Patched, quietly.
Operating Systems and Applications, kept current as a matter of routine — not a project, not a panic.
Software is only as safe as its most recent patch. Two of the fourteen Vital Metrics inside C.A.R.L. answer the same question, applied to two different surfaces: is every operating system, and every installed application, running a current and trusted build? Both are measured continuously, remediated without drama, and reported on every month inside the C.A.R.L. Health Bar attestation.
Patch Operating Systems
The percentage of managed endpoints and servers running supported, current operating-system builds — with all critical and security updates applied within agreed service windows.
- Scope
- Windows 10 / 11Windows ServermacOSLinux (server)
- What we measure
- Patch level, missing critical updates, end-of-life builds, deferred reboots, agent health.
- Targets
- Critical & high-severity updates applied within 24–48 hours of vendor release. Standard updates within agreed maintenance windows. Zero unsupported builds in production.
- Cadence
- Continuous detection · Wednesday pilot ring · Friday production rollout · monthly Health Bar attestation.
Patch Applications
The percentage of installed third-party applications running current, supported versions across the fleet — covering the long tail of software that lives outside the operating system.
- Scope
- BrowsersOffice & productivityAdobeJava & runtimesLine-of-business apps
- What we measure
- Installed-version drift, known CVEs, unsupported versions, shadow installations discovered on agents.
- Targets
- Critical & high-severity CVEs remediated within 24–48 hours of disclosure. No unsupported browsers or runtimes in production.
- Cadence
- Daily vulnerability scan · Wednesday pilot ring · Friday production rollout · monthly Health Bar attestation.
The C.A.R.L. patch discipline
Four phases · Repeated, every cycleInventory & assess
Lightweight agents enumerate every device, every operating-system build and every installed application — daily. New vulnerabilities are matched against the estate within hours of disclosure.
→Pilot, then promote
Approved patches land in a pilot ring on Wednesday at 6:15pm — internal devices and a small group of opt-in production endpoints. Anything that misbehaves is caught here, never in front of a client.
→Friday, out-of-hours
Production rollout follows the published patch policy: workstations from 6:15pm Friday, servers from 11:00pm Friday. Reboots are negotiated, never imposed; failures roll back automatically.
→Prove it
Installation is confirmed agent-side. Anything still missing is re-attempted, escalated, and counted. Compliance posture is reported in the monthly C.A.R.L. Health Bar attestation, with exceptions named.
The overwhelming majority of breaches we see in the wild exploit a vulnerability the vendor has already patched. The fix exists; it just hasn't been applied. Our job is to apply it — quietly, on a schedule, with proof.
Want to know where your patch posture actually stands?
A C.A.R.L. audit gives you a baseline across all 14 Vital Metrics — including both patching metrics — in a single session. No agents to pre-install, no access to hand over.

