
Vulnerability discovery to protection gaps: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: Vulnerability discovery, virtual patching and software remediation are being tied together to reduce the time between finding a flaw and protecting exposed systems, including open source software, commercial applications, OT and healthcare technologies, according to Palo Alto Networks, IBM and Red Hat. The real issue is not faster disclosure, but whether security teams can shrink exposure windows faster than AI-driven discovery expands them.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams respond when vulnerability discovery outpaces patching?

A: They should split the response into containment and repair.

Q: When should organisations use virtual patching instead of waiting for a code fix?

A: Use virtual patching when the exposure window is too short for normal patch cycles and the vulnerable service is externally reachable or business-critical.

Q: What do security teams get wrong about vulnerability management in complex environments?

A: They often treat the software flaw as the whole problem.

Practitioner guidance

  • Prioritise exposure windows, not just CVSS scores. Rank vulnerabilities by how long they remain exploitable in your environment, then align remediation effort to the systems that can be exploited before patching completes.
  • Inventory the identity chain behind vulnerable services. Identify the service accounts, API keys, workload identities and deployment credentials attached to each exposed application so containment decisions reflect the real blast radius.
  • Use virtual patching as a bridge to repair. Deploy network-level blocking where patching is delayed, but set an explicit expiry for the compensating control and track it through change management.

What's in the full announcement

Palo Alto Networks' full post covers the operational detail this post intentionally leaves for the source:

  • How the virtual patching workflow is intended to sit alongside Project Lightwell remediation steps.
  • Which environment types are in scope, including open source software, commercial applications, OT and healthcare technologies.
  • How IBM Consulting is positioned to help prioritise, deploy and validate protections across complex estates.
  • What secure information-sharing processes the companies say they plan to establish across vendors and security teams.

👉 Read Palo Alto Networks' analysis of Project Lightwell and vulnerability protection →
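One way to operationalise the first and third points of the practitioner guidance above, as an added example that is not part of the original post or of any vendor's tooling: it ranks exposures by window length and identity blast radius, and flags bridge controls that have outlived their expiry before the fix landed. The weights, the 14-day window, the placeholder CVE ids and the inventory are all constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class VirtualPatch:
    control: str   # compensating-control reference (constructed ids below)
    expires: date  # explicit expiry, so the bridge cannot quietly become permanent

@dataclass
class Exposure:
    service: str
    cve: str                 # placeholder ids, not real CVEs
    exploitable_since: date  # when the flaw became exploitable in this environment
    patch_eta: date          # when the code fix is expected to land
    externally_reachable: bool
    business_critical: bool
    identities: list         # service accounts, keys and workload identities on the service
    virtual_patch: "VirtualPatch | None" = None

def exposure_days(e: Exposure) -> int:
    return max(0, (e.patch_eta - e.exploitable_since).days)  # exploitable until the fix lands

def priority(e: Exposure) -> int:
    # Window length, doubled for external reach and for criticality, plus identity blast radius (constructed weights)
    reach = (2 if e.externally_reachable else 1) * (2 if e.business_critical else 1)
    return exposure_days(e) * reach + 5 * len(e.identities)

def control_status(e: Exposure, today: date, max_window: int = 14) -> str:
    # max_window: constructed SLA for the normal patch cycle; exposed or critical services that outrun it need a bridge control
    needs_bridge = exposure_days(e) > max_window and (e.externally_reachable or e.business_critical)
    vp = e.virtual_patch
    if vp is None:
        return "missing" if needs_bridge else "not required"
    if vp.expires < today and e.patch_eta > today:
        return "expired"  # control lapsed before the fix landed: the gap has reopened
    return "covered"

def rank(exposures, today: date):
    # Highest exposure first, each with the state of its compensating control
    rows = [(e.service, priority(e), control_status(e, today)) for e in exposures]
    return sorted(rows, key=lambda r: r[1], reverse=True)

TODAY = date(2025, 1, 10)  # constructed reference date
SAMPLE = [  # constructed inventory
    Exposure("payments-api", "CVE-0000-0001", date(2025, 1, 3), date(2025, 1, 31), True, True,
             ["svc-payments", "psp-api-key", "ci-deploy-token"], VirtualPatch("waf-rule-1042", date(2025, 1, 8))),
    Exposure("hr-portal", "CVE-0000-0002", date(2025, 1, 9), date(2025, 1, 17), False, False, ["svc-hr"]),
    Exposure("plc-gateway", "CVE-0000-0003", date(2024, 12, 20), date(2025, 3, 1), True, False,
             ["svc-ot-gateway", "mqtt-client-cert"], VirtualPatch("ips-sig-77", date(2025, 2, 15))),
]
```

Running `rank(SAMPLE, TODAY)` puts the OT gateway first on window length and shows the payments API as "expired": its WAF rule lapsed two days before the reference date while the fix is still three weeks out.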

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Exposure windows are now the control problem, not just patch speed. The article reflects a broader shift in security economics: AI compresses the time between discovery and exploitation, so defenders lose the luxury of slow remediation cycles. That makes the length of the exposure window the key variable practitioners must manage across software, identity and operational control planes.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to NHI Mgmt Group research.

A question worth separating out:

Q: Which controls matter most for reducing exposure across software supply chains?

A: The most effective controls combine accurate inventory, rapid containment, validated remediation and ownership for every critical dependency. Teams should also map which non-human identities and secrets are tied to vulnerable applications, because exploit impact is often driven by what the software can reach, not just by the code defect itself.

👉 Read our full editorial: Project Lightwell narrows vulnerability-to-protection gaps across software
