C.A.R.L.
Patch Operating Systems & ApplicationsVital Metrics D · E · Pillar 2

Patched, quietly.

Operating Systems and Applications, kept current as a matter of routine — not a project, not a panic.

C.A.R.L. Health Bar™
01Configuration Control
02Continuous Optimisation
03Access & Identity
04Connected Tech
You are here. Patching is the heartbeat of Continuous Optimisation — the lane where small, regular work prevents large, irregular incidents.
In one paragraph

Software is only as safe as its most recent patch. Two of the fourteen Vital Metrics inside C.A.R.L. answer the same question, applied to two different surfaces: is every operating system, and every installed application, running a current and trusted build? Both are measured continuously, remediated without drama, and reported on every month inside the C.A.R.L. Health Bar attestation.

M.06·Vital Metric

Patch Operating Systems

The percentage of managed endpoints and servers running supported, current operating-system builds — with all critical and security updates applied within agreed service windows.

Scope
Windows 10 / 11Windows ServermacOSLinux (server)
What we measure
Patch level, missing critical updates, end-of-life builds, deferred reboots, agent health.
Targets
Critical & high-severity updates applied within 24–48 hours of vendor release. Standard updates within agreed maintenance windows. Zero unsupported builds in production.
Cadence
Continuous detection · Wednesday pilot ring · Friday production rollout · monthly Health Bar attestation.
M.07·Vital Metric

Patch Applications

The percentage of installed third-party applications running current, supported versions across the fleet — covering the long tail of software that lives outside the operating system.

Scope
BrowsersOffice & productivityAdobeJava & runtimesLine-of-business apps
What we measure
Installed-version drift, known CVEs, unsupported versions, shadow installations discovered on agents.
Targets
Critical & high-severity CVEs remediated within 24–48 hours of disclosure. No unsupported browsers or runtimes in production.
Cadence
Daily vulnerability scan · Wednesday pilot ring · Friday production rollout · monthly Health Bar attestation.

The C.A.R.L. patch discipline

Four phases · Repeated, every cycle
01 / DETECT

Inventory & assess

Lightweight agents enumerate every device, every operating-system build and every installed application — daily. New vulnerabilities are matched against the estate within hours of disclosure.

02 / STAGE

Pilot, then promote

Approved patches land in a pilot ring on Wednesday at 6:15pm — internal devices and a small group of opt-in production endpoints. Anything that misbehaves is caught here, never in front of a client.

03 / DEPLOY

Friday, out-of-hours

Production rollout follows the published patch policy: workstations from 6:15pm Friday, servers from 11:00pm Friday. Reboots are negotiated, never imposed; failures roll back automatically.

04 / VERIFY

Prove it

Installation is confirmed agent-side. Anything still missing is re-attempted, escalated, and counted. Compliance posture is reported in the monthly C.A.R.L. Health Bar attestation, with exceptions named.

Why these two metrics, specifically
The overwhelming majority of breaches we see in the wild exploit a vulnerability the vendor has already patched. The fix exists; it just hasn't been applied. Our job is to apply it — quietly, on a schedule, with proof.
24–48hrs
The service-level window inside which critical and high-severity vulnerabilities are remediated across the estate.
2 of 14
Vital Metrics measured by C.A.R.L. — the two that move the needle furthest, fastest.

Want to know where your patch posture actually stands?

A C.A.R.L. audit gives you a baseline across all 14 Vital Metrics — including both patching metrics — in a single session. No agents to pre-install, no access to hand over.