Glossary/Detection Engineering/Patch Management

What Is Patch Management? Process and Best Practices

CVE-2017-0144, the SMB flaw behind EternalBlue, had a patch out on March 14, 2017. WannaCry hit on May 12, 2017, almost two months later, and still tore through hundreds of thousands of machines because the update was sitting in a queue nobody had cleared. The vulnerability was not unknown and the fix was not missing. The patch existed and had not been deployed. That gap, between a fix being available and a fix being live on every affected system, is the entire problem patch management exists to solve.

Patch management is the process of identifying, acquiring, testing, and deploying updates to software and firmware across an environment, then confirming the update actually landed. It covers operating systems, applications, drivers, and network and IoT firmware. The security goal is narrow and concrete: shrink the window between when a vendor ships a fix and when your fleet is running it, because that window is exactly when an attacker has a working exploit and you have a known hole. This guide covers what patch management is, the lifecycle stage by stage, how patches differ by type and urgency, the tooling, and the practices that keep the process from stalling.

What is patch management?

Patch management is a continuous operational process for keeping software current and secure. A patch is a piece of code a vendor releases to correct a problem in an existing program: a security flaw, a functional bug, a performance issue, or a compatibility gap. Patch management is the discipline of getting those patches onto every system that needs them, in a controlled way, without breaking what was working.

It is broader than security alone. Patches fall into a few buckets: security patches that close a vulnerability, bug fixes that correct faulty behavior, and feature or performance updates that change or improve functionality. A security team cares most about the first, but the process has to handle all of them, because they arrive through the same update channels and compete for the same maintenance windows.

The reason it is a security control and not just IT housekeeping is the exploit timeline. When a vendor discloses a vulnerability and ships a patch, the disclosure tells every attacker exactly what to look for. Exploit code often appears within days, sometimes hours. An unpatched system with a public exploit against it is a known, documented way in. Patch management is how a defender closes that door before someone walks through it, and it is why unpatched software remains one of the most common root causes in breach investigations.

Patch management is tightly bound to vulnerability management, but the two are not the same. Vulnerability management finds and prioritizes the weaknesses; patch management is one of the ways you remediate them. A vulnerability scanner tells you a host is missing MS17-010; patch management is the workflow that gets the update tested, approved, deployed, and verified on that host.

The patch management lifecycle

Patch Management Lifecycle
Six stages, run as a cycle
Inventory and assess find the gaps. Prioritize, test, and deploy close them. Verify proves it landed. Then it repeats.
01 · FIND
Inventory
Catalog every asset and its software, OS, and firmware.
02 · FIND
Identify & assess
Match released patches to inventory, assess what each fixes.
03 · CLOSE
Prioritize
Rank by exposure and active exploitation, not severity alone.
04 · CLOSE
Test
Validate in staging or a pilot ring before production.
05 · CLOSE
Deploy
Roll out in stages, immediately for exploited flaws.
06 · PROVE
Verify & document
Confirm the install state, record coverage, feed back failures.
The window you are racing EternalBlue had a patch on March 14, 2017. WannaCry hit on May 12, 2017. The fix existed for two months and was not deployed. Mean time to patch is the number an attacker is racing against.

Patch management runs as a repeating cycle, not a one-time fix. The stages below run in order, and the cycle restarts every time a vendor ships new updates, which for a typical fleet is constant.

1. Inventory. You cannot patch what you do not know you have. The first stage is a current inventory of every asset and the software running on it: operating system versions, installed applications, drivers, firmware. A missing or stale inventory is the most common reason a critical patch never reaches a box, because nobody knew the box existed. Shadow IT and forgotten internet-facing systems are where unpatched holes live longest.

2. Identify and assess. Track the patches vendors release and match them against your inventory. For each relevant patch, assess what it fixes and how urgent it is: a security patch for an actively exploited flaw on an internet-facing server is not the same as a cosmetic bug fix on an isolated workstation. This is where patch management consumes vulnerability and threat intelligence to decide what matters.

3. Prioritize. You cannot deploy everything at once, so rank the patches. Severity matters, but so does context: whether the affected system is exposed, whether the flaw is being exploited in the wild, what the system is worth, and what compensating controls already stand in front of it. A patch for a flaw with a public exploit on an exposed host jumps the queue past a higher-severity flaw on a segmented internal one.

4. Test. Apply the patch in a staging environment or to a pilot group before it touches production. Patches break things: a fix can introduce a regression, conflict with another application, or take a critical service down. Testing is the stage organizations are tempted to skip under pressure, and skipping it is how a security patch becomes an outage. The discipline is to test fast enough that testing does not itself become the deployment delay.

5. Deploy. Roll the tested patch out to production, usually in stages: a small ring first, then wider, so a problem missed in testing surfaces on a few machines instead of all of them. Deployment is scheduled into maintenance windows where it can, and pushed immediately when an actively exploited flaw leaves no room to wait.

6. Verify and document. Confirm the patch actually installed and the system is in the expected state. A deployment that reports success but left machines unpatched, because they were offline, rebooted late, or rolled back, is worse than no deployment, because the dashboard now lies. Verify against the real state, document what was deployed where, and feed any failures back into the next cycle.

Patch management lifecycle at a glance

StageWhat it doesFailure mode if skipped
1. InventoryCatalog every asset and its software, OS, and firmwareUnknown assets never get patched
2. Identify and assessMatch released patches to inventory, assess what each fixesRelevant patches go unnoticed
3. PrioritizeRank by severity, exposure, active exploitation, and asset valueEffort spent on low-risk fixes while exploited flaws wait
4. TestValidate patches in staging or a pilot groupA bad patch takes production down
5. DeployRoll out in stages, immediately for actively exploited flawsThe fix never reaches the fleet
6. Verify and documentConfirm install state, record coverage, feed back failuresDashboard reports patched while hosts stay vulnerable

Types of patches and how urgency differs

Not every patch carries the same weight, and treating them all the same is how the urgent ones get buried. Patches differ by what they fix and by how fast they need to go out.

Security patches close a vulnerability. These are the patch management priority, because each one corresponds to a documented weakness, often with a CVE identifier and a severity score, that an attacker can target. Within security patches, the dividing line is active exploitation: a flaw being used in the wild right now demands emergency deployment, while a high-severity flaw with no known exploit can follow the normal cycle.

Bug fixes correct functional problems that are not security issues: a feature that crashes, a calculation that is wrong, a workflow that hangs. They matter for stability and they ride the same pipeline, but they rarely jump the queue ahead of a security patch.

Feature and performance updates add or change functionality, or make existing functionality faster. They are the lowest security priority and the ones most worth scheduling into a normal window, because they are also the most likely to change behavior users depend on.

Two timing patterns shape the work. Many vendors release on a fixed schedule, the best known being Microsoft's Patch Tuesday, the second Tuesday of each month, which lets teams plan a monthly cycle. Cutting across that is the out-of-band patch: an emergency release outside the schedule, issued when a flaw is severe and exploited enough that waiting for the next cycle is not safe. A mature process runs the steady monthly cadence and can still drop everything to push an out-of-band fix the same day.

Patch management tools

At any real scale, patch management is automated. Manually tracking and updating every machine does not survive past a few dozen endpoints, and the gaps it leaves are exactly the unpatched systems attackers find. Tooling falls into a few categories.

OS-native and vendor tools. Microsoft offers Windows Server Update Services (WSUS) and, increasingly, cloud-based update management through Microsoft Intune, for managing Windows updates across a fleet. Linux distributions manage packages through their own package managers and update mechanisms. These handle the vendor's own software well and are often the baseline.

Dedicated patch and endpoint management platforms go wider, covering multiple operating systems and a large catalog of third-party applications from one console, with scheduling, ring-based rollout, and reporting. This category overlaps with broader endpoint management and unified endpoint management suites that handle configuration and patching together.

Vulnerability management integration closes the loop. When the scanner that finds the missing patch and the system that deploys it share data, prioritization stops being manual: the exploited, exposed, high-value findings can be routed to deployment first, and verification can confirm the specific vulnerability is closed rather than just that an update ran.

The point of tooling is coverage and proof. Good tooling tells you not just what you pushed, but what is actually patched right now across the whole fleet, including the machines that were offline when the job ran.

Patch management best practices

The process fails in predictable places. These practices target the failure modes directly.

Keep the inventory current and complete. Every other stage depends on it. An asset inventory that misses systems guarantees unpatched systems. Reconcile it continuously, and treat the discovery of an unknown internet-facing host as an incident, not a footnote.

Prioritize by exploitability and exposure, not severity alone. A CVSS score is a property of the flaw, not of your environment. Push patches for actively exploited and internet-facing flaws first. Feed threat intelligence and exposure context into the queue so the patches that close real attack paths go out before the ones that look scary on paper but cannot be reached.

Test before you deploy, but do not let testing become the delay. Use a staging environment and a pilot ring so a bad patch surfaces on a few machines, not all of them. For routine patches this is non-negotiable; for an actively exploited flaw, shrink the test ring and accept the tradeoff, because the exploit risk now outweighs the regression risk.

Automate, and stage the rollout. Automate identification, deployment, and reporting so the process scales past human tracking. Deploy in rings, narrow to wide, so problems are contained. Schedule into maintenance windows for routine work and keep an emergency path for out-of-band fixes.

Verify against real state and measure the gap. Do not trust the deployment job's success message. Confirm machines are actually patched, chase the ones that are not, and track the metric that matters: the time between a patch being available and your fleet running it. That mean-time-to-patch is the number an attacker is racing against.

Have a rollback plan. Patches break things. Know how to back a patch out before you push it, so a bad deployment is a recoverable event and not a prolonged outage that pressures the team into skipping testing next time.

For a defender, patch management is one of the highest-leverage controls there is, because it removes known, documented, exploitable holes rather than trying to detect attacks against them after the fact. It is unglamorous and it is constant, and the organizations that do it well are the ones that have made it a measured, automated, verified process instead of a backlog someone gets to when there is time.

Frequently Asked Questions

What is patch management?

Patch management is the process of identifying, acquiring, testing, and deploying software and firmware updates across an environment, then verifying they installed. Its security purpose is to close known vulnerabilities by shrinking the window between when a vendor ships a fix and when every affected system is running it. It covers operating systems, applications, drivers, and firmware.

What is the difference between patch management and vulnerability management?

Vulnerability management finds and prioritizes weaknesses across the environment. Patch management is one of the ways those weaknesses get remediated. A scanner reports that a host is missing a specific update; patch management is the workflow that tests, approves, deploys, and verifies that update on the host. They work together, but patching is the remediation step, not the discovery step.

What are the stages of the patch management lifecycle?

In order: inventory (catalog assets and software), identify and assess (match released patches to inventory), prioritize (rank by severity, exposure, and active exploitation), test (validate in staging or a pilot group), deploy (roll out in stages), and verify and document (confirm the install and record coverage). The cycle repeats as vendors ship new patches.

What is the difference between a patch and an out-of-band patch?

A regular patch is released on a vendor's normal schedule, such as Microsoft's monthly Patch Tuesday on the second Tuesday of each month. An out-of-band patch is an emergency release issued outside that schedule, when a flaw is severe and actively exploited enough that waiting for the next cycle is unsafe. Out-of-band patches are deployed as fast as testing allows.

How quickly should security patches be deployed?

It depends on risk. A flaw that is being actively exploited in the wild, especially on an internet-facing system, demands emergency deployment, often within hours or days. A high-severity flaw with no known exploit can follow the normal monthly cycle. Prioritize by exploitability and exposure, not severity score alone, and measure your mean time to patch against the speed at which exploits appear.

Why is patch testing important?

Patches can break things: introduce regressions, conflict with other software, or take a critical service down. Testing in a staging environment or a pilot ring catches these before a patch reaches the whole fleet, so a bad update affects a few machines instead of all of them. The discipline is to test fast enough that testing itself does not become the deployment delay.

Can patch management be fully automated?

Identification, deployment, and reporting can and should be automated, because manual patching does not scale past a few dozen endpoints. Testing and prioritization still need human judgment, especially for high-risk patches and emergency releases. The strongest setups automate the repeatable work, stage rollouts in rings, and keep verification against real system state rather than trusting a job's success message.

The bottom line

Patch management is the process of getting software fixes onto every system that needs them, tested and verified, before an attacker uses the hole the fix was meant to close. The lifecycle is six repeating stages: inventory what you have, identify and assess released patches, prioritize by real risk, test, deploy in stages, and verify the result. It runs forever, because vendors ship patches forever.

The discipline that separates a working program from a backlog is in the details that get skipped under pressure: a complete inventory so nothing is missed, prioritization by exploitability and exposure rather than raw severity, testing that is fast enough not to become the delay, automation that scales past human tracking, and verification against real state so the dashboard does not lie. EternalBlue had a patch for two months before WannaCry. The fix was never the hard part. Deploying it everywhere, in time, is.

Frequently asked questions

What is patch management?

Patch management is the process of identifying, acquiring, testing, and deploying software and firmware updates across an environment, then verifying they installed. Its security purpose is to close known vulnerabilities by shrinking the window between when a vendor ships a fix and when every affected system is running it. It covers operating systems, applications, drivers, and firmware.

What is the difference between patch management and vulnerability management?

Vulnerability management finds and prioritizes weaknesses across the environment. Patch management is one of the ways those weaknesses get remediated. A scanner reports that a host is missing a specific update; patch management is the workflow that tests, approves, deploys, and verifies that update on the host. They work together, but patching is the remediation step, not the discovery step.

What are the stages of the patch management lifecycle?

In order: inventory (catalog assets and software), identify and assess (match released patches to inventory), prioritize (rank by severity, exposure, and active exploitation), test (validate in staging or a pilot group), deploy (roll out in stages), and verify and document (confirm the install and record coverage). The cycle repeats as vendors ship new patches.

What is the difference between a patch and an out-of-band patch?

A regular patch is released on a vendor's normal schedule, such as Microsoft's monthly Patch Tuesday on the second Tuesday of each month. An out-of-band patch is an emergency release issued outside that schedule, when a flaw is severe and actively exploited enough that waiting for the next cycle is unsafe. Out-of-band patches are deployed as fast as testing allows.

How quickly should security patches be deployed?

It depends on risk. A flaw that is being actively exploited in the wild, especially on an internet-facing system, demands emergency deployment, often within hours or days. A high-severity flaw with no known exploit can follow the normal monthly cycle. Prioritize by exploitability and exposure, not severity score alone, and measure your mean time to patch against the speed at which exploits appear.

Why is patch testing important?

Patches can break things: introduce regressions, conflict with other software, or take a critical service down. Testing in a staging environment or a pilot ring catches these before a patch reaches the whole fleet, so a bad update affects a few machines instead of all of them. The discipline is to test fast enough that testing itself does not become the deployment delay.

Practice track
SOC Analyst Tier 1
Build your foundational skills to monitor, detect, and escalate security alerts. This track includes essential tools, basic log analysis, and introductory incident response labs.
Browse SOC Analyst Tier 1 Labs โ†’