SECURITY ADVISORY: The patching window is shrinking

Why your current patching policy may be leaving you exposed and what to do about it.

Keith Buzzard, Chief Technology Officer
Strong WG

A new Five Eyes advisory published this week confirms what we're seeing in client environments: the time available to respond to a known vulnerability is shrinking fast. The advisory's message is urgent; AI-assisted attacks are scaling faster, exploits are developing more quickly and the gap between a vulnerability becoming known and being actively weaponised has narrowed dramatically.

The recommended mitigations aren't new, but the time you have to act on them is a lot less.

The 14-day problem

Cyber Essentials requires critical patches to be applied within 14 days of release. For many organisations, that deadline is already a stretch. But in the current threat landscape, 14 days is no longer a target to aim for; it is the worst case you should allow yourself.

We're now working in an environment where the realistic window between patch release and active exploitation can be measured in hours, not weeks. The traditional approach of testing patches in a staging environment before rolling them out broadly, which has been sound practice for years, is increasingly untenable. By the time testing is complete, the vulnerability is already being exploited.

Ultimately, Cyber Essentials sets a floor, not a standard. Meeting the 14-day requirement is compliance. Treating it as your target is risk. Your patching posture should be driven by the current threat environment, not the minimum regulatory expectation.

What this means in practice

A faster threat environment doesn’t mean abandoning all testing, but it does mean rethinking the model. Here are some practical steps:

Prioritise, ruthlessly. Not all patches carry equal risk, so focus your fastest deployment on internet-facing systems, edge devices and anything in your critical infrastructure. Firewalls and VPN appliances in particular are a primary entry point for current threat actors.

Compress your testing window, not your coverage. Where a staging test is necessary, limit it to hours, not days. Accept that the residual risk of a shortened test is lower than the risk of a delayed rollout.

Plan for the gaps. Faster patching is essential, but it’s not a complete strategy. Reduce your attack surface, limit lateral movement within your environment and ensure that what is externally exposed is as small as possible. A vulnerability you cannot patch immediately should not give an attacker a path to everything.

Review your legacy tech. Systems that can’t be patched promptly (or at all) carry disproportionate risk in the current environment. Identify them, isolate them where possible and plan for their replacement.
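The prioritisation, the 14-day ceiling and the legacy-isolation steps above, expressed as a small patch-triage script. This is an added example, not code from the advisory or from Strong WG; the per-tier deadline hours are assumed figures chosen for illustration, and the asset names and release date are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Deadline tiers in hours after vendor release. Assumed figures for illustration,
# not numbers from the advisory: exposed/edge assets get a day, critical internal
# systems a few days, and the Cyber Essentials 14 days is the hard ceiling.
CE_WORST_CASE_HOURS = 14 * 24
TIER_HOURS = {"internet_facing": 24, "critical": 72, "standard": CE_WORST_CASE_HOURS}
STATUS_RANK = {"OVERDUE": 0, "ISOLATE": 1, "DUE": 2}

@dataclass
class Asset:
    name: str
    tier: str               # key of TIER_HOURS
    patchable: bool = True  # False for legacy systems that cannot be patched promptly

def deadline_for(asset, released):
    """Patch deadline for an asset, never later than the 14-day Cyber Essentials floor."""
    hours = min(TIER_HOURS[asset.tier], CE_WORST_CASE_HOURS)
    return released + timedelta(hours=hours)

def triage(assets, released, now):
    """Return (name, status, hours remaining) rows, most urgent first.
    Unpatchable assets are flagged ISOLATE instead of being given a deadline."""
    rows = []
    for a in assets:
        if not a.patchable:
            rows.append((a.name, "ISOLATE", 0.0))
            continue
        remaining = (deadline_for(a, released) - now).total_seconds() / 3600
        rows.append((a.name, "OVERDUE" if remaining < 0 else "DUE", round(remaining, 1)))
    return sorted(rows, key=lambda r: (STATUS_RANK[r[1]], r[2]))

# Constructed sample: a vendor patch released 30 hours ago, four assets of mixed exposure.
RELEASE = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
NOW = RELEASE + timedelta(hours=30)
ASSETS = [
    Asset("vpn-gateway-01", "internet_facing"),
    Asset("scada-historian", "critical"),
    Asset("hr-fileserver", "standard"),
    Asset("legacy-app-server", "standard", patchable=False),
]

if __name__ == "__main__":
    for row in triage(ASSETS, RELEASE, NOW):
        print(row)
```

With the sample data the VPN gateway is already six hours past its tier deadline while the standard file server still has nearly two weeks, which is the gap between treating 14 days as the target and treating it as the ceiling.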

The broader picture

The Five Eyes advisory is clear that AI is accelerating the pace of attacks at scale. Phishing campaigns are now customised per target and deployed in volume. Known vulnerabilities—particularly on Cisco and Fortinet edge devices—are being exploited faster than ever. The advice to patch, reduce legacy exposure and prepare proactively has not changed. The urgency behind it has.

If you would like to discuss your current patching posture, review your exposure or understand how your existing controls measure up against the current threat landscape, let’s talk.