Security Overview
Operations

What patching looks like when volume doubles

Two teams can hit the same patch SLA and run different programs. As patch volume keeps rising, the metric stops telling you which one you have.

Trevor Spaniola · Founder & CEO · May 14, 2026 · 3 min read

Microsoft shipped 137 patches this month. Your patch SLA was written when that number was 60.

That math used to mean "patch faster." It means something different now.

May's Patch Tuesday closed 137 CVEs. April closed 167. Five months into 2026, Microsoft has shipped over 500 CVEs, and Microsoft itself is signaling more to come. A 30-day SLA written when the monthly count was 60 produces a different program than the same 30-day SLA against today's volume, even when both programs report compliance.

Two programs, same SLA

The first patches everything in priority order and barely makes 30 days on the last item. The second formally defers the lower-priority work with documented compensating controls and reports compliance on what remains in scope. Both hit the SLA. Only one has a prioritization function that scales.

The difference is invisible in the metric.

Watch the tail, not the median

A high compliance rate hides the tail. The CVEs in the tail are usually the ones in CISA's KEV catalog two weeks later. Median time-to-patch is comforting. Time-to-patch on the slowest items is diagnostic.

What prioritization muscle requires

If "patch faster" isn't the only lever, the levers that matter look like this:

  • Exploit-likelihood signal at intake. EPSS scores, KEV membership, and exposure (is the asset on the internet?) order the queue before the ticket is opened. The decision is whether something jumps the queue, not whether it gets fixed.
  • A defined "won't patch this cycle" artifact. The list of CVEs that came in, were triaged, and were intentionally deferred, with the compensating control and the next review date. The 30-day metric improves when this list exists, because the tail stops counting against you.
  • Asset context that's accurate week-of, not quarter-of. "Patch the Apache servers" is a different ticket than "patch the 14 Apache servers, 4 of which face the internet."
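As an added illustration (not code from the post or its author), here is a minimal intake triage in Python built around the three levers above, plus the median-versus-tail latency metric from the previous section: exploit-likelihood signals order the queue, and an item can only leave scope through an explicit deferral record that carries a compensating control and a next review date. The CVE ids, scores, controls and dates are constructed, and the scoring weights are an assumption, not a published scheme.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class PatchItem:
    cve: str              # constructed sample id, not a real advisory
    epss: float           # EPSS probability at intake (0..1)
    in_kev: bool          # listed in CISA's KEV catalog
    internet_facing: int  # affected assets exposed to the internet
    severity: str         # vendor severity: critical/important/moderate/low

SEVERITY_WEIGHT = {"critical": 1.0, "important": 0.6, "moderate": 0.3, "low": 0.1}  # assumed weights
CYCLE_START = date(2026, 5, 12)  # constructed cycle start date

def priority_score(item):
    """Higher sorts earlier: KEV and internet exposure decide who jumps the queue,
    EPSS and vendor severity order the rest."""
    score = SEVERITY_WEIGHT.get(item.severity, 0.1) + item.epss
    return score + (2.0 if item.internet_facing else 0.0) + (4.0 if item.in_kev else 0.0)

def triage(items, capacity, cycle_start, controls):
    """Order intake, take what fits this cycle, and write the rest to the
    'won't patch this cycle' list. Deferral needs: not in KEV, not internet-facing,
    and a recorded compensating control; otherwise the item stays in scope."""
    ordered = sorted(items, key=priority_score, reverse=True)
    in_scope, deferred = ordered[:capacity], []
    for item in ordered[capacity:]:
        control = controls.get(item.cve)
        if item.in_kev or item.internet_facing or control is None:
            in_scope.append(item)          # cannot be deferred; overrun capacity instead
        else:
            deferred.append({"cve": item.cve, "compensating_control": control,
                             "next_review": cycle_start + timedelta(days=30)})
    return in_scope, deferred

def patch_latency_summary(days_to_patch, sla_days=30):
    """Median beside the slowest item: the tail is the diagnostic number."""
    s, n = sorted(days_to_patch), len(days_to_patch)
    median = s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2
    return {"median_days": median, "slowest_days": s[-1], "over_sla": sum(d > sla_days for d in s)}

def sample_intake():
    """Constructed intake: five made-up CVEs plus the controls recorded so far."""
    items = [PatchItem("CVE-2026-0001", 0.02, False, 0, "important"),
             PatchItem("CVE-2026-0002", 0.90, True, 4, "critical"),
             PatchItem("CVE-2026-0003", 0.05, False, 2, "moderate"),
             PatchItem("CVE-2026-0004", 0.01, False, 0, "low"),
             PatchItem("CVE-2026-0005", 0.30, False, 0, "critical")]
    return items, {"CVE-2026-0004": "service disabled by baseline; host firewall blocks the port"}
```

Run `triage(*sample_intake()[:1], 3, CYCLE_START, sample_intake()[1])` with a capacity of three: the KEV and internet-facing items go first, the item with no recorded control cannot be deferred and overruns capacity, and only the low item with a documented control lands on the deferral list.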

Where the 30-day SLA still earns its keep

The SLA isn't dead. It's a useful forcing function for the routine middle of the queue: the medium-severity work that, without a deadline, would never get attention. What it can't do anymore is define the program. The program is now the queue: how items enter, how they're ordered, what exits, and what the unpatched residual looks like at the end of each cycle.

The summary

Two teams can hit the same SLA and run different programs. As patch volume keeps rising, the gap widens and the SLA stops telling you which program you have. The question worth asking next quarter is what your deferral list looks like and who owns it.

© 2026 Security Overview. All rights reserved.