Vulnerability & Patch Management (B/S/G)

Summary. Find and reduce risk with continuous vulnerability scanning and a clear, achievable patch cadence.

Who it's for. SMEs that want fewer urgent incidents and clear progress that can be evidenced to stakeholders.

What’s Included

Scope	Description
Core Inclusions	Asset & vuln discovery; prioritised findings Patch cadence and maintenance windows Exception handling and management reporting Credentialed vuln scans with evidence and remediation guidance Patch rings/maintenance windows with rollback notes
Optional Add‑Ons	EDR/XDR uplift (per Annex) Remediation sprints (T&M) Executive risk briefings

Note: timelines depend on size and current tooling.

Phase	Activities	Deliverables	Indicative Duration
01 — Baseline	Scan/import assets Define cadence	Baseline risk view & first remediation plan Patch calendar & rings	1 week
02 — Stabilise	Remediation focus Exception process	Documented down-trend in risk Exception register (owner + expiry)	2–4 weeks
03 — Operate	Monthly scans & reports Quarterly roadmap	Monthly scorecard (risk, patch compliance, MTTR) Quarterly roadmap	Ongoing

Plan	Coverage	Response / Restore	Governance
Bronze	Business hours (Mon–Fri 08:00–17:00 NZT, except Public Holidays)	Findings triage monthly	Monthly summary
Silver	Extended hours (Mon–Fri 07:00–19:00 NZT, except Public Holidays)	Findings triage fortnightly	Monthly review
Gold	Business + after‑hours (24×7 P1 only)	Findings triage weekly	Monthly review + exec summary

For pricing, terms and conditions see the Pricing Annex.

Credentialed scanning in place for in-scope assets; authoritative asset source agreed
Critical/high vulns remediated within SLA (e.g., critical ≤ 14 days, high ≤ 30 days)
Patch cadence executed without critical business disruption
Risk trending down: backlog ageing reduced and monthly score improves

Patch-related outages: ringed deployment, maintenance windows, rollback plan
Legacy/EOL platforms: compensating controls and isolation until upgrade
Credential gaps: privileged scan accounts with least-privilege and vault storage

Prefer to stabilise first? Run a short pilot to establish a clean baseline; then roll into this managed service.