Patch Management
What is Patch Management?
Patch Management: the end-to-end process of identifying, testing, deploying, and verifying software updates that fix vulnerabilities or bugs.
Patch management covers the full lifecycle from vulnerability disclosure to verified remediation across operating systems, firmware, applications, containers, and dependencies. Mature programs prioritize patches using exploitability data (CVSS, EPSS, KEV), business criticality, and compensating controls, and ship them through staged rings to limit operational risk. Automation, change windows, rollback plans, and SLAs by severity are essential.
The window that kills you is between patch and deploy
A patch that exists protects no one; a patch that is installed does, and the gap between the two is where breaches happen.
- Equifax (2017): the Apache Struts flaw CVE-2017-5638 was patched on 7 March 2017; attackers began exploiting Equifax's unpatched dispute portal around 10 March and exfiltrated data on ~147 million people until late July, because the available fix had not been applied.
- WannaCry (May 2017): Microsoft shipped MS17-010 on 14 March 2017, fixing the SMBv1 flaw (CVE-2017-0144) that the leaked EternalBlue exploit abused. Two months later, organisations that had not deployed it, including parts of the UK's NHS, were crippled by ransomware that spread worm-like across unpatched hosts.
- Log4Shell (CVE-2021-44228, 2021): a trivially exploitable RCE in a ubiquitous logging library showed why a live software bill of materials (SBOM) is now part of patch management.
How mature programs prioritise
Because no team can patch everything at once, modern programs rank work by likelihood of exploitation, not just CVSS severity. CISA's Known Exploited Vulnerabilities (KEV) catalog (launched November 2021) and FIRST's EPSS probability scores let teams fast-track the small set of flaws under active attack, while routine fixes flow through staged rings with rollback plans.
```mermaid
flowchart LR
    A[Vulnerability disclosed / CVE] --> B[Asset inventory + SBOM:<br/>are we affected?]
    B --> C[Prioritise: CVSS + EPSS + KEV<br/>+ business criticality]
    C --> D[Test in pilot ring]
    D --> E[Staged rollout:<br/>broad then production]
    E --> F[Verify via re-scan]
    F -->|Failed / regression| G[Rollback + compensating control]
    G --> D
```
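The prioritisation step above (KEV first, then CVSS, EPSS, business criticality and compensating controls, each tier with its own SLA) as a small worked example. This is added illustration code, not tooling from the page; the tier thresholds, SLA days, asset names and the CVSS/EPSS values attached to the sample findings are assumptions, and the `CVE-EXAMPLE-*` identifiers are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TIERS = ["low", "medium", "high", "emergency"]
SLA_DAYS = {"low": 90, "medium": 30, "high": 14, "emergency": 2}  # assumed SLAs by tier

@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float              # CVSS base score, 0-10
    epss: float              # EPSS probability of exploitation, 0-1
    in_kev: bool             # listed in CISA's KEV catalog
    criticality: str         # business criticality: "high" | "medium" | "low"
    compensating_control: bool = False  # e.g. WAF rule or network isolation in place

def tier(f: Finding) -> str:
    """Map one finding to a remediation tier. Thresholds are assumptions."""
    if f.in_kev:                      # under active exploitation: out-of-band, never downgraded
        return "emergency"
    base = "low"
    if f.cvss >= 9.0 or f.epss >= 0.5:
        base = "high"
    elif f.cvss >= 7.0 or f.epss >= 0.1:
        base = "medium"
    idx = TIERS.index(base)
    idx += {"high": 1, "medium": 0, "low": -1}[f.criticality]  # asset value shifts one tier
    if f.compensating_control:
        idx -= 1                      # a mitigation buys time, it does not close the finding
    # only KEV entries reach the emergency tier; clamp everything else to low..high
    return TIERS[max(0, min(idx, TIERS.index("high")))]

def build_worklist(findings, today: date):
    """Order findings by tier, then EPSS, and attach an SLA due date."""
    ranked = sorted(findings, key=lambda f: (-TIERS.index(tier(f)), -f.epss))
    return [(f.cve, f.asset, tier(f),
             (today + timedelta(days=SLA_DAYS[tier(f)])).isoformat())
            for f in ranked]

# Constructed sample findings; the CVSS/EPSS numbers are illustrative, not the real scores.
SAMPLE = [
    Finding("CVE-2017-5638", "dispute-portal", 10.0, 0.97, True, "high"),
    Finding("CVE-2021-44228", "batch-worker", 10.0, 0.97, True, "low", True),
    Finding("CVE-EXAMPLE-0001", "hr-app", 9.8, 0.02, False, "medium"),
    Finding("CVE-EXAMPLE-0002", "dev-wiki", 7.5, 0.01, False, "low"),
    Finding("CVE-EXAMPLE-0003", "payments-api", 6.5, 0.30, False, "high", True),
]

if __name__ == "__main__":
    for row in build_worklist(SAMPLE, date(2024, 1, 15)):
        print(*row)
```

Note that the Log4Shell entry stays in the emergency tier despite its low-value asset and compensating control, because KEV listing means the flaw is being exploited now.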
● Examples
- 01: An emergency out-of-band patch cycle for a CISA KEV-listed remote code execution flaw.
- 02: Phased monthly Windows patch deployment using rings: pilot, broad, then production.
● Frequently asked questions
What is Patch Management?
The end-to-end process of identifying, testing, deploying, and verifying software updates that fix vulnerabilities or bugs. It belongs to the Defense & Operations category of cybersecurity.
What does Patch Management mean?
The end-to-end process of identifying, testing, deploying, and verifying software updates that fix vulnerabilities or bugs.
How do you implement Patch Management?
An effective patch management programme typically combines technical controls and operational practices, as detailed in the full definition above.
What are other names for Patch Management?
Common alternative names include: Update management.