█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Vulnerability Management/Patch Management
35 minBeginner

Patch Management

After this lesson, you will be able to: Describe the patch management lifecycle and the tradeoffs between automated and manual patching.

Patching looks easy ('just install the update') and is in fact one of the hardest operational disciplines in IT. This lesson covers the full patch lifecycle and the real-world tradeoffs that lead organizations to skip patches.

Prerequisites:CVEs, CVSS, and Prioritization

The patch lifecycle

Discovery (vendor releases a patch + CVE), Triage (does this affect us? what's the risk?), Test (deploy to a non-prod environment first), Deploy (push to production in waves), Verify (rescan, confirm patch is installed and effective), Document (close the ticket, update inventory).

Why patching is hard

Patches break compatibility, old plugins, custom integrations, internal tools fail. Reboots cost money and customer trust on production systems. Vendor end-of-life, some software simply has no more patches. Prerequisite chains, patch B requires patch A, which requires a kernel rebuild, which requires a maintenance window. These are the reasons real environments lag months behind 'available' patches.

💡 Automated patching, when to use it

Automate where breakage is cheap (developer laptops, dev/test servers, identical fleet machines). Manual + tested patching for production critical systems. Almost everyone gets this wrong by being too cautious, most environments under-patch user endpoints when they could safely auto-patch them.

Compensating controls

When you can't patch immediately: virtual patching at the WAF (block exploit attempts before they reach the vulnerable code), network segmentation (isolate the vulnerable host), configuration changes (disable the vulnerable feature), monitoring (detect exploit attempts and respond). These are not as good as patching but buy time when patching isn't possible.

Quick Check

An internet-facing app has a critical CVE but the patch breaks integrations. Best move?

Choose the response.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←CVEs, CVSS, and Prioritization
Back to Vulnerability Management
Vulnerability Assessment vs Penetration Testing→