--- name: patch-vulnerability-mgmt description: Coordinate patch management and vulnerability remediation across all systems. Use when scheduling patch deployments, tracking patch compliance, managing vulnerability remediation SLAs, coordinating security patches, or managing patch testing. Triggers on phrases like "patch management", "vulnerability remediation", "security patch", "patch deployment", "patch testing", "patch compliance", "patch window", "vulnerability scan". --- # Patch & Vulnerability Management Maintain system security and stability through systematic patch deployment and vulnerability remediation. ## Workflow ### 1. Vulnerability Assessment & Prioritization 1. **Continuous vulnerability scanning**: - External vulnerability scans (weekly, credential-less and authenticated) - Internal vulnerability scans (weekly for critical, monthly for all systems) - Web application scanning (OWASP Top 10 coverage) - Container and cloud infrastructure scanning - Compliance scanning (CIS benchmarks, regulatory requirements) 2. **Vulnerability intelligence integration**: - CVE feed integration with CVSS scoring - Exploit availability assessment (exploit-db, threat intelligence feeds) - EPSS (Exploit Prediction Scoring System) integration - Business context risk scoring (asset criticality, exposure, compensating controls) - Threat actor targeting intelligence 3. **Risk-based prioritization**: - Risk score = CVSS × exploitability × asset criticality × exposure × compensating controls - Critical: active exploit + internet-facing + CVSS 9.0+ (remediate within 24-48 hours) - High: CVSS 7.0-8.9 or internal critical asset (remediate within 7 days) - Medium: CVSS 4.0-6.9 or non-critical asset (remediate within 30 days) - Low: CVSS <4.0 or compensated (remediate within 90 days) ### 2. Patch Acquisition & Testing 1. **Patch intelligence and tracking**: - Vendor patch advisory monitoring (Microsoft Patch Tuesday, security bulletins) - Patch applicability assessment per environment - Patch dependency and conflict analysis - Known issue and regression tracking - Patch bundling optimization (reduce deployment events) 2. **Patch testing protocol**: - Test environment mirroring production configurations - Pilot group deployment (5-10% of production, low-risk systems first) - Functional testing: application compatibility, integration validation - Performance testing: resource utilization, response time impact - Security validation: vulnerability remediation confirmation - Pilot observation period: minimum 48 hours 3. **Change management integration**: - Change request submission with testing evidence - Risk assessment and rollback plan documentation - CAB approval for production deployment - Maintenance window scheduling - Stakeholder notification ### 3. Patch Deployment & Execution 1. **Deployment strategy and scheduling**: - Staged rollout: pilot → wave 1 (low-risk) → wave 2 (standard) → wave 3 (critical/complex) - Maintenance window optimization (minimize business disruption) - Deployment by system criticality and risk tolerance - Geographic and timezone considerations - Parallel deployment streams for capacity 2. **Automated deployment execution**: - Pre-deployment checks: backup verification, system health validation, disk space check - Patch deployment via SCCM, Intune, Jamf, Ansible, or vendor tools - Real-time deployment monitoring and progress tracking - Automated rollback on deployment failure - Post-deployment validation: reboot verification, patch presence, service status 3. **Manual deployment for complex systems**: - Database and application server manual patching - Vendor-specific patching procedures - Custom application patching coordination - Legacy system patching with enhanced precautions - Vendor support coordination for complex deployments ### 4. Post-Deployment Validation & Compliance 1. **Verification and confirmation**: - Patch presence verification (scan post-deployment) - System functionality validation - Application compatibility confirmation - Performance baseline comparison - Security vulnerability remediation confirmation 2. **Compliance tracking and reporting**: - Patch compliance rate by system type and criticality - SLA compliance tracking (remediation within target timeframe) - Non-compliance justification and risk acceptance documentation - Regulatory compliance evidence collection - Trend analysis: compliance improvement over time 3. **Exception and risk acceptance management**: - Patch exemption request workflow (testing pending, compatibility issue, business critical) - Compensating controls documentation for exempted vulnerabilities - Expiration date for all exemptions (maximum 90 days, renewable with justification) - Regular exemption review and cleanup - Executive notification for high-risk exemptions ### 5. Continuous Improvement 1. **Patch program metrics and optimization**: - Deployment success rate (target: >95%) - Mean time to remediate (MTTR) by severity - Patch-related incident rate - Rollback frequency and root cause - Business disruption measurement 2. **Program maturity advancement**: - Automation expansion (reduce manual patching) - Predictive patching (AI-driven deployment timing optimization) - Zero-day response capability improvement - Patch testing environment fidelity improvement - Vendor patch quality feedback loop 3. **Knowledge management**: - Patch knowledge base (known issues, workarounds, compatibility notes) - Post-deployment lessons learned documentation - Patch deployment runbook updates - Vendor patch quality tracking and reporting ## Templates & Frameworks ### Patch Deployment Wave Plan ``` PATCH DEPLOYMENT — May 2025 Security Updates ============================================== SCHEDULE: Pilot: May 1-3 (5% — non-critical dev/test systems) Wave 1: May 4-6 (25% — development, internal tools) Wave 2: May 7-9 (40% — standard production systems) Wave 3: May 10-12 (30% — critical production, customer-facing) PATCH SCOPE: Operating Systems: Windows 10/11, Windows Server 2019/2022, RHEL 8/9, Ubuntu 22.04 Applications: Office 365, Adobe, browsers, Java, Flash alternatives Security: Antivirus definitions, firewall rules, endpoint protection agents Total patches: 47 updates across 23 products TESTING RESULTS (PILOT): Patches applied: 47/47 (100%) Systems rebooted: 23/25 (92% — 2 deferred, 1 failed) Application issues: 1 (legacy reporting tool — workaround documented) Performance impact: None detected Rollbacks: 0 MAINTENANCE WINDOWS: Weekdays: 22:00 - 06:00 local time Weekend: Saturday 00:00 - Sunday 06:00 Extended window (Wave 3): Friday 20:00 - Monday 08:00 ROLLBACK READINESS: System backups: Completed prior to each wave Restore tested: Pilot systems — verified ✓ Rollback team: On-call through Sunday 12:00 Emergency contact: Patch Manager — [phone, email] NOTIFICATION TIMELINE: T-7 days: Stakeholder notification sent T-3 days: Reminder with specific system impact T-1 day: Final confirmation and maintenance window reminder Post-deployment: Success/failure summary report ``` ### Vulnerability Remediation SLA ``` VULNERABILITY REMEDIATION SLA ============================== CRITICAL (CVSS 9.0+ with active exploit or internet-facing): Assessment: 4 hours Patch available: Deploy within 48 hours Patch not available: Compensating controls within 24 hours, monitor for patch Escalation: CISO notification within 4 hours Example: Log4Shell-class vulnerabilities HIGH (CVSS 7.0-8.9 or internal critical asset): Assessment: 24 hours Remediation: 7 calendar days Compensating controls: Within 48 hours if patch delayed Escalation: IT Director notification if SLA at risk Example: RCE, privilege escalation vulnerabilities MEDIUM (CVSS 4.0-6.9): Assessment: 3 business days Remediation: 30 calendar days Bundling: Include in next regular patch cycle if >14 days remaining Escalation: Team lead notification if SLA at risk Example: Information disclosure, moderate impact vulnerabilities LOW (CVSS < 4.0): Assessment: 7 business days Remediation: 90 calendar days Bundling: Include in quarterly patch cycle Escalation: None required Example: Minor information disclosure, best practice violations RISK ACCEPTANCE (Any Severity): Valid reasons: Compatibility issue, vendor patch not available, business-critical system Maximum duration: 90 days (renewable with executive approval) Required: Compensating controls documented and implemented Review: Monthly expiration tracking and cleanup ``` ## Integration Points - Vulnerability scanners (Qualys, Tenable, Rapid7, Nessus): Vulnerability discovery - Patch management platforms (SCCM/MECM, Intune, Jamf, Ivanti, BigFix): Automated patch deployment - Vulnerability management platforms (Rapid7 VM, Tenable.io, Qualys VM): Vulnerability lifecycle - SIEM/SOAR: Vulnerability alerting and automated response - ITSM platforms: Change management, incident tracking - Configuration management: Patch compliance verification - Threat intelligence platforms (Recorded Future, AlienVault OTX): Exploit intelligence - Compliance platforms: Vulnerability compliance evidence ## Edge Cases - **Zero-day vulnerability with no patch**: Implement compensating controls immediately (WAF rules, IPS signatures, network segmentation); monitor for vendor patch; threat hunting for exploitation indicators - **Patch causes critical regression**: Immediate rollback; isolate affected systems; vendor escalation; temporary compensating controls; expedited re-testing of revised patch - **Legacy/unsupported systems**: Compensating controls (network isolation, application whitelisting, enhanced monitoring); vendor support extension; migration planning - **Global organization with limited maintenance windows**: 24/7 deployment teams across timezones; rolling wave deployment; automated after-hours patching with enhanced monitoring - **Regulatory compliance requirements**: Enhanced documentation; evidence collection for audits; specific remediation timeframes by regulation; compensating control validation ## Output ### Patch & Vulnerability Dashboard ``` PATCH & VULNERABILITY STATUS — April 2025 ============================================ VULNERABILITY INVENTORY: Total vulnerabilities: 342 Critical: 3 (remediation in progress) High: 18 (12 within SLA, 6 at risk) Medium: 127 (all within SLA) Low: 194 (all within SLA) PATCH COMPLIANCE: Overall compliance: 94.7% (target: >95% — close ⚠) Critical systems: 97.2% ✓ Standard systems: 93.8% ⚠ Endpoint devices: 96.1% ✓ REMEDIATION METRICS: Mean time to remediate: Critical: 26 hours (target: <48h ✓) High: 5.2 days (target: <7 days ✓) Medium: 18 days (target: <30 days ✓) Low: 42 days (target: <90 days ✓) PATCH DEPLOYMENT (LAST CYCLE): Systems patched: 2,834/2,997 (94.6%) Deployment success rate: 96.2% ✓ Rollbacks: 3 (0.1%) Patch-related incidents: 1 (minor, resolved) RISK ACCEPTANCE: Active exemptions: 12 Expiring within 30 days: 4 Overdue for review: 1 ⚠ TREND ANALYSIS: Vulnerability count: ↓ 12% from last month Patch compliance: ↑ 1.3% from last month Mean remediation time: ↓ 8% from last month Patch-related incidents: ↓ 75% from last month ✓ UPCOMING: Next patch cycle: May 1-12 (security updates) Vendor patch advisory: Microsoft Patch Tuesday — April 15 Scheduled vulnerability scan: April 17 (full infrastructure) ``` ## Trigger Phrases "patch management", "vulnerability remediation", "security patch", "patch deployment", "patch testing", "patch compliance", "patch window", "vulnerability scan", "CVE", "patch cycle", "zero-day", "patch rollback", "compensating controls", "risk acceptance", "patch SLA"