Patching Cadence Risk Vector: Core Overview

Ingrid

The new version of the Patching Cadence risk vector has been renamed to Critical Vulnerabilities Management. Learn more here.

The Patching Cadence risk vector is in the Diligence risk category. It evaluates the average duration that publicly disclosed software vulnerabilities remain unpatched within an organization's infrastructure.

Risk Category: Diligence
Default Grade: A
Current Rating Impact: 20%
Finding Lifetime: 90 days (the duration a finding impacts your grade if no changes occur)
Scan Cadence: Automated every 30 days; daily automated scans for EASM Enhanced customers
Eligible for Dynamic Remediation? No

Vulnerabilities can expose organizations to malicious attacks. Reacting quickly to vulnerabilities is critical for reducing cyber risk. A Bitsight study demonstrated that organizations with a poor Patching Cadence grade experience a nearly sevenfold increase in the likelihood of a ransomware event. Furthermore, a Marsh McLennan study identified Patching Cadence as the top indicator for predicting the risk of experiencing a cybersecurity incident.

Best Practices for Remediating Findings

To maximize your score and strengthen your security posture:

- Prioritize High CVSS Scores: Focus your remediation efforts on the most severe vulnerabilities first.
- Target Long-Running Findings: Reduce your average time-to-remediate by addressing the vulnerabilities that have existed in your network the longest.
- Automate Updates: Keep your operating systems and supporting libraries up to date, and implement automatic updates for critical systems.
- Monitor Vendors: Understand how quickly your critical vendors patch their vulnerabilities, because weak links in your supply chain can expose you to significant risk.
- Consistency Matters: Because Bitsight looks at a weighted average over time, one or two "outlier" vulnerabilities left unpatched for months can drag down the average even if most other items are fixed quickly.
How is my grade calculated?

To calculate your Patching Cadence grade, Bitsight measures how quickly you remediate vulnerabilities relative to their severity.

How it Works

Your grade is based on your weighted average time-to-remediate, not on the total number of vulnerabilities or assets you have. High-severity vulnerabilities (Material or Severe) impact your grade more significantly than Minor ones if left unpatched. Patching Cadence accounts for 20% of the Diligence category. Since the Diligence risk category represents 70.5% of your overall Bitsight rating, maintaining a fast patching cycle is one of the most effective ways to improve or stabilize your score.

In summary: To maintain a high grade, focus on patching critical vulnerabilities as fast as possible. Learn more about Patching Cadence calculations here.

What does my grade mean?

An A grade indicates your organization is performing better than most of your peers on vulnerability remediation speed. Grades are derived from observed remediation behavior (for example, time to patch and consistency of patching) across the organization's internet-facing footprint.

How long does a finding affect my grade?

Impact is calculated from the day a vulnerability is First Seen until it is Last Seen. A finding is marked "fixed" once a patch is detected or the asset has been unreachable for 60 days. After remediation, a finding stays on your record for 90 days: its impact is highest on day one and fades to zero over the three-month period. If the same vulnerability reappears within 180 days, the original duration is extended rather than starting fresh.
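The lifecycle and weighting rules described above, as an added Python model that is not Bitsight's own code: the 60-day unreachable rule, the 90-day lifetime and the 180-day reappearance window come from this page, while the severity weights and the linear shape of the decay are assumptions, and the findings are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Hypothetical weights: the page only says Material/Severe findings weigh more than Minor.
SEVERITY_WEIGHT = {"minor": 1.0, "moderate": 2.0, "material": 4.0, "severe": 8.0}
UNREACHABLE_FIX_DAYS = 60   # asset unreachable this long -> finding counts as fixed
LIFETIME_DAYS = 90          # remediated finding keeps a fading impact this long
REOPEN_WINDOW_DAYS = 180    # reappearance inside this window extends the original finding

@dataclass
class Finding:
    cve: str
    severity: str
    first_seen: date
    last_seen: date                    # last day the vulnerability was observed
    patched_on: Optional[date] = None  # day a patch was detected, if any
def fixed_on(f: Finding, today: date) -> Optional[date]:
    """Remediation day: patch detected, or unreachable for 60 days; None while still open."""
    gone = f.last_seen + timedelta(days=UNREACHABLE_FIX_DAYS)
    return f.patched_on or (gone if gone <= today else None)
def merge_reappearances(findings: list) -> list:
    """Fold a CVE that reappears within 180 days of being fixed into the original finding."""
    out, last = [], {}
    for f in sorted(findings, key=lambda x: (x.cve, x.first_seen)):
        prev = last.get(f.cve)
        if prev and (f.first_seen - (prev.patched_on or prev.last_seen)).days <= REOPEN_WINDOW_DAYS:
            prev.last_seen = max(prev.last_seen, f.last_seen)  # extend, do not restart
            prev.patched_on = f.patched_on                      # open again if unpatched
        else:
            last[f.cve] = prev = Finding(**vars(f))
            out.append(prev)
    return out
def impact_factor(f: Finding, today: date) -> float:
    """1.0 while open; after remediation fades (linearly, an assumption) to 0 over 90 days."""
    fixed = fixed_on(f, today)
    return 1.0 if fixed is None else max(0.0, 1.0 - (today - fixed).days / LIFETIME_DAYS)
def weighted_avg_ttr(findings: list, today: date) -> float:
    """Severity- and decay-weighted average time-to-remediate, the quantity the grade tracks."""
    weights = [SEVERITY_WEIGHT[f.severity] * impact_factor(f, today) for f in findings]
    durations = [((f.patched_on or f.last_seen) - f.first_seen).days for f in findings]  # First Seen -> patch (or Last Seen)
    total = sum(weights)
    return sum(w * d for w, d in zip(weights, durations)) / total if total else 0.0
# Constructed sample (evaluated on 2025-06-01): a Severe CVE patched then back within 180 days,
# a quickly patched Minor CVE, and a Material CVE whose host went unreachable.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Finding("CVE-0000-0001", "severe", date(2025, 1, 1), date(2025, 1, 20), date(2025, 1, 21)),
    Finding("CVE-0000-0001", "severe", date(2025, 3, 1), date(2025, 5, 30)),
    Finding("CVE-0000-0002", "minor", date(2025, 5, 1), date(2025, 5, 10), date(2025, 5, 11)),
    Finding("CVE-0000-0003", "material", date(2025, 2, 1), date(2025, 3, 1)),
]
```

Running `weighted_avg_ttr(merge_reappearances(SAMPLE), TODAY)` shows how the single reopened Severe finding (149 days, still open) dominates the average even though the other two were handled within weeks.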
In summary: Patching quickly limits the initial damage, while staying clean for 90 days fully clears the impact from your score.

Where can I view my Patching Cadence grades and findings?

You can view Patching Cadence findings on the Findings Table or the Rating Details page.

Findings Table navigation options:
- SPM App: Findings ➔ Findings Table
- CM App: Companies List ➔ Vendor Risk ➔ Findings
- Insurance: Companies List ➔ Client Risk ➔ Findings
- API: GET /v1/companies/entity_guid/findings?risk_vector=patching_cadence

Rating Details page navigation options:
- SPM App: Organization ➔ Ratings Details
- CM App: Vendor Risk ➔ Ratings Details
- Insurance: Client Risk ➔ Rating Details

The Rating Details page includes a graph that shows the number of vulnerabilities experienced per month, along with the average resolution time for the month.

1 Year Summary of Patching Cadence Observations

A higher bubble indicates a longer average resolution timespan for that month. Larger bubbles indicate that more unpatched vulnerabilities were observed during that time period.

Did this not fully answer your question?
- Click here for a deeper dive into how the Patching Cadence risk vector is calculated.
- Learn more about why findings have a decay and lifetime period.
- For information about scanning and rescan of findings, see How is the Diligence Risk Category Calculated?
- Learn more about why Patching Cadence should be a risk priority in 2026 at the Bitsight blog!

- October 23, 2025: New section added, Rescan base duration.
- January 15, 2024: N/A value clarification.
- September 5, 2024: The remediated finding behavior references the mean time to remediate.
- July 10, 2024: The Patching Cadence lifetime is 90 days.

Related articles
- How is the Patching Cadence Risk Vector Assessed?
- Finding Behavior
- What is a Finding Lifetime?
- The Bitsight Security Ratings' Correlation to Ransomware
- TLS/SSL Finding Remediation & Remediation Verification