Patching Applications: Why 48 Hours Matters Under the Essential Eight


The 48-Hour Patching Window

Under the Essential Eight framework, the Australian Cyber Security Centre (ACSC) requires that known vulnerabilities in internet-facing applications be patched within 48 hours of a patch or mitigation becoming available. For vulnerabilities that are not yet publicly known but are being actively exploited (zero-days), the clock is even tighter — patches must be applied within 48 hours of identification regardless of the application.

This timeline is not arbitrary. Research consistently shows that once a vulnerability is publicly disclosed and a patch released, attackers begin scanning for unpatched systems within hours. Automated exploitation tools are frequently available within days. The 48-hour window represents the ACSC’s assessment of the maximum acceptable exposure period before the risk of compromise becomes unacceptably high.

Why Patching Is an Essential Eight Strategy

Patching applications and patching operating systems are two separate strategies within the Essential Eight, reflecting their critical importance. Together, they address one of the most consistently exploited attack vectors: known vulnerabilities in software that the vendor has already fixed but the organisation has not yet updated.

Some of the most damaging cyber incidents in recent Australian history exploited vulnerabilities for which patches had been available for weeks or even months. The reality is harsh: in many of these cases, the breach was entirely preventable. The patch existed. The organisation simply had not applied it in time.

Patching at Each Maturity Level

The Essential Eight defines increasingly rigorous patching requirements at each maturity level.

At Maturity Level One, patches for internet-facing applications with known exploits must be applied within two weeks. An automated method of asset discovery is used at least fortnightly to detect all assets. Applications that are no longer supported by vendors must be removed.

At Maturity Level Two, the patching window tightens significantly. Internet-facing application vulnerabilities with known exploits or rated as critical by the vendor must be patched within 48 hours. All other vulnerabilities must be patched within one month. Vulnerability scanners are used at least weekly to identify missing patches.

At Maturity Level Three, the 48-hour window applies to all applications — not just internet-facing ones. Automated asset discovery runs at least daily, and vulnerability scanners are used at least fortnightly with a comprehensive database of vulnerabilities.

The Real-World Patching Challenge

On paper, patching sounds simple: vendor releases update, you install it. In practice, several factors make it considerably more complex for real businesses.

Testing and Compatibility

Patches can break things. A security update to a critical business application can introduce bugs, break integrations with other systems, or cause performance issues. Businesses with line-of-business applications, custom software, or complex integrations need to test patches before deploying them widely. Balancing the urgency of the 48-hour window against the risk of deploying untested patches requires a mature patch management process.

Asset Visibility

You cannot patch what you cannot see. Many organisations lack a complete inventory of their software assets. Shadow IT — software installed by employees without IT department knowledge — creates blind spots that patching processes miss entirely. The Essential Eight’s requirement for automated asset discovery directly addresses this problem.

Resource Constraints

Microsoft alone releases patches on the second Tuesday of every month (Patch Tuesday), often addressing 50 to 100 vulnerabilities at once. Add in patches from Adobe, Google Chrome, Firefox, Zoom, and every other application in your environment, and the volume of patches requiring assessment and deployment becomes substantial. For businesses without dedicated IT staff, keeping up with this volume is a significant challenge.

Building an Effective Patch Management Process

Meeting the Essential Eight patching requirements takes a structured process rather than ad-hoc updates.

Maintain a complete software inventory. You need to know every application running in your environment, including version numbers. Automated discovery tools should run at minimum weekly (fortnightly at Maturity Level One) to catch new installations and shadow IT.

Monitor vulnerability disclosures. Subscribe to vendor security bulletins and monitor the ACSC’s alerts and advisories. Automated vulnerability scanning tools can identify which of your systems are missing critical patches.

Classify and prioritise. Not all patches are equal. A critical vulnerability in an internet-facing application requires immediate attention. A low-severity bug in an internal-only tool can be scheduled for the next maintenance window. Your classification process should align with the Essential Eight maturity level you are targeting.

Test before deploying. Maintain a test environment that mirrors your production systems. Critical patches should be tested and deployed within the required timeframe — 48 hours for Maturity Level Two and above. Less critical patches can follow a standard testing cycle.


Automate where possible. For standard applications (browsers, productivity tools, operating system components), automated patching through tools like Microsoft Endpoint Configuration Manager, Intune, or third-party patch management platforms can dramatically reduce the manual effort required.
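The classify-and-prioritise step becomes a deadline calculation once each finding records exposure, exploit status and vendor severity. The sketch below is an added example, not TechAssist or ACSC tooling: it encodes the maturity-level windows as this article states them and sorts findings by due date. The Finding fields, the 30-day reading of "one month", and the one-month default for non-urgent findings at Maturity Level Three are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ONE_MONTH = timedelta(days=30)  # assumption: "one month" taken as 30 days

@dataclass
class Finding:
    app: str
    internet_facing: bool
    known_exploit: bool
    vendor_critical: bool
    patch_released: datetime  # when the patch or mitigation became available

def patch_window(f: Finding, level: int) -> Optional[timedelta]:
    """Patch window for a finding; None where the article states no window."""
    urgent = f.known_exploit or f.vendor_critical
    if level == 1:
        # ML1: internet-facing applications with known exploits, two weeks.
        return timedelta(weeks=2) if f.internet_facing and f.known_exploit else None
    if level == 2:
        # ML2: 48 hours for urgent internet-facing findings, one month otherwise.
        return timedelta(hours=48) if f.internet_facing and urgent else ONE_MONTH
    if level == 3:
        # ML3: 48 hours on every application; assumed one month for the rest.
        return timedelta(hours=48) if urgent else ONE_MONTH
    raise ValueError(f"unknown maturity level: {level}")

def triage(findings, level: int, now: datetime):
    """Return (app, deadline, status) rows, earliest deadline first."""
    rows = []
    for f in findings:
        window = patch_window(f, level)
        deadline = f.patch_released + window if window is not None else None
        status = "NO WINDOW STATED" if deadline is None else "OVERDUE" if now > deadline else "DUE"
        rows.append((f.app, deadline, status))
    # Findings without a deadline sort last.
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or datetime.max))

# Constructed sample inventory, not real scan output.
SAMPLE = [
    Finding("vpn-gateway", True, True, True, datetime(2024, 3, 4, 9, 0)),
    Finding("internal-wiki", False, False, True, datetime(2024, 3, 4, 9, 0)),
    Finding("pdf-reader", False, False, False, datetime(2024, 2, 20, 9, 0)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, 2, datetime(2024, 3, 7, 9, 0)):
        print(row)
```

Running the same inventory at levels 2 and 3 shows the practical difference between them: the internal-only application with a vendor-critical fix moves from a one-month window to a 48-hour one.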

How TechAssist Handles Patching

As part of our managed IT services, TechAssist operates a structured patch management process that includes automated vulnerability scanning across your environment, risk-based prioritisation aligned with Essential Eight requirements, tested deployment within required timeframes, and reporting that demonstrates your patching compliance posture to auditors and insurance providers.

If your business is struggling to keep up with patching requirements, or if you are working toward Essential Eight compliance, contact TechAssist to discuss how managed patch management can close the gap.
