Patch Management

What is Patch Management?

Patch management is the systematic process of identifying applicable software updates and security patches, testing them for compatibility, prioritizing them by risk, and deploying them to all affected systems within defined timeframes. It is one of the most fundamental and highest-impact security practices available: the vast majority of successful cyberattacks exploit known vulnerabilities for which patches have been available — sometimes for years. CISA's Known Exploited Vulnerabilities (KEV) catalog documents hundreds of vulnerabilities actively exploited in the wild, most of which have available patches. Effective patch management directly reduces the attack surface available to attackers without requiring any additional defensive tooling.

Description

Patch management spans multiple technology categories that each present different operational challenges. Operating system patching is the most mature domain, with established update mechanisms (Windows Update, RHEL Satellite, Ansible) and well-understood testing workflows. Application patching — covering web servers, databases, middleware, and third-party software — is more complex because patch impact testing requires application-specific validation. Container security patching requires updating base images in CI/CD pipelines rather than patching running instances. Network device and appliance patching often requires maintenance windows that disrupt operations, creating deferred patching backlogs. Firmware security patching for IoT and OT devices may require physical access or device replacement.

Effective patch management requires: continuous vulnerability scanning to identify missing patches; vulnerability prioritization using CVSS, EPSS, and CISA KEV to focus effort on critical and exploited vulnerabilities; documented patch deployment SLAs by severity; testing environments for patch validation before production deployment; exception management for systems that cannot be patched without business disruption; and compensating controls for unpatched systems that remain exposed.

Usage and Examples

The 2017 WannaCry ransomware outbreak exploited EternalBlue, a vulnerability in Windows SMB for which Microsoft had released a patch (MS17-010) two months prior. Organizations without effective patch management — including the NHS, FedEx, and Telefonica — suffered significant disruptions, while those that had patched were unaffected. The pattern repeats consistently: Log4Shell (2021) affected organizations running unpatched Log4j for months after patches were available; ProxyLogon (2021) affected organizations that had not applied Exchange Server patches; and MOVEit Transfer (2023) exploitation targeted organizations using unpatched versions of the file transfer software. Each incident demonstrates the compounding cost of delayed patching compared to the operational cost of timely patch deployment. Evolve Security's Log4j update guidance provided actionable patching steps during the Log4Shell crisis.

How Does This Relate to Penetration Testing?

Unpatched vulnerabilities are consistently among the highest-severity findings in penetration testing engagements. External network assessments regularly identify internet-facing systems running software with known exploits available in public exploit databases. Internal network assessments find unpatched internal servers, missing Windows security updates on domain-joined endpoints, and legacy systems running end-of-life software with no available patches. Post-engagement, vulnerability findings mapped to specific CVEs with available patches provide a concrete, prioritized patching roadmap. The continuous penetration testing model addresses the gap between annual assessments: vulnerabilities introduced between tests accumulate until the next engagement unless continuous scanning validates patch status between assessments. Evolve Security's network penetration testing engagements identify unpatched vulnerabilities on internet-facing and internal systems — providing a prioritized remediation roadmap aligned to real-world exploitability.
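The prioritization described under Description (CVSS, EPSS and CISA KEV feeding severity-based SLAs) and the CVE-mapped remediation roadmap described above can be shown concretely. The following is an added example, not code from this page or from Evolve Security: it takes scanner findings, drops any whose installed version already contains the fix, tiers the rest, computes an SLA due date and flags breaches. The Finding fields, the tier thresholds, the SLA table, the package names, the CVE-style identifiers and all sample data are constructed for illustration and are not real advisories.

```python
"""Vulnerability prioritization and patch SLA tracking (added example).

Assumptions (not from the page): the Finding fields, the tier thresholds,
the SLA table and the sample findings below are constructed; the CVE-style
identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed SLA table: days allowed to deploy a patch, by priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


@dataclass
class Finding:
    host: str
    package: str
    installed: str        # version observed by the scanner
    fixed: str            # first version that contains the patch
    cve: str              # placeholder identifier, not a real CVE
    cvss: float           # CVSS base score, 0.0 to 10.0
    epss: float           # EPSS probability, 0.0 to 1.0
    in_kev: bool          # listed in the CISA KEV catalog
    internet_facing: bool
    first_seen: date      # date the scanner first reported the finding


def parse_version(v: str) -> tuple:
    """Split '2.17.1' into a tuple so versions compare numerically
    (so 3.0.9 < 3.0.10). Non-numeric components sort after numeric ones."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def is_unpatched(f: Finding) -> bool:
    """True when the installed version predates the fixed version."""
    return parse_version(f.installed) < parse_version(f.fixed)


def priority(f: Finding) -> str:
    """Tier a finding: known-exploited (KEV) or likely-exploited (EPSS) flaws
    on exposed hosts first, then by CVSS severity. Thresholds are constructed."""
    if f.in_kev or (f.epss >= 0.5 and f.internet_facing):
        return "P1"
    if f.cvss >= 9.0 or (f.cvss >= 7.0 and f.internet_facing):
        return "P2"
    return "P3"


def due_date(f: Finding) -> date:
    """SLA deadline counted from the day the finding was first seen."""
    return f.first_seen + timedelta(days=SLA_DAYS[priority(f)])


def build_roadmap(findings, today: date):
    """Return unpatched findings ordered by tier, then by due date,
    each annotated with whether its SLA has already been breached."""
    rows = []
    for f in findings:
        if not is_unpatched(f):
            continue  # installed version already carries the fix; not actionable
        tier = priority(f)
        due = due_date(f)
        rows.append({"host": f.host, "package": f.package, "cve": f.cve,
                     "tier": tier, "due": due, "overdue": today > due})
    rows.sort(key=lambda r: (r["tier"], r["due"]))  # "P1" < "P2" < "P3"
    return rows


# Constructed sample scan results; hosts, packages and identifiers are fictional.
TODAY = date(2024, 3, 1)
SAMPLE = [
    Finding("web-01", "libexample", "1.2.3", "1.2.4", "CVE-0000-0001",
            9.8, 0.97, True, True, date(2024, 2, 1)),
    Finding("db-02", "sqlthing", "5.1.0", "5.1.0", "CVE-0000-0002",
            8.8, 0.30, False, False, date(2024, 2, 10)),   # already patched
    Finding("app-03", "midware", "3.0.9", "3.0.10", "CVE-0000-0003",
            9.8, 0.10, False, False, date(2024, 2, 20)),
    Finding("file-04", "transferx", "10.2", "10.3", "CVE-0000-0004",
            7.5, 0.60, False, True, date(2024, 2, 25)),
    Finding("int-05", "libfoo", "0.9.1", "0.9.2", "CVE-0000-0005",
            5.3, 0.02, False, False, date(2023, 11, 1)),
]

if __name__ == "__main__":
    for r in build_roadmap(SAMPLE, TODAY):
        flag = "OVERDUE" if r["overdue"] else "on track"
        print(f'{r["tier"]} {r["host"]:8} {r["package"]:12} {r["cve"]} '
              f'due {r["due"]} {flag}')
```

The roadmap puts the KEV-listed finding and the high-EPSS internet-facing finding ahead of a CVSS 9.8 flaw on an internal host, which is the point of weighting exploitation evidence over base score alone; the finding whose installed version already meets the fixed version is dropped so the list stays actionable.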
