Organisations struggle to prioritise vulnerability patching appropriately, leading to situations where everything is a crisis and nobody benefits, according to a new report. Ivanti’s report on vulnerability patch management reveals that those in charge of roll-out and patch management are struggling to prioritise updates. They tend to describe “everything” as a priority, an approach the report describes as unsustainable.
In its 2025 Risk-based Patch Prioritisation Report, released this week, Ivanti expressed concern about the lack of industry standards for rating vulnerabilities and patches. Users are left to compare updates and prioritise them based on isolated suggestions.
Asked which factors determine patch priority (the impact of a vulnerability on critical systems, whether it has been actively exploited, whether it was detected by a vulnerability scan, its CVSS or vendor severity score, whether patching is necessary for compliance purposes such as inclusion in the CISA KEV database, and whether management has identified it as a priority), a majority of respondents said they rated each of these as having a high to moderate impact on their urgency rating.
The report’s authors wrote: “But when everything is on the table, nothing is important.” In light of these statistics, it is no surprise that 39% of cyber pros struggle to prioritise risk remediation and patch implementation, and 35% struggle to maintain compliance.
Chris Goettl, vice-president for product management at Ivanti, said that the majority of vulnerabilities he sees being actively targeted are not those that security teams prioritise.
“By properly configuring systems, all continuous updates can be assigned to one of these tracks and handled as part of continuous patch management processes rather than once a month,” he said.
Silos and data gaps
Security experts also reported that they lacked enough data to make informed decisions on what to patch. The most common gaps were in areas like shadow IT, contextual gaps regarding which vulnerabilities are exposing systems, and blind spots related to patch configuration, compliance status, or meeting patch service-level agreements. Daren Goeson is the senior vice-president for product management at Ivanti, a company that offers secure unified endpoint management (UEM). He said, “If organisations want to really elevate their remediation effort, they’ll need some important contextual information to do so.”
The first is visibility of the attack surface. The second is context for the vulnerabilities in the organisation’s attack surface. The third is threat intelligence that determines how risk is evolving. And the fourth is a compliance view that focuses on real risk within the organisation. Ivanti stated that there is often a push/pull dynamic at play, in which security teams say they need to respond quickly while IT teams insist on stability; the two are at odds with each other.
The report also said that the “everything’s urgent” mentality creates more problems because it forces IT teams to push out updates without proper testing, while the interplay of silos and misaligned priorities leads to miscommunication and unclear ownership duties, introducing even more risk.
Is AI the key?
Ivanti suggests that artificial intelligence (AI) and automation are the key. The report suggested that AI solutions could solve the problems it highlighted, but it also noted that many organisations cited barriers such as cost and lack of skills as reasons they were unable to take advantage of these capabilities.
According to the report, AI solutions can help organisations improve their patch management strategies in two ways: by automating patch testing workflows, and by automating fast analysis of vulnerabilities using factors such as threat and risk context.
If you’re using a system that prioritizes based on risk, AI can gather massive amounts of data from different sources and tools. It will then analyze the information and use predictive modeling to make scoring based on risk as efficient as possible, said Goettl.
After identifying your risk appetite, you can configure automation to continuously monitor any updates that are needed in alignment with your prioritisation of risk.
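The factors listed above (critical-system impact, active exploitation, scan detection, CVSS or vendor severity, compliance requirement, management priority) can be combined into a single risk score that sorts findings into patch tracks, which is the idea Goettl describes. The following Python is an added example written for this page; it is not Ivanti’s scoring method or product code. The weights, the track thresholds and the sample findings (with placeholder ids in the CVE-0000-NNNN form, not real CVEs) are constructed assumptions chosen to show the contrast the report draws: a severity-only rule flags most findings as urgent, while a risk-based score expedites only the ones that are exploited and exposed.

```python
"""Risk-based patch prioritisation versus a severity-only rule (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve_id: str                 # constructed placeholder id, not a real CVE
    cvss: float                 # CVSS or vendor severity base score, 0.0 to 10.0
    actively_exploited: bool    # e.g. listed in CISA KEV or seen in threat intel
    scan_detected: bool         # confirmed present by a vulnerability scan
    critical_system: bool       # affects a system the business classes as critical
    internet_exposed: bool      # part of the external attack surface
    compliance_required: bool   # patch mandated for compliance (e.g. a KEV deadline)
    management_priority: bool   # flagged as a priority by management


# Assumed weights: exploitation and critical-system impact dominate; severity alone
# cannot push a finding into the expedited track. Sum of weights is 95.
WEIGHTS = {
    "actively_exploited": 40,
    "critical_system": 20,
    "internet_exposed": 15,
    "compliance_required": 10,
    "management_priority": 5,
    "scan_detected": 5,
}


def risk_score(f: Finding) -> float:
    """CVSS scaled to 0..30 plus contextual weights (0..95), normalised to 0..100."""
    score = f.cvss * 3.0
    for name, weight in WEIGHTS.items():
        if getattr(f, name):
            score += weight
    return round(score / 1.25, 1)


def track(score: float) -> str:
    """Map a score to a patch track (thresholds are assumptions)."""
    if score >= 60:
        return "expedite"   # continuous/out-of-band patching
    if score >= 25:
        return "monthly"    # regular patch cycle
    return "backlog"


def naive_urgent(f: Finding) -> bool:
    """The 'everything is urgent' rule: any high/critical CVSS is urgent."""
    return f.cvss >= 7.0


def prioritise(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (cve_id, score, track) sorted from highest to lowest risk."""
    scored = [(f.cve_id, risk_score(f), track(risk_score(f))) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def compare_approaches(findings: list[Finding]) -> dict[str, int]:
    """Count how many findings each approach treats as urgent."""
    return {
        "naive_urgent": sum(naive_urgent(f) for f in findings),
        "risk_expedited": sum(track(risk_score(f)) == "expedite" for f in findings),
        "total": len(findings),
    }


# Constructed sample findings (placeholder ids, invented attributes).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, True, True, True, True, True, False),
    Finding("CVE-0000-0002", 9.1, False, True, False, False, False, False),
    Finding("CVE-0000-0003", 7.5, False, True, True, False, False, True),
    Finding("CVE-0000-0004", 6.5, True, True, False, True, True, False),
    Finding("CVE-0000-0005", 8.2, False, False, False, False, False, False),
    Finding("CVE-0000-0006", 4.3, False, True, False, False, False, False),
]

if __name__ == "__main__":
    for cve_id, score, tr in prioritise(SAMPLE_FINDINGS):
        print(f"{cve_id}  score={score:5.1f}  track={tr}")
    print(compare_approaches(SAMPLE_FINDINGS))
```

With these inputs the severity-only rule marks four of six findings urgent, while the risk score expedites two: the 9.8 on an exposed critical system and the 6.5 that is actively exploited on an internet-facing host. The 9.1 and 8.2 that nobody is exploiting drop to the monthly cycle and the backlog, which is the “not everything is a priority” outcome the report argues for.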
According to Alex Scroxton.