You can't patch your way out of this anymore

2026-06-12

Hey there! Welcome to Platform Weekly. Your weekly sweep of the platform engineering perimeter. Every week, we round up the sharpest thinking in the community and hand you the one story you can't afford to ignore.

Plus… we’re just two weeks away from PlatformCon! It’s your last chance to get tickets and say hi in London or New York!

You can't patch your way out of this anymore

I've been having the same conversation on repeat lately, with a bunch of you in the community. The patching treadmill is totally f*cked. We spent the last year just trying to run faster to outpace it - and I think it’s time to stop. And I don’t mean give up.

For thirty years the playbook was find the CVE, ship the fix, apply the patch, repeat. That made sense when vulnerabilities came in the hundreds and attackers took weeks to move. That world is GONE.

  • 48,185 CVEs were published in 2025, up 163% from 2020. FIRST's median forecast for 2026 is nearly 60,000, and some people are suggesting 100,000+.

  • The Linux kernel alone accounted for 5,530 CVEs last year, a pace of roughly 15 new ones every single day.

  • In 2020, attackers needed 30 days on average to weaponize a new CVE. By 2025 the median was under 5 days.

  • 28% of vulnerabilities in 2025 were exploited on disclosure day or before a patch even existed. For that group the average time-to-exploit was negative one day. The fix didn't exist yet.

  • Meanwhile organizations take 88 days on average to remediate a critical vuln. Not to mention NIST's NVD no longer manages to enrich every CVE it publishes with severity and affected-product data, so you're on your own to figure out severity.

Those numbers come from Justin Garrison, Field CTO at Sidero Labs, in a piece called Patching Won't Save You. Oof. It's a banger, and it reframes the whole problem.

This is a fundamental platform engineering problem now, NOT a patching problem. If attackers exploit in hours and no change advisory board on earth runs at machine speed, then a faster pipeline was never going to be the answer. The answer is to have less to patch. Sounds easy, doesn't it? ;)

That's the game. Shrink the surface. If a package isn't there, the CVE against it simply doesn't apply to you. Justin has another great article on his favourite example, Copy Fail, a 732-byte script that claimed to root every Linux distro shipped since 2017.

Talos Linux, the open source Linux OS for Kubernetes (K8s) that Justin and the folks at Sidero Labs maintain, is basically immune to this. No shell, no package manager, not even a Python interpreter: most of the exploit had nothing to grab onto. Whole categories of risk just come off the board.

That is how you need to think about these security problems going forward. If you aren't thinking secure by default, then to be honest, you're not thinking at all.

So here's what I want you to do this week - stop asking how fast you can patch, and start asking how much you can delete. Read Justin's full breakdown, take a look at Talos Linux, then go count the packages in your base image you've never once called.
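
Here is what "count the packages you've never once called" looks like as a script, as an added example (it is not from this issue, from Justin's article, or from Talos/Sidero). It assumes three inputs you can get from any Debian-style image: a package-to-files inventory in the shape of `dpkg -L`, an exec trace in the shape auditd or an eBPF exec tracer emits, and a scanner-style list of advisories keyed by package. All three below are constructed sample data, and the advisory IDs are placeholders, not real CVEs. The script joins the trace back to package ownership (what `dpkg -S` answers), lists packages that never executed anything, flags executables no package owns, and shows how many advisories stop applying once the unused packages are gone.

```python
"""Candidate-removal report for a container base image.

Added example for Platform Weekly, not code from the newsletter or from
Sidero Labs. Inventory, trace and advisory list are constructed samples.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed: package -> owned files, in the shape of `dpkg -L <pkg>`.
PACKAGE_FILES: Dict[str, List[str]] = {
    "dash":      ["/bin/sh"],
    "bash":      ["/bin/bash", "/usr/share/doc/bash/README"],
    "coreutils": ["/bin/ls", "/bin/cat", "/usr/bin/sha256sum"],
    "curl":      ["/usr/bin/curl"],
    "python3":   ["/usr/bin/python3", "/usr/lib/python3/os.py"],
    "perl-base": ["/usr/bin/perl"],
    "openssl":   ["/usr/bin/openssl"],
    "myservice": ["/usr/local/bin/myservice"],
}

# Constructed: exec events, one per line, as an auditd/eBPF exec tracer
# might emit them. Only the exe= field is consumed.
EXEC_TRACE = """\
type=EXECVE pid=101 exe="/usr/local/bin/myservice"
type=EXECVE pid=102 exe="/bin/sh" argv="sh -c /usr/bin/curl -sf http://127.0.0.1:8080/healthz"
type=EXECVE pid=103 exe="/usr/bin/curl"
type=EXECVE pid=104 exe="/usr/local/bin/myservice"
type=EXECVE pid=105 exe="/opt/tool/agent"
"""

# Constructed: scanner-style advisories. IDs are placeholders, not real CVEs.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-SAMPLE-1", "package": "curl"},
    {"id": "ADV-SAMPLE-2", "package": "python3"},
    {"id": "ADV-SAMPLE-3", "package": "perl-base"},
    {"id": "ADV-SAMPLE-4", "package": "openssl"},
    {"id": "ADV-SAMPLE-5", "package": "bash"},
]

EXE_RE = re.compile(r'\bexe="([^"]+)"')


def executed_paths(trace: str) -> Set[str]:
    """Every distinct executable path that appeared in an exec event."""
    return set(EXE_RE.findall(trace))


def owner_index(package_files: Dict[str, List[str]]) -> Dict[str, str]:
    """Invert package -> files into file -> package (what `dpkg -S` answers)."""
    return {path: pkg for pkg, files in package_files.items() for path in files}


def unused_packages(package_files: Dict[str, List[str]], executed: Set[str]) -> Set[str]:
    """Packages none of whose files were ever executed.

    Caveat: an exec trace only sees execve(). Shared libraries, Python
    modules and config files are opened or mmapped, never executed, so a
    package that only ships those would wrongly look unused here. Treat the
    result as a candidate list and confirm it against an open()/mmap() trace
    before deleting anything.
    """
    owners = owner_index(package_files)
    used = {owners[p] for p in executed if p in owners}
    return set(package_files) - used


def unowned_paths(package_files: Dict[str, List[str]], executed: Set[str]) -> Set[str]:
    """Executed paths no package claims: unpacked tarballs, curl|sh installs.

    These never show up in a package-based scan at all, which is the other
    half of the surface problem.
    """
    owners = owner_index(package_files)
    return {p for p in executed if p not in owners}


def applicable_advisories(advisories: List[Dict[str, str]], installed: Iterable[str]) -> List[str]:
    """Advisory IDs whose affected package is actually present."""
    present = set(installed)
    return [a["id"] for a in advisories if a["package"] in present]


def surface_report(package_files, trace, advisories) -> Dict[str, object]:
    executed = executed_paths(trace)
    unused = unused_packages(package_files, executed)
    return {
        "installed": len(package_files),
        "unused": sorted(unused),
        "unowned_executables": sorted(unowned_paths(package_files, executed)),
        "advisories_before": applicable_advisories(advisories, package_files),
        "advisories_after": applicable_advisories(advisories, set(package_files) - unused),
    }


if __name__ == "__main__":
    r = surface_report(PACKAGE_FILES, EXEC_TRACE, ADVISORIES)
    print(f"{r['installed']} packages installed, {len(r['unused'])} never executed")
    for pkg in r["unused"]:
        print(f"  drop candidate: {pkg}")
    for path in r["unowned_executables"]:
        print(f"  unowned executable (invisible to package scans): {path}")
    print("advisories that apply before trimming:", r["advisories_before"])
    print("advisories that apply after trimming: ", r["advisories_after"])
```

On the constructed data, five of eight packages never ran anything and four of five advisories drop off the board once they are gone; the one remaining advisory is against curl, which the health check actually uses. Run the real thing by replacing the three constants with `dpkg -L` output, a trace captured over a representative workload (not a one-minute smoke test), and your scanner's findings; the caveat in `unused_packages` is the part people get bitten by.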

From the community

  • Want to watch the recordings of PlatformCon workshops and talks you weren't able to attend? We're uploading more every day on the community YouTube channel.
