PatchDay Alert
MAY 5, 2026
Field Note · 5 min read By PatchDay Alert Editorial Desk

Patch now, patch later, ignore for now: the triage model real IT teams actually need

A three-bucket triage model for sysadmins who don't own a vulnerability scanner and aren't going to buy one.


Four CISA tickets in your queue at 9 AM. Six hours of actual sysadmin work to get through before end of day. Two VIP escalations already live in the same queue. Your maintenance window is Thursday night. Something has to move today, something can wait, and something can leave the queue entirely without guilt. The question is which is which.

Most vulnerability triage models assume you have a dedicated security team, a vulnerability scanner with a current asset inventory, and time to run a risk-scoring exercise per CVE. Most shops with fewer than a few hundred endpoints have none of those things. What they have is a sysadmin who needs to make a call in the next ten minutes.

Why the existing models don’t fit

CVSS is context-free. A CVSS 9.8 base score tells you the vulnerability is severe in a vacuum. It doesn’t know you don’t run the affected product, or that the attack vector requires local access to a server that sits behind two firewalls. (The standard does define environmental metrics for exactly that adjustment, but the number that lands in your ticket is the base score, and nobody has re-scored it for your network.) CVSS measures the ceiling of the damage. It doesn’t measure whether the ceiling applies to your building.

CISA KEV is binary. The Known Exploited Vulnerabilities catalog tells you one thing: someone, somewhere, has used this in the wild. That’s valuable, but it doesn’t tell you how urgent it is for you. Each entry carries a due date, but that date is the remediation deadline for U.S. federal civilian agencies under BOD 22-01, not a measure of your exposure. A KEV entry for a browser vulnerability hitting consumer endpoints is a different urgency than a KEV entry for an ICS protocol you don’t use.

Scanner-based models assume you bought the scanner. Tenable, Rapid7, Qualys: they all produce prioritized patch lists, and they’re good at it. They also assume you’ve deployed agents, fed the tool your asset inventory, and have someone who reads the dashboard. For a lot of IT teams, that’s not the reality. You’re triaging from an email forward and a morning cup of coffee.

Patch now

Reschedule whatever’s on your calendar. This one moves today.

The criteria are short. A CVE lands in this bucket if any one of these is true:

  • Exploited in the wild and on CISA KEV. Someone is actively using this. The timeline is days, not weeks. If you run the affected product and it’s internet-facing, you’re already behind.
  • Internet-facing attack surface. The vulnerability hits something reachable from the public internet: your VPN appliance, your web server, your email gateway. Even without a known exploit, the exposure window is too wide to leave open until Thursday.
  • User-credential-adjacent. The vulnerability touches authentication, session management, or token handling. Anything that lets an attacker impersonate a legitimate user or escalate from regular user to admin. These move fast once they’re in the wild because credential theft scales.

Patch later

This fits in your normal Thursday maintenance window. It’s not safe to ignore, but it’s not worth blowing up your schedule over.

The criteria:

  • High severity, internal-only. A CVSS 8.0+ local privilege escalation on a server that’s only accessible from your internal network. It’s real, but the attacker needs a foothold you haven’t given them yet. Keep in mind that local privilege escalation is usually the second step of a phishing chain, so “later” means this Thursday, not next quarter.
  • Pre-auth, but uncommon preconditions. The vulnerability requires a specific configuration, a non-default feature flag, or a protocol your environment doesn’t expose. The attack works in theory; in your environment you believe the prerequisites aren’t met, but you haven’t confirmed that fleet-wide. Once you can point to the config or policy that rules it out, it drops into the ignore bucket below.
  • No public exploit yet. The advisory is out, the CVE is scored, but nobody has published working exploit code. The risk is real but the timeline is longer. Thursday is fine, with one condition: if a proof of concept lands before Thursday, the ticket gets re-triaged (see the escalate lane below).

Ignore for now

This one leaves the queue. No guilt, no “I’ll circle back to this.” It’s triaged, and the answer is “not today.” Write the reason into the closed ticket so the next person can see why; the only thing that stays alive is a dated reminder in the pulled-patch case below.

The criteria:

  • You don’t run the affected product. Sounds obvious, but a surprising number of CVE tickets sit in queues for products the shop decommissioned two years ago. Check your inventory, confirm it’s gone, close the ticket.
  • Preconditions you can prove aren’t met. The vulnerability requires IPv6 to be enabled, and you’ve confirmed it’s disabled fleet-wide. The attack requires a specific kernel module that you don’t load. If you can point to a config or a policy that blocks the attack path, the ticket closes.
  • Waiting on a re-release. The vendor shipped a patch, then pulled it because it broke something. You’re not going to deploy a patch that the vendor already admitted is broken. Close the ticket and set a reminder to check back when the re-release lands. The exception: if the underlying bug is on KEV or sits on your internet-facing edge, the ticket doesn’t close. It goes back to patch-now, with a mitigation (a workaround, a feature disabled, access restricted) standing in for the patch until the re-release arrives.

The escalate lane (smaller than people think)

This sits outside the three buckets. It’s not “patch now” because the action might not be a patch. It’s the “wake someone up” tier, and it happens maybe twice a year if you’re unlucky.

Vendor yanked the patch. You already deployed it, and now the vendor is telling you to roll back. That’s not a triage decision; it’s an incident. Figure out if the rollback breaks your users, communicate to stakeholders, and execute.

Active campaign targeting your sector. Not just “exploited in the wild” generically. A threat intel source or CISA alert specifically names your industry (healthcare, financial services, manufacturing) as the current target. The attacker has a playbook, and your sector is in it.

Exploit disclosed in something you know you run. A proof of concept drops on a Saturday for a product in your stack. You’ve confirmed you run the affected version. This is the scenario where Thursday’s maintenance window doesn’t apply. You patch today, or you mitigate today, and you document the decision either way.

The escalate lane is smaller than most people think. The vast majority of CVEs, even critical ones, don’t land here. But when they do, the response is different from just “patch now.” It involves communication, possibly incident response, and always documentation.
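The buckets read cleanly one at a time, but the precedence between them is what a backfill actually needs: “you don’t run it” beats “it’s on KEV,” and a public exploit beats Thursday. Here is the model written out as a decision function. This is an added example, not PatchDay Alert’s tooling or the digest’s scoring code. The Ticket fields are assumptions that stand in for facts a sysadmin confirms by hand (inventory, exposure, advisory text), the sample queue is constructed and uses placeholder IDs rather than real CVEs, and one resolution is the example’s own: a pulled patch for a bug that is on KEV or has a public exploit is routed to patch-now (mitigate today) rather than to ignore.

```python
"""Three-bucket CVE triage plus the escalate lane, as a decision function.

Added example, not PatchDay Alert's own code. Every Ticket flag is an
assumption: it represents a fact the sysadmin has already confirmed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ESCALATE = "escalate"          # wake someone up; the action may not be a patch
    PATCH_NOW = "patch now"        # today; reschedule the calendar
    PATCH_LATER = "patch later"    # Thursday maintenance window
    IGNORE = "ignore for now"      # leaves the queue with the reason recorded


@dataclass
class Ticket:
    """One CVE ticket. Field names are assumed for this example."""
    ticket_id: str
    in_inventory: bool                          # you run the affected product/version
    internet_facing: bool = False               # reachable from the public internet
    touches_auth: bool = False                  # authn, session or token handling
    on_kev: bool = False                        # listed in CISA KEV
    public_exploit: bool = False                # working PoC published
    preconditions_proven_unmet: bool = False    # a config/policy provably blocks the path
    preconditions_doubtful: bool = False        # non-default precondition, unverified fleet-wide
    patch_pulled: bool = False                  # vendor withdrew the patch
    patch_deployed: bool = False                # you had already rolled that patch out
    sector_targeted: bool = False               # intel or a CISA alert names your sector


def triage(t: Ticket) -> tuple[Verdict, str]:
    """Return (bucket, one-line reason for the ticket).

    Evaluation order is the point: facts that empty the queue come first,
    then incident-shaped facts, then patch-now, and patch-later is the
    default for anything real that is left.
    """
    # Ignore: nothing to patch, or the attack path is provably closed.
    if not t.in_inventory:
        return Verdict.IGNORE, "product not in inventory; confirm decommissioned and close"
    if t.preconditions_proven_unmet:
        return Verdict.IGNORE, "precondition proven unmet; cite the config/policy and close"
    if t.patch_pulled and not t.patch_deployed:
        if t.on_kev or t.public_exploit:
            # Example's own rule: a withdrawn fix does not remove active exploitation.
            return Verdict.PATCH_NOW, "patch pulled but exploited: mitigate today, watch for re-release"
        return Verdict.IGNORE, "vendor pulled the patch; close with a reminder for the re-release"

    # Escalate: communication and possibly incident response, not just a change window.
    if t.patch_pulled and t.patch_deployed:
        return Verdict.ESCALATE, "vendor pulled a patch you already deployed: plan the rollback"
    if t.sector_targeted:
        return Verdict.ESCALATE, "active campaign names your sector"
    if t.public_exploit:
        return Verdict.ESCALATE, "public exploit for a product you run: patch or mitigate today"

    # Patch now: any single criterion is enough.
    if t.on_kev:
        return Verdict.PATCH_NOW, "on CISA KEV: actively exploited"
    if t.internet_facing:
        return Verdict.PATCH_NOW, "internet-facing attack surface"
    if t.touches_auth:
        return Verdict.PATCH_NOW, "credential-adjacent: auth, session or token handling"

    # Patch later: real, internal, no exploit yet.
    if t.preconditions_doubtful:
        return Verdict.PATCH_LATER, "precondition probably unmet but unproven; Thursday, then verify"
    return Verdict.PATCH_LATER, "internal-only, no public exploit; Thursday window"


ORDER = {Verdict.ESCALATE: 0, Verdict.PATCH_NOW: 1, Verdict.PATCH_LATER: 2, Verdict.IGNORE: 3}


def triage_queue(tickets: list[Ticket]) -> list[tuple[str, str, str]]:
    """Triage a morning queue and return (id, verdict, reason) ordered by urgency."""
    rows = [(t.ticket_id, *triage(t)) for t in tickets]
    rows.sort(key=lambda r: ORDER[r[1]])
    return [(tid, v.value, why) for tid, v, why in rows]


# Constructed sample queue with placeholder IDs (not real CVEs):
# the four tickets from the opening paragraph.
SAMPLE_QUEUE = [
    Ticket("T1-vpn-appliance", in_inventory=True, internet_facing=True, on_kev=True),
    Ticket("T2-internal-lpe", in_inventory=True),
    Ticket("T3-decommissioned-app", in_inventory=False, on_kev=True),
    Ticket("T4-poc-dropped", in_inventory=True, public_exploit=True),
]

if __name__ == "__main__":
    for tid, verdict, why in triage_queue(SAMPLE_QUEUE):
        print(f"{verdict:14} {tid:24} {why}")
```

Two design choices are worth calling out. The inventory check runs before anything else, which is why the decommissioned product stays in the ignore bucket even though it is on KEV. And the reason string is part of the return value, not a side effect: the closed or rescheduled ticket is the documentation the person covering your queue will read.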

Calling this a model is generous

It’s really just what experienced sysadmins already do in their head. The mental math happens every morning: read the ticket, check the product list, decide whether it’s today, Thursday, or never.

Writing it down does two things. First, it makes the decision faster for you. Instead of running through the full calculus each time, you’re pattern-matching against a short checklist. Second, it makes the decision survivable for whoever backfills you. When you take a week off, the person covering your queue doesn’t have your ten years of context. They have the ticket and whatever documentation you left them. This is that documentation.

PatchDay Alert uses this model in every daily digest. Every CVE gets a verdict: patch today, patch this week, or safe to skip. The model is simple because triage should be fast, and fast means fewer variables, not more.
