Patching Fast and Slow
The patch wave is here. Not coming — here.
The Verizon 2026 DBIR reports that vulnerability exploitation now accounts for 31% of initial access vectors, overtaking credential abuse and phishing for the first time. Mandiant’s M-Trends 2026 puts the number at 32% — the sixth consecutive year exploitation has led. Meanwhile, patching is getting worse: only 26% of CISA KEV catalog vulnerabilities were fully remediated last year, down from 38% the year before. Median time to patch climbed to 43 days.
Finding vulnerabilities is faster now, at larger scale, across more targets. AI did that. No matter how much ethics training you run on a frontier model, it can still be talked into helping find and weaponize bugs. This is not a flaw that gets fixed with better guardrails. Guardrails on probabilistic systems are themselves probabilistic: they lower the rate of misuse, they do not set it to zero. Accept that as a fact and plan accordingly.
But the acceleration is symmetric. White-hat hackers find more bugs. Software vendors find more bugs in their own stuff. AI-assisted code review tools are discovering zero-day vulnerabilities in production open-source code at a pace that would have been absurd two years ago. Speed, scale, and scope of vulnerability discovery have increased across the board — not only on the offensive side.
The question is what happens next. Defenders probably won’t keep up with finding. That’s well beyond their incentives and their budgets. But they could keep up with patching. They just don’t, currently. And the gap between the rate of discovery and the rate of patching is where the pain concentrates.
The Red Queen’s race
“Now, here, you see, it takes all the running you can do, to keep in the same place.”
That’s the Red Queen talking to Alice in Lewis Carroll’s Through the Looking-Glass (1871), and it is the most accurate description of the modern patching treadmill I know. You don’t patch to get ahead. You patch to not fall behind.
The companies that will survive the patch wave are the ones that internalize this. Keeping up is how you stay in the game. Not winning — staying in.
The dilemma
Here’s where it gets uncomfortable.
If you don’t patch, you get owned by commodity exploits and look stupid. Think NotPetya: a compromised update to M.E.Doc, a Ukrainian tax-preparation program, used as a delivery mechanism for a wiper that then spread laterally via the EternalBlue SMB exploit (and, where that path was closed, via credentials harvested from memory and pushed around with PsExec and WMIC). NotPetya hit in June 2017, was attributed to Russia’s GRU (Sandworm), and caused over $10 billion in damages. The lateral spread relied on organizations that hadn’t applied MS17-010, the fix Microsoft had shipped three months earlier. That’s the cost of patching slow. Note the irony, though: the initial delivery was itself a poisoned update, so NotPetya also foreshadows the second horn of the dilemma.
If you patch fast — automatically, aggressively, the moment updates drop — you open yourself to supply chain compromise. The SolarWinds campaign is the textbook case: the SUNBURST backdoor was inserted into legitimate Orion software updates, discovered in December 2020, and attributed to Russia’s SVR (APT29). Roughly 18,000 customers received the poisoned update. The attackers had access to SolarWinds’ build systems since September 2019, and because the implant was injected during the build, before code signing, the backdoored DLL carried a valid SolarWinds signature. Checking that signature on the way in would have passed it. That’s the cost of patching fast and trusting the pipeline.
Both were state-sponsored operations. Both exploited the patch cycle itself — one by punishing organizations that didn’t patch, the other by weaponizing the trust that patching requires. The security director at a mid-size enterprise faces a genuine bind: patch aggressively and risk being the next supply chain victim, or wait and verify and risk being the next commodity exploit statistic.
Either way, you can look stupid. That’s the dilemma. And — like the two cognitive systems in Kahneman’s Thinking, Fast and Slow — each mode of patching has its own risk profile, its own failure mode, and its own logic. You can’t resolve the problem by picking one mode and ignoring the other.
On balance, patch fast
There is no universal answer. But if I had to pick a default, I’d pick fast.
Patching fast cuts off the majority of opportunistic attackers. Script kiddies, commodity ransomware crews, anyone scanning for known CVEs with public exploits — they’re all pruned from your threat pool the moment you close the window. Fast matters most where exposure is highest: anything internet-facing, and anything on the CISA KEV list, goes first. What remains is the state-sponsored operators and the seriously professional organized crime groups. Those are harder adversaries, but they’re also a much smaller population, and they use different tradecraft that patching alone wouldn’t stop anyway.
The math works out: the risk of a supply chain compromise is real but lower-probability than the near-certainty of exploitation through unpatched known vulnerabilities. The DBIR numbers make this plain. 31% of breaches start with vulnerability exploitation. Supply chain attacks are devastating when they happen, but they don’t happen at that frequency.
So patch fast. But don’t stop there.
Making the environment less reliable for attackers
Patching is necessary but not sufficient. The complementary move is to make your environment structurally less predictable.
This is the core of what I called “The Offense Death Cycle” in a recent Cyber Defense Review paper (Vol. 11, No. 1, April 2026): attackers depend on the stasis and predictability of your environment. Their operations — whether a ransomware campaign or a sustained intelligence collection effort — require that the infrastructure they’ve mapped stays mapped, that the credentials they’ve stolen stay valid, that the lateral movement paths they’ve charted remain open. Every operation needs that stability to reach its objective.
The offense death cycle is about deliberately denying that stability. Not making your environment less vulnerable in the traditional sense, and not making it less connected. Making it less predictable. Rotating credentials on a schedule that doesn’t match what an attacker would expect. Changing network configurations. Introducing controlled environmental variance that forces the attacker to re-orient continuously, burning their resources and their operational timeline. Controlled is the operative word: every deliberate change should be bounded by policy and recorded, so that your own operators and your SOC can tell planned variance from an intruder’s changes.
This pairs with patching because it addresses the residual risk that patching alone cannot. If a supply chain compromise does get through — if a poisoned update gives an attacker initial access — environmental unpredictability limits what they can do with it and how long they can sustain it. The operation dies not because you detected it, but because the environment it depended on shifted under it.
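One concrete form of the credential-rotation idea above, as an added example (this is not code from the article or from the Cyber Defense Review paper it cites): every secret still dies within a hard ceiling, but the exact rotation instant is drawn from a CSPRNG, so a stolen secret’s remaining lifetime cannot be predicted. MIN_DAYS, MAX_DAYS and the sample dates are assumed values, not policy taken from the text.

```python
"""Bounded-jitter credential rotation.

Added example; not code from the article or the paper it cites. MIN_DAYS and
MAX_DAYS are assumed policy values. The schedule stays inside those bounds
(the compliance ceiling holds) while the exact instant is unpredictable.
"""
import secrets
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_DAYS = 3     # assumed floor: never rotate more often than this
MAX_DAYS = 14    # assumed hard ceiling: no secret may outlive this
_DAY = 86400     # seconds


def next_rotation(last, rng=None):
    """Draw the next rotation instant uniformly from [last+MIN_DAYS, last+MAX_DAYS)."""
    rng = secrets.SystemRandom() if rng is None else rng
    jitter = rng.randrange((MAX_DAYS - MIN_DAYS) * _DAY)
    return last + timedelta(days=MIN_DAYS, seconds=jitter)


def jittered_schedule(start, horizon_days, rng=None):
    """Every rotation instant inside the horizon, each gap drawn independently."""
    rng = secrets.SystemRandom() if rng is None else rng
    end = start + timedelta(days=horizon_days)
    out, t = [], start
    while True:
        t = next_rotation(t, rng)
        if t > end:
            return out
        out.append(t)


def fixed_schedule(start, horizon_days, every_days):
    """The conventional baseline: rotate every N days, on the dot."""
    return [start + timedelta(days=every_days * i)
            for i in range(1, horizon_days // every_days + 1)]


def within_policy(schedule, start):
    """True when every gap respects both the floor and the hard ceiling."""
    prev = start
    for t in schedule:
        if not timedelta(days=MIN_DAYS) <= t - prev < timedelta(days=MAX_DAYS):
            return False
        prev = t
    return True


def remaining_validity(schedule, stolen_at):
    """How long a secret stolen at `stolen_at` keeps working: time to the next rotation."""
    for t in schedule:
        if t > stolen_at:
            return t - stolen_at
    raise ValueError("theft time lies beyond the schedule horizon")


def attacker_view(start, stolen_at, trials, rng=None):
    """The attacker's problem. Under a fixed cadence the remaining validity is one
    known number; under jitter it is a distribution they cannot observe.
    Returns (mean_days, stdev_days) over `trials` independently drawn schedules."""
    rng = secrets.SystemRandom() if rng is None else rng
    horizon = (stolen_at - start).days + MAX_DAYS + 1   # guarantees a rotation after theft
    days = [remaining_validity(jittered_schedule(start, horizon, rng), stolen_at).total_seconds() / _DAY
            for _ in range(trials)]
    return mean(days), pstdev(days)


if __name__ == "__main__":
    start = datetime(2026, 1, 1)                   # constructed sample dates
    stolen = datetime(2026, 3, 10, 14, 30)
    fixed = fixed_schedule(start, 120, every_days=14)
    print("fixed 14-day cadence, secret stolen 10 Mar: dies in", remaining_validity(fixed, stolen))
    m, s = attacker_view(start, stolen, trials=2000)
    print(f"jittered cadence, same theft: mean {m:.1f} days, stdev {s:.1f} days")
```

The point of the comparison is not that jitter shortens the average lifetime of a stolen secret; with the same mean cadence it does not. It is that under the fixed schedule the attacker knows to the minute when to re-harvest, and under jitter they can only plan for the floor.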
Defense in depth is still the foundation
None of this replaces the fundamentals. If your security hinges entirely on your internet-facing systems not being vulnerable, you’ve already lost. Zero days exist. Supply chain attacks exist. Misconfigurations exist.
Multi-factor authentication. Credential rotation. Network segmentation. Ingress and egress control. Isolating critical environments. These are the principles of security engineering, the ones Ross Anderson spent decades documenting in Security Engineering. They’re old and they’re useful, and they don’t stop being useful because AI made vulnerability discovery faster.
The basic question a defender should be able to answer: if an attacker gets past the perimeter — through an unpatched vulnerability, through a supply chain compromise, through a phishing email, through whatever — what stops them from reaching the crown jewels? If the answer is “nothing,” then the patching speed debate is academic. You have bigger problems.
The punchline
The new stuff is basically old stuff, but more of it at higher pace. AI accelerates vulnerability discovery. That accelerates the patch cycle. That accelerates the dilemma between patching fast and patching slow.
System 1 patching — automatic, immediate, trust-the-pipeline — is your default for the commodity threat. System 2 patching — staged, verified, threat-modeled — is what you engage for your critical supply chain dependencies. You need both. The trick is knowing which mode to engage for which class of asset, which threat model, which risk tolerance.
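Here is the System 1 / System 2 split turned into a per-update decision, as an added example (not code from the article): the fast lane applies automatically, the staged lane goes through a canary ring and a soak period first. The asset flags and deadline constants are assumptions standing in for an organization’s own policy, the KEV and exploit-availability fields are inputs you would populate from your vulnerability feed rather than anything this script fetches, and the package names in the sample batch are made up.

```python
"""Patch-lane triage for the fast/slow split.

Added example; not code from the article. Deadline constants, asset flags and
sample packages are assumptions. Feed it from your own vulnerability data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Lane(Enum):
    FAST = "fast"      # System 1: apply automatically as soon as the update lands
    STAGED = "staged"  # System 2: canary ring, soak period, verify, then roll out


@dataclass(frozen=True)
class Update:
    package: str
    version: str
    in_kev: bool = False               # listed in CISA's KEV catalogue (assumed input)
    public_exploit: bool = False       # working exploit code is public (assumed input)
    internet_facing: bool = False      # the patched component is reachable from outside
    critical_dependency: bool = False  # privileged agent, build tool, IdP, EDR, and so on


@dataclass(frozen=True)
class Decision:
    lane: Lane
    deadline: date   # date by which the rollout must be complete
    soak_days: int   # how long the canary ring runs before wider rollout (0 = none)
    reasons: tuple


# Assumed policy constants, in days. Tune these to your own risk tolerance.
FAST_EXPLOITED_EXPOSED = 1   # exploited bug on an exposed surface: today or tomorrow
FAST_EXPLOITED_INTERNAL = 3  # exploited bug, but only reachable from inside
FAST_DEFAULT = 7             # everything else on the fast lane
STAGED_EXPLOITED = 3         # critical dependency, but exploitation is active
STAGED_DEFAULT = 30          # critical dependency, no known exploitation


def triage(u: Update, today: date) -> Decision:
    """Decide which lane an update takes and when it has to be finished."""
    exploited = u.in_kev or u.public_exploit
    reasons = []
    if exploited:
        reasons.append("in KEV" if u.in_kev else "public exploit available")
    if u.internet_facing:
        reasons.append("internet-facing")

    if u.critical_dependency:
        # Supply-chain exposure: a poisoned update here is the SUNBURST case, so it
        # always passes through a canary ring. Active exploitation shortens the soak
        # window and the deadline; it does not remove the ring.
        reasons.append("critical dependency: staged rollout required")
        days = STAGED_EXPLOITED if exploited else STAGED_DEFAULT
        soak = 1 if exploited else 7
        return Decision(Lane.STAGED, today + timedelta(days=days), soak, tuple(reasons))

    # Default is fast. Exploited bugs get the shortest deadline, shorter still if exposed.
    if exploited:
        days = FAST_EXPLOITED_EXPOSED if u.internet_facing else FAST_EXPLOITED_INTERNAL
    else:
        days = FAST_DEFAULT
    if not reasons:
        reasons.append("routine update: fast lane by default")
    return Decision(Lane.FAST, today + timedelta(days=days), 0, tuple(reasons))


def triage_batch(updates, today: date) -> dict:
    """Decisions keyed by package name, most urgent deadline first."""
    decisions = {u.package: triage(u, today) for u in updates}
    return dict(sorted(decisions.items(), key=lambda kv: kv[1].deadline))


# Constructed sample batch; package names and flags are hypothetical.
SAMPLE = (
    Update("edge-proxy", "2.14.1", in_kev=True, internet_facing=True),
    Update("pdf-library", "1.8.3", public_exploit=True),
    Update("monitoring-agent", "5.2.0", critical_dependency=True),
    Update("identity-connector", "3.0.9", in_kev=True, internet_facing=True,
           critical_dependency=True),
    Update("cli-utils", "0.4.2"),
)

if __name__ == "__main__":
    for name, d in triage_batch(SAMPLE, date(2026, 5, 4)).items():
        print(f"{d.deadline}  {d.lane.value:6}  soak={d.soak_days}d  {name}: {'; '.join(d.reasons)}")
```

The identity-connector row is the interesting one: it is both actively exploited and a privileged dependency, so neither lane alone is right. The policy answers by keeping the canary ring but compressing it to a day, which is the "both modes, per asset" point made above in code form.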
There is no universal rule. You will still need to do the work: threat model your environment, understand your business objectives, know your security capabilities and budget. You will probably want an external perspective — preferably from the offensive side, from someone who knows how cyber operations are planned and executed, who can tell you what dependencies in your environment matter most to an attacker.
BSG's penetration testing engagements simulate the operators who would weaponise your patching gaps — and tell you which dependencies in your environment matter most to an attacker.
Patch fast by default. Layer environmental unpredictability on top. Keep the defense-in-depth fundamentals non-negotiable. And accept that the Red Queen’s race has no finish line — the running is the point.