest gap in patch management programs. Use a third-party patching tool that integrates with your MDM: Ivanti Patch for SCCM, ManageEngine Patch Manager Plus, or the Chocolatey package manager for Windows. For Mac environments, Mosyle, Jamf Pro, or Kandji support third-party app patching. Prioritize browsers and PDF readers first (highest attack surface), followed by productivity suites and collaboration tools. Enable auto-update where feasible and use your vulnerability scanner to identify unpatched third-party software across the fleet.

How do I measure patch management program effectiveness?

Three metrics: Mean Time to Patch (MTTP) by severity — track the average time from CVE publication to patch deployment for Critical, High, and Medium vulnerabilities; Patch Coverage — percentage of in-scope assets patched within SLA for each severity tier; and Vulnerability Recurrence — count of findings that reappear after being marked remediated (indicates patch verification gaps). Report these monthly to security leadership. A mature patch program targets MTTP under 72 hours for Critical CVEs and over 95% patch coverage within SLA for all severity tiers.

How do you manage patching for cloud infrastructure and containerized environments?

Cloud and container patching requires a different model than traditional agent-based patching because infrastructure is often ephemeral and immutable. For EC2 instances and Azure VMs, use the cloud-native patching tools: AWS Systems Manager Patch Manager and Azure Update Manager both provide inventory, compliance reporting, and scheduled deployment without a separate agent. For containerized workloads, patching means rebuilding container images with updated base layers rather than patching running containers. Integrate image scanning into your CI/CD pipeline using tools like Trivy, Snyk Container, or AWS ECR image scanning: every image build should fail if it contains Critical or High CVEs with available patches. Set a policy that containers cannot be deployed with unpatched Critical CVEs in their base image. For Kubernetes, use image update automation tools like Flux's image update automation or Renovate to detect when a base image has been updated with security patches and automatically open pull requests. For serverless functions, enable automatic runtime updates where the cloud provider manages the runtime layer (AWS Lambda managed runtimes) and alert when a function uses a deprecated runtime version. Track container image age as a patching metric: images older than 90 days in production likely contain unpatched vulnerabilities even if they passed initial scan.

Sources & references

  1. CISA: Known Exploited Vulnerabilities Catalog
  2. NIST SP 800-40: Guide to Enterprise Patch Management Planning
  3. CIS Control 7: Continuous Vulnerability Management

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.