IT AI Skill

Patch Vulnerability Mgmt

Coordinate patch management and vulnerability remediation across all systems. Use when scheduling patch deployments, tracking patch compliance, managing vulnerability remediation SLAs, coordinating security patches, or managing patch testing. Triggers on ph...

Patch & Vulnerability Management

Maintain system security and stability through systematic patch deployment and vulnerability remediation.

Workflow

1. Vulnerability Assessment & Prioritization

Continuous vulnerability scanning:

External vulnerability scans (weekly, credential-less and authenticated)
Internal vulnerability scans (weekly for critical, monthly for all systems)
Web application scanning (OWASP Top 10 coverage)
Container and cloud infrastructure scanning
Compliance scanning (CIS benchmarks, regulatory requirements)

Vulnerability intelligence integration:

CVE feed integration with CVSS scoring
Exploit availability assessment (exploit-db, threat intelligence feeds)
EPSS (Exploit Prediction Scoring System) integration
Business context risk scoring (asset criticality, exposure, compensating controls)
Threat actor targeting intelligence

Risk-based prioritization:

Risk score = CVSS × exploitability × asset criticality × exposure × compensating controls
Critical: active exploit + internet-facing + CVSS 9.0+ (remediate within 24-48 hours)
High: CVSS 7.0-8.9 or internal critical asset (remediate within 7 days)
Medium: CVSS 4.0-6.9 or non-critical asset (remediate within 30 days)
Low: CVSS <4.0 or compensated (remediate within 90 days)

2. Patch Acquisition & Testing

Patch intelligence and tracking:

Vendor patch advisory monitoring (Microsoft Patch Tuesday, security bulletins)
Patch applicability assessment per environment
Patch dependency and conflict analysis
Known issue and regression tracking
Patch bundling optimization (reduce deployment events)

Patch testing protocol:

Test environment mirroring production configurations
Pilot group deployment (5-10% of production, low-risk systems first)
Functional testing: application compatibility, integration validation
Performance testing: resource utilization, response time impact
Security validation: vulnerability remediation confirmation
Pilot observation period: minimum 48 hours

Change management integration:

Change request submission with testing evidence
Risk assessment and rollback plan documentation
CAB approval for production deployment
Maintenance window scheduling
Stakeholder notification

3. Patch Deployment & Execution

Deployment strategy and scheduling:

Staged rollout: pilot → wave 1 (low-risk) → wave 2 (standard) → wave 3 (critical/complex)
Maintenance window optimization (minimize business disruption)
Deployment by system criticality and risk tolerance
Geographic and timezone considerations
Parallel deployment streams for capacity

Automated deployment execution:

Pre-deployment checks: backup verification, system health validation, disk space check
Patch deployment via SCCM, Intune, Jamf, Ansible, or vendor tools
Real-time deployment monitoring and progress tracking
Automated rollback on deployment failure
Post-deployment validation: reboot verification, patch presence, service status

Manual deployment for complex systems:

Database and application server manual patching
Vendor-specific patching procedures
Custom application patching coordination
Legacy system patching with enhanced precautions
Vendor support coordination for complex deployments

4. Post-Deployment Validation & Compliance

Verification and confirmation:

Patch presence verification (scan post-deployment)
System functionality validation
Application compatibility confirmation
Performance baseline comparison
Security vulnerability remediation confirmation

Compliance tracking and reporting:

Patch compliance rate by system type and criticality
SLA compliance tracking (remediation within target timeframe)
Non-compliance justification and risk acceptance documentation
Regulatory compliance evidence collection
Trend analysis: compliance improvement over time

Exception and risk acceptance management:

Patch exemption request workflow (testing pending, compatibility issue, business critical)
Compensating controls documentation for exempted vulnerabilities
Expiration date for all exemptions (maximum 90 days, renewable with justification)
Regular exemption review and cleanup
Executive notification for high-risk exemptions

5. Continuous Improvement

Patch program metrics and optimization:

Deployment success rate (target: >95%)
Mean time to remediate (MTTR) by severity
Patch-related incident rate
Rollback frequency and root cause
Business disruption measurement

Program maturity advancement:

Automation expansion (reduce manual patching)
Predictive patching (AI-driven deployment timing optimization)
Zero-day response capability improvement
Patch testing environment fidelity improvement
Vendor patch quality feedback loop

Knowledge management:

Patch knowledge base (known issues, workarounds, compatibility notes)
Post-deployment lessons learned documentation
Patch deployment runbook updates
Vendor patch quality tracking and reporting

Templates & Frameworks

Patch Deployment Wave Plan

PATCH DEPLOYMENT — May 2025 Security Updates
==============================================

SCHEDULE:
  Pilot:       May 1-3 (5% — non-critical dev/test systems)
  Wave 1:      May 4-6 (25% — development, internal tools)
  Wave 2:      May 7-9 (40% — standard production systems)
  Wave 3:      May 10-12 (30% — critical production, customer-facing)

PATCH SCOPE:
  Operating Systems: Windows 10/11, Windows Server 2019/2022, RHEL 8/9, Ubuntu 22.04
  Applications: Office 365, Adobe, browsers, Java, Flash alternatives
  Security: Antivirus definitions, firewall rules, endpoint protection agents
  Total patches: 47 updates across 23 products

TESTING RESULTS (PILOT):
  Patches applied: 47/47 (100%)
  Systems rebooted: 23/25 (92% — 2 deferred, 1 failed)
  Application issues: 1 (legacy reporting tool — workaround documented)
  Performance impact: None detected
  Rollbacks: 0

MAINTENANCE WINDOWS:
  Weekdays: 22:00 - 06:00 local time
  Weekend: Saturday 00:00 - Sunday 06:00
  Extended window (Wave 3): Friday 20:00 - Monday 08:00

ROLLBACK READINESS:
  System backups: Completed prior to each wave
  Restore tested: Pilot systems — verified ✓
  Rollback team: On-call through Sunday 12:00
  Emergency contact: Patch Manager — [phone, email]

NOTIFICATION TIMELINE:
  T-7 days: Stakeholder notification sent
  T-3 days: Reminder with specific system impact
  T-1 day: Final confirmation and maintenance window reminder
  Post-deployment: Success/failure summary report

Vulnerability Remediation SLA

VULNERABILITY REMEDIATION SLA
==============================

CRITICAL (CVSS 9.0+ with active exploit or internet-facing):
  Assessment: 4 hours
  Patch available: Deploy within 48 hours
  Patch not available: Compensating controls within 24 hours, monitor for patch
  Escalation: CISO notification within 4 hours
  Example: Log4Shell-class vulnerabilities

HIGH (CVSS 7.0-8.9 or internal critical asset):
  Assessment: 24 hours
  Remediation: 7 calendar days
  Compensating controls: Within 48 hours if patch delayed
  Escalation: IT Director notification if SLA at risk
  Example: RCE, privilege escalation vulnerabilities

MEDIUM (CVSS 4.0-6.9):
  Assessment: 3 business days
  Remediation: 30 calendar days
  Bundling: Include in next regular patch cycle if >14 days remaining
  Escalation: Team lead notification if SLA at risk
  Example: Information disclosure, moderate impact vulnerabilities

LOW (CVSS < 4.0):
  Assessment: 7 business days
  Remediation: 90 calendar days
  Bundling: Include in quarterly patch cycle
  Escalation: None required
  Example: Minor information disclosure, best practice violations

RISK ACCEPTANCE (Any Severity):
  Valid reasons: Compatibility issue, vendor patch not available, business-critical system
  Maximum duration: 90 days (renewable with executive approval)
  Required: Compensating controls documented and implemented
  Review: Monthly expiration tracking and cleanup

Integration Points

Vulnerability scanners (Qualys, Tenable, Rapid7, Nessus): Vulnerability discovery
Patch management platforms (SCCM/MECM, Intune, Jamf, Ivanti, BigFix): Automated patch deployment
Vulnerability management platforms (Rapid7 VM, Tenable.io, Qualys VM): Vulnerability lifecycle
SIEM/SOAR: Vulnerability alerting and automated response
ITSM platforms: Change management, incident tracking
Configuration management: Patch compliance verification
Threat intelligence platforms (Recorded Future, AlienVault OTX): Exploit intelligence
Compliance platforms: Vulnerability compliance evidence

Edge Cases

Zero-day vulnerability with no patch: Implement compensating controls immediately (WAF rules, IPS signatures, network segmentation); monitor for vendor patch; threat hunting for exploitation indicators
Patch causes critical regression: Immediate rollback; isolate affected systems; vendor escalation; temporary compensating controls; expedited re-testing of revised patch
Legacy/unsupported systems: Compensating controls (network isolation, application whitelisting, enhanced monitoring); vendor support extension; migration planning
Global organization with limited maintenance windows: 24/7 deployment teams across timezones; rolling wave deployment; automated after-hours patching with enhanced monitoring
Regulatory compliance requirements: Enhanced documentation; evidence collection for audits; specific remediation timeframes by regulation; compensating control validation

Output

Patch & Vulnerability Dashboard

PATCH & VULNERABILITY STATUS — April 2025
============================================

VULNERABILITY INVENTORY:
  Total vulnerabilities: 342
  Critical: 3 (remediation in progress)
  High: 18 (12 within SLA, 6 at risk)
  Medium: 127 (all within SLA)
  Low: 194 (all within SLA)

PATCH COMPLIANCE:
  Overall compliance: 94.7% (target: >95% — close ⚠)
  Critical systems: 97.2% ✓
  Standard systems: 93.8% ⚠
  Endpoint devices: 96.1% ✓

REMEDIATION METRICS:
  Mean time to remediate:
    Critical: 26 hours (target: <48h ✓)
    High: 5.2 days (target: <7 days ✓)
    Medium: 18 days (target: <30 days ✓)
    Low: 42 days (target: <90 days ✓)

PATCH DEPLOYMENT (LAST CYCLE):
  Systems patched: 2,834/2,997 (94.6%)
  Deployment success rate: 96.2% ✓
  Rollbacks: 3 (0.1%)
  Patch-related incidents: 1 (minor, resolved)

RISK ACCEPTANCE:
  Active exemptions: 12
  Expiring within 30 days: 4
  Overdue for review: 1 ⚠

TREND ANALYSIS:
  Vulnerability count: ↓ 12% from last month
  Patch compliance: ↑ 1.3% from last month
  Mean remediation time: ↓ 8% from last month
  Patch-related incidents: ↓ 75% from last month ✓

UPCOMING:
  Next patch cycle: May 1-12 (security updates)
  Vendor patch advisory: Microsoft Patch Tuesday — April 15
  Scheduled vulnerability scan: April 17 (full infrastructure)

Trigger Phrases

"patch management", "vulnerability remediation", "security patch", "patch deployment", "patch testing", "patch compliance", "patch window", "vulnerability scan", "CVE", "patch cycle", "zero-day", "patch rollback", "compensating controls", "risk acceptance", "patch SLA"