July 11, 2025
A Faster Horse
ARPA-H's new healthcare vulnerability program perfectly illustrates why the cybersecurity industry remains stuck in outdated practices—building elaborate sandboxes instead of embracing the reality that modern patches rarely break systems while cyber threats multiply daily.

Read time: 6 minutes

A Therapeutic Rant About the State of Vulnerability Remediation

Last week, I attended a proposers webinar for ARPA-H's new UPGRADE (Universal Patching and Remediation for Autonomous Defense) program. The initiative represents an admirable attempt to automate vulnerability scanning and remediation in healthcare environments—some of the most vulnerable and critical networks in the corporate landscape. Given IT Agent's focus on automating vulnerability remediation, participation seemed like a natural fit.

What I discovered was both disappointing and predictably familiar.

The program's cornerstone involves building a complete "emulation" of a hospital's entire network—essentially a massive sandbox environment. This virtual network would undergo vulnerability scanning, receive virtual patches, and only after extensive analysis of the simulated patching results would the actual network vulnerabilities be addressed.

Let that sink in: ARPA-H, a government agency whose mission is to make "pivotal investments in breakthrough technology" while specifically avoiding incremental improvements, is investing substantial resources to replicate exactly the same process IT teams have used for decades to manage their patch deployment anxieties.

ARPA-H is building a bigger, better sandbox. This isn't exactly the stuff of science fiction.

The Faster Horse Paradigm

Henry Ford probably never said "if I asked people what they wanted, they would have said a faster horse," but the sentiment captures something profound about innovation. It's natural for new technology to accelerate existing processes or make them more efficient. True breakthroughs, however, occur when new technology renders those time-worn processes completely obsolete.

Consider transportation: we traveled from the East Coast to California via stagecoach, then train, then automobile—each an improvement over its predecessor. But air travel changed the entire paradigm. The Pony Express evolved into the modern Postal Service, maintaining the same fundamental process of carrying physical documents from place to place. Only the fax machine, and later email and texting, truly revolutionized long-distance communication.

Uber and Lyft have certainly improved the taxi experience, but perhaps someday teleportation will make our current transportation methods seem quaintly antiquated.

Today's vulnerability management follows the same pattern. Teams create development environments and sandboxes to test whether patches will disrupt their networks—exactly as they've done for three decades. ARPA-H is funding an effort to build a faster horse.

Living in the Past

This critique isn't meant to disparage ARPA-H entirely, but rather to illuminate a reality that's handicapping the vulnerability remediation community: we're operating like it's still the early 2000s. We've moved beyond dial-up internet and floppy disks, so why do we approach vulnerability patching with the same methodology we used when half of corporate America relied on Lotus Notes?

Like most legacy behaviors, these practices made complete sense when first developed. Twenty years ago, patches frequently broke systems. A cautious deployment approach wasn't just prudent—it was essential. The international cybercriminal community was a fraction of its current size, making the prioritization of disruption risk over compromise risk sound risk management.

But that was then.

The Risk Equation Has Flipped

Today's threat landscape is fundamentally different. Cybercriminals are ubiquitous and well-armed with sophisticated tools that require less technical expertise to deploy. Untraceable digital currencies enable easy monetization of successful compromises. Most importantly, patches rarely cause system failures anymore.

Industry estimates suggest patch rollbacks occur in less than 2% of deployments—data that aligns with IT Agent's real-world observations regarding patch disruptions. Over the past two decades, we've witnessed a complete inversion of the risk analysis. Network compromise risk now far outweighs the risk of meaningful patch-induced disruption.

Yet patching timelines remain measured in months or quarters instead of hours or days. There's only one explanation: an irrational fear of network disruption rooted in outdated assumptions.

The Innovation Stagnation

Changing mindsets founded on decades-old processes is challenging, but the vulnerability management vendor community has made virtually no progress in the past twenty years. Despite new scanners, prioritization engines, automated patching solutions, and AI-driven everything, the industry's fundamental metric—time to patch vulnerabilities—remains stubbornly unchanged.

This stagnation persists while the threat landscape evolves exponentially. Every day that vulnerabilities remain unpatched represents another opportunity for threat actors to exploit weaknesses. The cognitive dissonance is striking: we acknowledge cyber threats as existential business risks while maintaining patch deployment practices designed for a gentler era.

Beyond Incremental Improvement

The vulnerability management industry needs more than faster horses. It needs a paradigm shift that acknowledges current realities:

Modern patches are highly reliable. Contemporary development practices, automated testing, and staged deployment methodologies have dramatically reduced patch-related disruptions. The elaborate testing infrastructure that once protected against frequent patch failures now serves primarily to delay necessary security updates.

Threat actors don't wait for sandbox validation. While organizations spend weeks or months validating patches in test environments, attackers actively scan for and exploit known vulnerabilities. The window between vulnerability disclosure and active exploitation continues to shrink.

Risk calculations favor speed over caution. In most environments, the risk of delaying critical security patches far exceeds the risk of deployment-related issues. This reality requires a fundamental shift in how organizations approach vulnerability remediation.
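The argument in "The Risk Equation Has Flipped" and the three points above can be made concrete with a small expected-cost model: waiting for sandbox validation buys a lower rollback rate but leaves the vulnerability exposed for the duration of the wait. The Python below is an added illustration, not code from this post or from IT Agent. The "under 2%" rollback rate is the post's figure; every other number (rollback cost, residual rollback rate after validation, daily compromise probability, compromise cost) is a constructed assumption, and the `legacy_scenario` and `modern_scenario` helpers exist only to show how the break-even point moves when those inputs change.

```python
"""Expected-cost comparison: patch immediately vs. patch after sandbox validation.

Added illustration with constructed inputs; only the <2% rollback rate comes from the post.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PatchRiskModel:
    rollback_rate: float            # P(patch must be rolled back) when deployed without validation
    validated_rollback_rate: float  # assumed residual rollback rate after sandbox validation
    rollback_cost: float            # assumed cost of one rollback/outage event (arbitrary units)
    daily_exploit_prob: float       # assumed P(compromise per day) while the host stays unpatched
    compromise_cost: float          # assumed cost of one compromise (same units as rollback_cost)

    def exposure_cost(self, delay_days: int) -> float:
        """Expected loss from leaving the vulnerability open for delay_days.

        Treats each day as an independent trial, so the probability of at least
        one compromise over the window is 1 - (1 - p)^days.
        """
        p_compromised = 1.0 - (1.0 - self.daily_exploit_prob) ** delay_days
        return p_compromised * self.compromise_cost

    def cost_patch_now(self) -> float:
        """Expected cost of deploying today: only the un-validated rollback risk."""
        return self.rollback_rate * self.rollback_cost

    def cost_patch_after_validation(self, delay_days: int) -> float:
        """Expected cost of waiting delay_days for validation, then deploying."""
        return self.exposure_cost(delay_days) + self.validated_rollback_rate * self.rollback_cost

    def break_even_days(self, max_days: int = 365) -> Optional[int]:
        """First validation delay (in days) at which waiting costs more than patching now.

        Returns None if waiting stays cheaper for the whole horizon.
        """
        now = self.cost_patch_now()
        for days in range(0, max_days + 1):
            if self.cost_patch_after_validation(days) > now:
                return days
        return None


def legacy_scenario() -> PatchRiskModel:
    """Constructed 'early 2000s' inputs: patches broke things often, attackers were scarce."""
    return PatchRiskModel(
        rollback_rate=0.20,            # assumption: 1 in 5 patches needed rollback
        validated_rollback_rate=0.05,  # assumption: sandbox testing catches most of those
        rollback_cost=10_000.0,
        daily_exploit_prob=0.00001,    # assumption: very low daily exploitation probability
        compromise_cost=1_000_000.0,
    )


def modern_scenario() -> PatchRiskModel:
    """Constructed 'today' inputs: rollback rate from the post (<2%), far more exploitation."""
    return PatchRiskModel(
        rollback_rate=0.02,            # the post's figure: rollbacks in under 2% of deployments
        validated_rollback_rate=0.005,  # assumption: validation still helps a little
        rollback_cost=10_000.0,
        daily_exploit_prob=0.0001,     # assumption: ten times the legacy daily exploitation rate
        compromise_cost=1_000_000.0,
    )


if __name__ == "__main__":
    for label, model in (("legacy", legacy_scenario()), ("modern", modern_scenario())):
        print(f"{label}: patch-now cost={model.cost_patch_now():.0f}, "
              f"validation stops paying off after {model.break_even_days()} day(s)")
```

Under the constructed legacy inputs, a validation window of several months is still cheaper than patching blind; under the modern inputs, waiting more than a day already costs more than the rollback risk it avoids. The point of the model is not the specific numbers but that the decision hinges on two inputs, the rollback rate and the exploitation rate, and that both have moved in the direction the post describes.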

The Path Forward

The ethos among IT practitioners must evolve. Organizations need confidence to abandon legacy practices that no longer serve their security interests. This transformation requires more than new tools—it demands new thinking.

IT Agent is building solutions designed to give teams that confidence. Rather than creating faster horses, we're working to make the horse obsolete. The future of vulnerability management lies not in more sophisticated sandbox environments, but in systems intelligent enough to make such environments unnecessary.

The cybersecurity industry has the technical capability to solve these problems. What we lack is the courage to abandon practices that once served us well but now hold us back. True innovation begins when we stop asking for faster horses and start building automobiles.

Time for Change

Healthcare networks—the focus of ARPA-H's program—can't afford month-long patch validation cycles. Neither can financial institutions, utilities, or any organization facing modern cyber threats. The time has come to match our vulnerability management practices to current realities rather than past fears.

The question isn't whether we can build better sandboxes. It's whether we're brave enough to step out of them.
