Managed patch management on Tenable

Continuous Patch Management

Unpatched software is how most organisations get breached. The fixes existed; nobody applied them in time. Cyber Essentials gives you 14 days to patch a critical vulnerability. We make that deadline routine. Continuous, automated patching across your operating systems and your third-party applications, tested before it lands and rolled back if it misbehaves. Delivered on Tenable, by a Certification Body that has known these rules since 2014.

  • Keeps you inside the Cyber Essentials 14-day critical-patch rule.
  • Operating systems and 20,000+ third-party applications, not just Windows.
  • Tested before deployment. Rolled back if needed. Evidenced after.
  • Prioritised by real exploitability, closing the loop with vulnerability management.
  • An IASME Certification Body since 2014. We know what the assessment expects.

The deadline

The deadline you cannot miss

Cyber Essentials is specific. Miss the patch window, and you fail certification.

High-risk and critical updates must be applied within 14 days of release, where the vendor calls the vulnerability "critical" or "high risk", or it carries a CVSS v3 base score of 7 or above. Miss it, and you fail certification.

The NCSC goes further for the riskiest cases. Its best-practice guidance is to update internet-facing services within 5 days, operating systems and applications within 7, and to apply fixes for actively exploited internet-facing vulnerabilities within 24 hours. Its policy in one line: "update by default, automatically". Doing that by hand, across every device and every application, every month, is where most teams fall behind. We automate it.

Cyber Essentials requires high-risk or critical security updates to be applied within 14 days of release, for vulnerabilities the vendor rates "critical" or "high risk" or with a CVSS v3 score of 7 or above. Unsupported software must be removed.

The work

What we do

Your policy, mirrored and automated across the whole estate, tested and evidenced.

  1. Mirror your policy

    We turn your patching rules into automated policy: what gets patched, when, in which order, and within which window.

  2. Patch the whole estate

    Windows, including drivers and BIOS, macOS, Linux, and over 20,000 third-party applications. The apps attackers actually target, not just the operating system.

  3. Prioritise by exploitability

    Patching is correlated to your vulnerability findings, so the most exploitable, highest-priority fixes go first, with SLAs by criticality.

  4. Test before you deploy

    Automated pre-deployment testing and approval gates, so an update does not break production.

  5. Roll back in real time

    Schedule, pause or roll back a deployment if something misbehaves. Patching should not be the thing that takes you down.

  6. Prove it

    Validation that fixes actually applied, plus compliance reporting that shows you inside the 14-day rule, ready for assessment.

Your partner

Why manage it with Layer 7

We tie patching to the rule that matters

Most providers treat patching as IT housekeeping. We treat it as the control that keeps your Cyber Essentials, and your security, intact.

We patch what attackers target

Operating systems and 20,000+ third-party apps. The gap in most "managed IT" patching is everything that is not Windows. We close it.

We test and roll back

Automated testing and real-time rollback mean fewer broken mornings.

We evidence it

Audit-ready compliance reporting from a firm whose day job, since 2014, is certifying that controls are real.

North East based

A North East firm that keeps you patched

We are based in Northumberland and work with organisations across Newcastle, Durham, Sunderland and the wider North East, the same ground as the region's largest managed-IT providers. We deliver managed patching UK-wide. The difference: we treat patching as the security control it is, not as background IT.

The process

How it works

Four steps, fixed price, clear deliverables. Continuous from the first window on.

  1. Scope and policy

    We map your estate and turn your patching requirements into automated policy and SLAs. Fixed price, clear deliverables.

  2. Deploy

    Tested, approval-gated patching across OS and third-party applications, in your maintenance windows.

  3. Report

    Compliance reporting that shows you inside the 14-day rule, with validation that fixes applied.

  4. Maintain

    Continuous patching as new updates and new vulnerabilities appear, prioritised by exploitability.

Across the lifecycle

Beyond patch management

Patching is one part of the Manage pillar. It closes the loop with Continuous Vulnerability Management, which finds what needs fixing, and Attack Surface Management, which finds the exposed assets you did not know about. Cyber Essentials sets the baseline; penetration testing proves it. One firm, across the lifecycle.

Questions

Patch management FAQs

What is patch management as a service?

It is a managed service that keeps your software up to date for you: identifying needed updates, testing them, deploying them automatically within agreed windows, and reporting on compliance. It removes the manual burden of staying patched across every device and application.

What are the Cyber Essentials patching requirements?

Cyber Essentials requires high-risk or critical updates to be applied within 14 days of release, for vulnerabilities the vendor rates "critical" or "high risk" or with a CVSS v3 base score of 7 or above. Unsupported software must be removed or fully isolated from the internet.

How often should you patch?

Continuously, and faster for higher risk. Cyber Essentials sets 14 days for critical and high-risk fixes. NCSC best practice is tighter: 5 days for internet-facing services, 7 for operating systems and applications, and within 24 hours for actively exploited internet-facing vulnerabilities.

What is the difference between patch management and vulnerability management?

Vulnerability management finds and prioritises weaknesses. Patch management fixes them by deploying the updates. They are two halves of the same loop: we run both, so findings turn into fixes rather than a growing backlog.

Will patching cause downtime?

We minimise that risk. Updates are tested before deployment, applied in agreed maintenance windows, and can be paused or rolled back in real time if a problem appears. The goal is to stay patched without breaking production.

Does it cover third-party applications, not just Windows?

Yes. We patch Windows, including drivers and BIOS, macOS and Linux, plus over 20,000 third-party applications. Third-party apps are a common blind spot in basic managed-IT patching, and a frequent attacker route.

Can a managed patch service help us pass Cyber Essentials Plus?

Yes. Keeping inside the 14-day rule and removing unsupported software are exactly what the assessment checks. We keep you compliant and provide the evidence, and as a Certification Body since 2014 we know what the assessor looks for.

Make the 14-day deadline routine

Continuous, automated, tested patching across your whole estate, evidenced for Cyber Essentials. On Tenable, from a Certification Body since 2014.