The old assumption was that patch cycles run in weeks and that’s usually fine.

That assumption is cracking.

A GNU telnetd buffer-overflow PoC is already circulating in practitioner channels. CISA added another vulnerability to KEV based on active exploitation. Rapid7’s 2026 threat report shows exploited high/critical vulns surged 105%, and that attack timelines have collapsed. And teams are still absorbing Microsoft’s March drop of 83 patches.

Different headlines. Same math problem.

Most teams aren’t asleep. They’re overloaded. Patching means coordination across owners, testing windows, uptime constraints, and change controls. When exploit timelines shrink, that process friction becomes direct exposure.

So the question to ask isn’t whether you finished this month’s cycle. It’s how quickly you can close an externally reachable, high-impact risk after a credible exploit signal.

KEV additions and mature public PoCs need a different mode entirely. Define an emergency class: credible exploit signal, meaningful exposure, high-consequence impact. For that class, monthly cadence is too slow. 48 hours should be the standard for exposed critical assets, with named owners and pre-authorized procedures.
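As an added example, not part of the original post: a small Python triage rule that encodes the emergency class above (exploit signal AND exposure AND impact) and assigns the 48-hour lane versus the normal monthly cadence. The record fields, the placeholder CVE ids and the 30-day figure for the normal cycle are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fast-lane rule from the post: a finding is an emergency only when all three
# hold -- credible exploit signal (KEV listing or mature public PoC), meaningful
# exposure (externally reachable) and high-consequence impact (high/critical).
# Field names and the 30-day "normal" cadence are assumptions, not the post's.
EMERGENCY_SLA = timedelta(hours=48)   # 48h standard for exposed critical assets
MONTHLY_SLA = timedelta(days=30)      # regular patch cycle (assumed length)

@dataclass
class Finding:
    cve: str
    severity: str          # "low", "medium", "high", "critical"
    in_kev: bool           # listed in CISA KEV
    public_poc: bool       # mature public PoC circulating
    internet_facing: bool  # externally reachable
    owner: str             # named owner for the fast lane

def exploit_signal(f: Finding) -> bool:
    return f.in_kev or f.public_poc

def is_emergency(f: Finding) -> bool:
    return (exploit_signal(f) and f.internet_facing
            and f.severity in ("high", "critical"))

def triage(findings, now=None):
    """Return (cve, lane, deadline, owner) tuples, earliest deadline first."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for f in findings:
        if is_emergency(f):
            rows.append((f.cve, "emergency", now + EMERGENCY_SLA, f.owner))
        else:
            rows.append((f.cve, "monthly", now + MONTHLY_SLA, f.owner))
    rows.sort(key=lambda r: r[2])   # stable: emergency lane floats to the top
    return rows

# Constructed sample inventory (placeholder CVE ids, not real identifiers).
SAMPLE = [
    Finding("CVE-XXXX-0001", "critical", False, True, True, "net-team"),  # PoC + exposed
    Finding("CVE-XXXX-0002", "high", True, False, False, "app-team"),     # KEV but internal
    Finding("CVE-XXXX-0003", "medium", True, False, True, "ops-team"),    # KEV, exposed, medium
    Finding("CVE-XXXX-0004", "critical", False, False, True, "db-team"),  # no exploit signal
]

if __name__ == "__main__":
    for cve, lane, due, owner in triage(SAMPLE):
        print(f"{cve:15} {lane:9} due {due:%Y-%m-%d %H:%M}Z owner={owner}")
```

Only the first sample record meets all three criteria; a KEV entry on an internal host or a medium-severity exposed one stays in the regular cycle.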

Attackers simplified their side. Defenders need to simplify theirs.

The full post covers the governance model for building a fast lane into your vuln program.