Patch Tuesday Triage β 4 hours vs 4 days
May 12, 2026 β 6 min read β Pedro Jose
Patch Tuesday drops 50β150 CVEs. Your team has 4 hours of real attention span.
Most security teams do one of two things:
- Panic-patch everything β break production, burn out engineers
- Patch nothing β get pwned by something that had a public exploit on day zero
There’s a third way. It’s called exploit-based triage.
β‘ THE TRUTH
Not all CVEs are created equal. 80% are noise. 15% matter in specific environments. 5% will get you pwned if you don’t patch them today.
Your job isn’t to patch everything. It’s to find the 5%.
Not all CVEs are created equal. 80% are noise. 15% matter in specific environments. 5% will get you pwned if you don’t patch them today.
Your job isn’t to patch everything. It’s to find the 5%.
The 4βHour List (Patch Now)
These get patched within 4 hours. No exceptions.
π΄ Public Exploit Available
< 4 HOURS
Metasploit module. PoC on GitHub. Exploit-DB entry. Someone already weaponized it.
π Internet-Facing & Critical
< 4 HOURS
VPN, web server, email gateway, public API. CVSS β₯ 9.0. Attacker can reach it without credentials.
βοΈ Active Exploitation (CISA KEV)
< 4 HOURS
On CISA Known Exploited Vulnerabilities catalog. Attackers are using it right now.
β οΈ Pro tip: Bookmark cisa.gov/known-exploited-vulnerabilities-catalog. If it’s on this list and you have it exposed, stop reading and patch.
The 4βDay List (Schedule a Window)
These get patched within 4 days. Important, but not burning down right now.
π¦ Internal-Only, Critical Severity
4 DAYS
CVSS 8β9. No public exploit. Internal systems only. Attacker would need a foothold first.
π Privilege Escalation (Local)
4 DAYS
Attacker already needs low-priv access. Worth patching, but not breaking your weekend.
π Internet-Facing, High Severity
4 DAYS
CVSS 7β8. No exploit available. Monitor, schedule, don’t panic.
The Defer List (Patch Eventually)
These can wait for the monthly patch cycle. Or never. Most teams over-patch these.
- Local DoS (CVSS 5β6) β annoying but not lethal
- Information disclosure (low impact) β unless it’s customer data
- CVSS 4 and below β unless chained with something else
- Vulnerabilities in components you don’t actually use
π§ But Pedro, what about defense in depth?
Defense in depth doesn’t mean patch everything. It means mitigating what you can’t patch.
If you can’t patch the 4βday list in 4 days, put a WAF rule on it. Restrict access. Monitor logs. That’s defense.
Defense in depth doesn’t mean patch everything. It means mitigating what you can’t patch.
If you can’t patch the 4βday list in 4 days, put a WAF rule on it. Restrict access. Monitor logs. That’s defense.
The Decision Flowchart (Cheat Sheet)
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PATCH TUESDAY TRIAGE β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β CVE arrives β
β β β
β βΌ β
β [1] Public exploit? ββββββββββYESβββ π΄ PATCH IN 4 HOURS β
β β β
β NO β
β βΌ β
β [2] On CISA KEV? βββββββββββββYESβββ π΄ PATCH IN 4 HOURS β
β β β
β NO β
β βΌ β
β [3] Internet-facing + CVSS β₯9? ββYESβββ π΄ PATCH IN 4 HOURS β
β β β
β NO β
β βΌ β
β [4] CVSS β₯8 + internal? ββββββββYESβββ π‘ PATCH IN 4 DAYS β
β β β
β NO β
β βΌ β
β [5] CVSS 5β7? βββββββββββββββββYESβββ π’ DEFER (monthly) β
β β β
β NO β
β βΌ β
β [6] CVSS β€4 ββββββββββββββββββββββββββ π’ PROBABLY IGNORE β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Tools to Make This Actually Work
You can’t triage manually. Use these:
| Source | What It Gives You | URL |
|---|---|---|
| CISA KEV | Actively exploited CVEs | cisa.gov/known-exploited-vulnerabilities-catalog |
| EPSS | Probability of exploitation (0β1) | first.org/epss |
| Exploit-DB | Public exploit code | exploit-db.com |
| Twitter/X | Real-time chatter (follow researchers) | @s4dbrd, @SwiftOnSecurity, @GossiTheDog |
| NVD | CVSS scores + references | nvd.nist.gov |
What About Zero-Days?
Same rules apply β but faster.
- Public PoC drops at 2pm? Patch window starts at 2pm.
- No exploit? No active targeting? You have time to test.
- Log4j-style chaos? That’s not triage. That’s incident response. Different playbook.
π The Bottom Line
Your team can’t patch 100 CVEs in a week. Stop trying.
Find the 5% with public exploits or active targeting. Patch those.
The rest can wait. Your production stability will thank you.
And when you’re wrong? That’s what incident response is for.
Your team can’t patch 100 CVEs in a week. Stop trying.
Find the 5% with public exploits or active targeting. Patch those.
The rest can wait. Your production stability will thank you.
And when you’re wrong? That’s what incident response is for.
One More Thing
Triage tells you what to patch. It doesn’t tell you how to patch without breaking things.
That’s a separate problem. But if you’re still reading? You’re already ahead of the teams panic-patching Adobe Reader into production at 4pm on Tuesday.
π¦π
Need someone to break your stuff before Patch Tuesday ruins it?
Website pentest: $299. AI agent pentest: $750. Full manual audit: $799.
π© DM @StackOfTruths on XFree 15-min consultation. No hard sell. Just honest answers about your security backlog.
Leave a Reply