A telco's 25,000-endpoint estate (workstations and servers, OS and third-party) automated within two patch cycles. The accumulated backlog cleared in months, the ongoing cadence inside Cyber Essentials Plus.
Workstations and servers, OS and third-party.
Vulnerabilities accumulated under manual patching, resolved in the first two months.
Software deployed, agent rolled out, automation live.
High and critical patches, sustained across the estate.
A telecommunications operator running 25,000 endpoints (workstations and Windows servers, much of it carrying production traffic) without automated patching coverage across the estate. Cyber Essentials Plus on the roadmap. The constraint was familiar: get inside the 14-day window for high and critical patches, but don't break anything in production while you do it.
The brief was pragmatic. Deploy the platform, roll out the agent, get to automated cycles, and prove operational reliability before the auditors arrived. Manual patch programmes weren't going to clear the backlog or hold the cadence.
"The backlog was old. Once cycles started running, it cleared."
Within two patch cycles, the Tanium platform was deployed, the agent was rolled out across the estate, and automated patching was running. No production incidents from the rollout. Automation covers OS and third-party patches on the same cadence; the agent footprint is light enough to live alongside production telephony workloads without contention.
Patching had been a manual exercise for years. The accumulated backlog ran to over 500,000 vulnerabilities, most of them aged: present because the systems carrying them had never been patched in the first place, not because remediation was failing. Once automated cycles started running, that backlog cleared across the first two months of operation.
This is a one-off curve. The shape of patch debt at the start of an engagement looks alarming; the shape after the first few cycles is the truer signal. From there, the question stops being "how big is the backlog" and starts being "how fast does new exposure get closed".
Workstations patch on a weekly automated cycle. Windows servers run on a phased schedule designed around production: development and test patched midweek immediately after Patch Tuesday, then production split across the next two weekends. The full sequence (Patch Tuesday to the last production server) fits inside the Cyber Essentials Plus 14-day window for high and critical vulnerabilities going forward.
The schedule is the whole trick. Phased weekends let production absorb patching one half-estate at a time, and the dev/test pass surfaces compatibility issues before any prod system sees the same payload.
Reporting was scoped to who was reading it. The group CISO sees the whole estate. Their direct reports see the pillars they're accountable for. The vulnerability management team sees actionable remediation queues. Application owners see only their own assets: the systems they actually manage and can act on.
Every tier reads the same source of truth. Board-level reporting rolls up from the same data. No separate spreadsheet, no quarterly reconciliation.
End-of-life operating systems and software identified and escalated to the relevant owners. Non-business software categorised; much of it blocked and uninstalled at scale, including the kind of unlicensed remote-management tools that have no business being on a corporate estate. CIS benchmark conformance tracked across the fleet, with the gaps reported up.
None of this was the headline brief. It's what a properly instrumented estate makes visible. Once visible, the conversation about what to do with it can actually happen.
"The backlog wasn't a remediation failure. It was a coverage failure. Once we had coverage, two months took most of it away. From there, the 14-day window holds because the cadence holds."