Why the 14-Day Patching Window Is No Longer Enough, And What UK Businesses Should Do Instead

Whoever wrote the Cyber Essentials 14-day patching requirement wrote it for a different threat landscape. In 2018 it made sense. The average time between a vulnerability being disclosed and attackers actively exploiting it was 756 days. Businesses had over two years to patch before most threats materialised. A 14-day window was conservative, achievable and genuinely protective.

That world no longer exists.

The average time from CVE disclosure to a working exploit has collapsed from 56 days in 2024 to roughly 10 hours in 2026. The 14-day patching window, the standard that Cyber Essentials enforces and that most UK businesses are working toward, now leaves a gap of approximately 13 days, 23 hours and 50 minutes during which attackers with a working exploit can reach unpatched systems.

This is not an argument against Cyber Essentials; it is an argument that meeting the minimum standard no longer guarantees protection. The certification is still worth pursuing. The 14-day window is still worth meeting. But treating it as sufficient is the security equivalent of locking your front door and leaving the back window open.

The numbers that make the case

The data on exploitation timelines is stark and consistent across multiple independent sources.

In 2018 the median time from vulnerability disclosure to first observed exploit was 771 days. In 2021 that window had compressed to 84 days. By 2023 it was six days. By 2024 it was four hours.

Mandiant’s M-Trends 2026 report puts the mean time to exploit at negative seven days: attackers routinely compromise systems before vendors release a patch at all.

Read that again. The average exploit now happens before the patch exists. A 14-day patching window assumes a patch is available when you start the clock. In 2026 attackers are frequently through the door before the patch exists, let alone before you have deployed it.

In 2025, attackers exploited 28.96% of known vulnerabilities on or before the day their CVE appeared, up from 23.6% the previous year. By 2026, zero-days account for 67.2% of all exploited CVEs, up from 16.1% in 2018. When attackers weaponise two-thirds of exploited vulnerabilities before any patch exists, reactive security has already lost.

There is also a structural problem with the CVE publication process itself. The National Vulnerability Database faces delays averaging 23 days between exploit publication and CVE assignment. This gap allows attackers to exploit vulnerabilities before defenders can even begin patching.

The implication is uncomfortable but clear: by the time a vulnerability appears in your patch management queue with a CVE number attached, attackers may have been exploiting it for three weeks.

What the 14-day window was designed to prevent

The 14-day patching requirement targets a specific and genuine problem — businesses running known vulnerabilities for months or years because patching was manual, inconvenient or simply forgotten. Zero-day exploitation was never what it set out to prevent.

That problem is real and the 14-day rule addresses it. Patching within 14 days of a release puts a business in a significantly stronger position than one running monthly or quarterly patch cycles. The requirement has raised the baseline meaningfully across UK businesses.

The issue is not that the 14-day rule is wrong. The real problem is that businesses increasingly mistake a Cyber Essentials pass for comprehensive protection. For the most dangerous category of vulnerabilities, those actively exploited in the wild, 14 days is not a protection window. It is a breach window.

The AI acceleration problem

The collapse of exploitation timelines is not accidental. AI-assisted tooling is generating working exploits in minutes. Automated scanners are firing on freshly disclosed vulnerabilities within the same business day they appear publicly. The pattern is consistent: disclose, scan, exploit, compressed to hours.

Traditional Patch Tuesday monthly cycles, once considered industry best practice, are now dangerously obsolete. When attackers exploit vulnerabilities in hours or days, organisations patching on monthly schedules are fighting with one hand tied behind their backs.

For UK businesses this is not a theoretical concern. The same AI tools that accelerate legitimate development are available to attackers. A critical macOS vulnerability published on a Monday morning can have automated exploitation scripts circulating in underground forums by Monday afternoon. By the time your IT team processes the alert on Tuesday and schedules patching for the following week, the window has long since closed.

In 2025 the public CVE program published 48,185 new vulnerabilities, a 20.6% jump on top of the record 38% surge in 2024. The CISA Known Exploited Vulnerabilities catalogue grew 20% to 1,484 entries. The volume of vulnerabilities is increasing at the same time as the exploitation window is collapsing. The combination is the security challenge of 2026.

What good patching actually looks like in 2026

Meeting the 14-day Cyber Essentials requirement should be treated as the floor, not the ceiling. Here is what a genuinely protective patching posture looks like in practice.

Automated patching for the majority

The most effective single change any UK business can make to its patching posture is removing humans from the routine patching loop entirely. Routine patches (operating system updates, browser updates, productivity app updates) should deploy automatically without requiring IT to approve, schedule or manually push each update.

For Mac fleets, a Jamf MDM should handle this natively. macOS updates, iOS and iPadOS updates and third-party applications covered by the Jamf App Catalog all update automatically based on policies you define. You set the deadline (24 hours for critical patches, 72 hours for high severity, seven days for medium) and the MDM enforces it across every device without human intervention.

For Windows devices, Microsoft Intune combined with Windows Update for Business handles OS patching automatically. For third-party application patching on Windows such as Chrome, Adobe, Zoom and hundreds of others, Patch My PC integrates directly with Intune and automates the update cycle for over 1,500 applications without manual packaging.

Automated patching does not mean uncontrolled patching. You define the rings, which devices update first, what testing happens, what the rollout timeline looks like. What it removes is the dependency on a human remembering to act within a specific window.

Risk-based triage for critical vulnerabilities

Not all vulnerabilities are equal and treating them identically is how you end up with overwhelmed IT teams and missed critical patches. A structured risk-based approach prioritises based on actual exploitation risk rather than theoretical severity scores.

CVSS scores measure theoretical severity: how bad this vulnerability could be in a worst-case scenario. They do not measure whether anyone is actually exploiting it right now. A CVSS 9.8 vulnerability that no attacker is targeting is less urgent than a CVSS 7.2 vulnerability with confirmed active exploitation.

The practical framework for risk-based patching:

Any vulnerability on the CISA Known Exploited Vulnerabilities catalogue – patch within 24 to 48 hours. These are vulnerabilities with confirmed active exploitation in the wild. The standard 14-day window is irrelevant. These need to be treated as emergencies.

Critical CVEs with proof of concept exploit code publicly available – patch within 48 to 72 hours. The existence of public exploit code dramatically increases the likelihood of widespread exploitation. Do not wait for the 14-day window.

High severity CVEs without confirmed exploitation – patch within seven days. Faster than the Cyber Essentials requirement but still manageable for most IT teams with automated patching in place.

Medium and low severity CVEs – patch within 14 days as the Cyber Essentials requirement specifies. The standard window is appropriate for vulnerabilities without active exploitation.

This tiered approach does not conflict with Cyber Essentials. It exceeds it for the vulnerabilities that actually matter while maintaining the standard requirement for lower-risk patches.

Monitoring for active exploitation – not just CVE feeds

The 14-day clock starts when a CVE is published. But as the data above shows, exploitation frequently begins before the CVE exists. Monitoring only CVE feeds means you are watching the wrong signal.

More useful signals for UK businesses:

1. The CISA Known Exploited Vulnerabilities catalogue – updated continuously with vulnerabilities confirmed to be actively exploited. Subscribe to alerts and treat every addition as a priority patch event.

2. Vendor security advisories – Apple, Microsoft, Google and major software vendors publish emergency out-of-band security updates for actively exploited vulnerabilities. These frequently arrive before a CVE number is assigned. Subscribe to security advisories for every major software vendor in your environment.

3. Threat intelligence feeds – for businesses in regulated sectors, subscribing to a threat intelligence service that provides early warning of active exploitation against specific software is increasingly worth the investment.
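The tiered triage framework above and the KEV-first monitoring it relies on, as an added example that is not part of the original article: a small Python script that reads a KEV feed in the shape CISA publishes (`{"vulnerabilities": [{"cveID": ...}]}`), flags new catalogue additions since the last check, and assigns each open vulnerability a tier and patch deadline so overdue items can be reported. The CVE identifiers, dates and CVSS scores below are constructed sample data, not real entries.

```python
import json
from datetime import date, timedelta

# SLA per tier in days, per the framework above (KEV: 24-48h, so 2 days is the outer bound)
SLA_DAYS = {"kev": 2, "critical-poc": 3, "high": 7, "standard": 14}

def kev_ids(feed_json: str) -> set[str]:
    """Extract CVE IDs from a feed in CISA's known_exploited_vulnerabilities.json shape."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}

def new_kev_entries(feed_json: str, seen: set[str]) -> set[str]:
    """KEV additions since the last check: each one is a priority patch event."""
    return kev_ids(feed_json) - seen

def triage(vuln: dict, kev: set[str]) -> tuple[str, int]:
    """Assign a tier and SLA; exploitation evidence outranks the CVSS score."""
    if vuln["cve"] in kev:                                # confirmed in-the-wild exploitation
        tier = "kev"
    elif vuln["cvss"] >= 9.0 and vuln["poc_public"]:      # critical with public exploit code
        tier = "critical-poc"
    elif vuln["cvss"] >= 7.0:                             # high/critical, no exploitation evidence
        tier = "high"
    else:                                                 # medium/low: Cyber Essentials window
        tier = "standard"
    return tier, SLA_DAYS[tier]

def patch_deadline(vuln: dict, kev: set[str]) -> date:
    """The clock starts at the advisory/CVE publication date, as Cyber Essentials counts it."""
    _, sla = triage(vuln, kev)
    return date.fromisoformat(vuln["published"]) + timedelta(days=sla)

def overdue(vulns: list[dict], kev: set[str], today: date) -> list[str]:
    """CVEs still unpatched after their tier's deadline, for the daily compliance report."""
    return sorted(v["cve"] for v in vulns
                  if not v["patched"] and patch_deadline(v, kev) < today)

# Constructed sample data (placeholder CVE IDs, not real KEV entries)
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-00001", "dateAdded": "2026-03-02"},
    {"cveID": "CVE-2026-00004", "dateAdded": "2026-03-09"}]})
INVENTORY = [
    {"cve": "CVE-2026-00001", "cvss": 7.2, "poc_public": False, "published": "2026-03-01", "patched": False},
    {"cve": "CVE-2026-00002", "cvss": 9.8, "poc_public": False, "published": "2026-03-01", "patched": False},
    {"cve": "CVE-2026-00003", "cvss": 9.8, "poc_public": True, "published": "2026-03-05", "patched": False},
]

if __name__ == "__main__":
    kev = kev_ids(KEV_FEED)
    print("new KEV entries since last check:", new_kev_entries(KEV_FEED, {"CVE-2026-00001"}))
    print("overdue on 2026-03-06:", overdue(INVENTORY, kev, date(2026, 3, 6)))
```

Note that the CVSS 7.2 entry on the KEV list gets a 2-day deadline while the CVSS 9.8 entry without exploitation evidence gets 7 days, which is exactly the inversion the framework calls for.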

The Apple fleet patching picture

For businesses running Mac, iPhone and iPad fleets specifically, the patching challenge has some Apple-specific dimensions worth understanding.

Apple releases security updates for macOS, iOS and iPadOS regularly. Recent individual cases show the pattern clearly – CVE-2025-10585 affecting Chrome V8 was actively exploited within 24 hours of disclosure. CVE-2026-35616 in Fortinet FortiClient was weaponised almost immediately after disclosure. Apple-specific vulnerabilities follow the same compressed timeline.

Without MDM, enforcing patching deadlines across an Apple fleet is a manual process that depends on individual employees applying updates when prompted. Staff routinely defer update notifications with “I’ll do it later”, and “later” frequently becomes “never until the next Genius Bar visit.” On an unmanaged fleet of 30 Macs there is no reliable way to know which devices are current and which are running a three-month-old operating system with known exploited vulnerabilities.

With an MDM, OS update enforcement works as follows: you define a deadline, MDM sends progressive notifications as the deadline approaches and on the deadline date the update applies whether the employee has actioned it or not. MDM compliance reporting confirms which devices are current and flags any that are non-compliant in real time. For a business with Cyber Essentials obligations, or simply a business that takes security seriously, this is the difference between knowing your fleet is patched and hoping it is.

For iPhone and iPad in scope for Cyber Essentials, the same MDM-enforced patching applies. Devices enrolled in Jamf Pro can be required to run a minimum iOS or iPadOS version with enforcement deadlines that match your patching policy.

The honest conversation about Cyber Essentials

Cyber Essentials is worth doing. The five controls it requires are genuinely protective and the certification demonstrates to clients, insurers and regulators that your basic security posture meets a recognised standard. The patching requirement specifically has driven meaningful improvement in how UK businesses manage updates.

The concern is not with the certification. The concern is with how it is often communicated and received.

When a business achieves Cyber Essentials certification it frequently communicates this to clients and leadership as “we are secure.” What it actually means is “we meet the minimum technical baseline that was designed to address the most common cyber attacks.” Those are meaningfully different statements and conflating them creates a false sense of protection that sophisticated attackers actively exploit.

A business that patches within 14 days, enforces MFA on cloud services, runs endpoint protection and has a properly configured firewall is in a much better position than one without any of those controls. The same business thinking that Cyber Essentials certification represents comprehensive protection is in a worse position than one that treats it as the starting point for a broader security programme.

The 14-day patching window is the most concrete example of this gap. It was protective in 2018. In 2026 it is the minimum acceptable standard, not the target.

What to implement and in what order

If you currently patch within the Cyber Essentials 14-day window and want to genuinely improve your patching posture, here is the practical sequence:

1. Automate routine patching first. Remove humans from the loop for OS updates and standard application updates: Jamf Pro for Mac, Intune combined with Patch My PC for Windows.

2. Subscribe to CISA KEV alerts. Free, authoritative and updated continuously with confirmed active exploitation. Set up email alerts so critical additions trigger immediate action rather than waiting for the next scheduled patch review.

3. Subscribe to Apple and Microsoft security advisories. Both vendors publish out-of-band emergency security updates for actively exploited vulnerabilities. These updates should be applied immediately, not at the next scheduled maintenance window.

4. Implement a risk-based triage process. Not every patch is an emergency. Having a defined process for categorising and prioritising patches means critical vulnerabilities get same-day attention without creating alert fatigue that causes important patches to be missed.

5. Review your Cyber Essentials posture through this lens. If you are currently meeting the 14-day requirement manually (someone reviews a list, schedules patching, confirms completion), you are meeting the minimum. Automating that process and adding the risk-based triage layer above it moves you from minimum compliance to genuine protection.

The bottom line

Fourteen days was a reasonable patching window when the average exploit took two years to develop. It is not a reasonable patching window when the average exploit takes 10 hours.

Meeting the Cyber Essentials patching requirement is worth doing, not because 14 days is sufficient but because it establishes the discipline of regular patching and forces businesses to have tooling in place that can be tightened. A business with automated patching meeting a 14-day deadline can tighten that to 48 hours for critical CVEs with a configuration change. A business patching manually on a monthly cycle cannot.

The goal for 2026 is not to meet the 14-day Cyber Essentials requirement. The goal is to treat the 14-day requirement as your worst-case fallback for low-risk patches and to have a faster, automated, risk-based process for everything that matters.

We work with UK businesses running Apple and mixed fleets to implement exactly this: automated patching through MDMs, risk-based triage processes and the ongoing management that keeps the patching posture current as the threat landscape continues to accelerate.

Read our Cyber Essentials checklist to understand the full compliance picture, or our Jamf Pro vs Microsoft Intune comparison to understand which patching automation tooling is right for your fleet.

Book a free consultation with our team to review your current patching posture and find out where the gaps are before an attacker does.