Your patch cycle was designed for a world where exploitation took weeks. That world is gone. The median time from public disclosure to in-the-wild exploitation is now measured in days — and for internet-facing edge devices, sometimes hours. A process built around a monthly rhythm is, structurally, handing adversaries a head start you can no longer afford.

Most enterprise patch programs still run on that monthly rhythm: Patch Tuesday lands, packages get tested for a week or two, a change window opens, and roughly thirty days later the estate is mostly current. That cadence was defensible when the average vulnerability took thirty to sixty days to see real exploitation. It is not defensible now.

The math stopped working

Look at the last two years of mass-exploitation events — file transfer appliances, VPN concentrators, email gateways. In case after case, exploitation began within seventy-two hours of public disclosure, and in the worst cases the vulnerability was already being exploited as a zero-day before the vendor advisory shipped. If your fastest realistic path to production is thirty days, you are offering attackers a four-week window on your most exposed assets. The patch window did not shrink. It closed.

Stop treating the estate as one thing

The fix is not "patch everything faster." Nobody can, and trying burns the ops team out for no gain. The fix is recognizing that your estate contains tiers with wildly different risk clocks:

  • Tier 1 — internet-facing. VPNs, gateways, load balancers, anything with a login page reachable from the internet. These need an emergency lane: twenty-four to seventy-two hours from advisory to mitigation, pre-authorized, no change board meeting required.
  • Tier 2 — identity and management planes. Domain controllers, hypervisor management, privileged access management, backup infrastructure. Days, not weeks. These are where attackers pivot after initial access.
  • Tier 3 — everything else. The internal fleet. Monthly is still fine here. Genuinely fine — do not let the urgency of Tier 1 spill into panic-patching workstations.

Most organizations invert this. They patch workstations aggressively because the tooling makes it easy, while the VPN appliance waits for a quarterly maintenance window because rebooting it is scary. That is exactly backwards, and it is exactly the pattern the exploitation data punishes.

Triggers, not calendars

For Tier 1 and Tier 2, the patch trigger should not be a date — it should be a signal. Two signals do most of the work: an entry in the CISA Known Exploited Vulnerabilities catalog, and a high EPSS score on software you actually expose. Either one fires the emergency lane. Keeping the lane tied to real exploitation evidence keeps it rare enough that people take it seriously when it fires.

The emergency lane itself has to be pre-negotiated. The worst time to debate change management policy is during an active mass-exploitation event. Get the standing approval in writing: for KEV-listed vulnerabilities on Tier 1 assets, the ops team patches first and files the change record after. If your change board will not agree to that, show them the timeline of any recent edge-device campaign and ask which meeting they would have scheduled the approval into.

When you cannot patch, mitigate

Sometimes the patch is not out yet, breaks something, or needs downtime you cannot take immediately. The emergency lane should treat mitigation as a first-class outcome, not a failure:

  • Pull the management interface off the internet. A striking fraction of exploited devices never needed to be exposed at all.
  • Apply the vendor's interim mitigation — disable the vulnerable feature, restrict source addresses — and record it so it gets revisited when the real fix ships.
  • Isolate and elevate monitoring. If you cannot close the hole for forty-eight hours, watch the asset as though it is already compromised, because statistically it may be.

Measure time-to-mitigate, not patch compliance

The metric that matters is the gap between public disclosure and the moment the asset is no longer exploitable — by patch or by mitigation. Report that number for Tier 1, per event, to leadership. "Ninety-eight percent patch compliance" is a comfortable number that hides the two internet-facing boxes that stayed vulnerable for three weeks. One number per incident — hours exposed — tells the real story, and it is the number a regulator or an attorney will eventually reconstruct anyway.

Build the tiers. Wire the triggers. Pre-approve the lane. Then let the monthly cycle keep doing what it is still good for: everything that is not on fire.

The patch window is not coming back. The organizations that stay ahead are not the ones patching fastest across the board — they are the ones who decided, in advance, which small set of assets earns an emergency response, and built the plumbing to deliver it before the advisory drops.