It was a routine patch cycle. The team pushed updates to what they thought was the full device list. Three servers weren't on it.
Two of them were running a legacy payment integration. One was exposed to the internet.
The post-mortem finding: the asset spreadsheet hadn't been updated in six weeks. Someone had spun up the servers during a crunch period and never added them. The patch ran, the known devices were updated, and the unknown ones stayed vulnerable.
The real problem with patch management
Most teams treat patch management as a tooling problem. Get the right patch tool, run it on a schedule, check the boxes.
But patch tools only patch devices they know about. If your inventory is incomplete, your patch coverage is incomplete — by definition.
This is why patch management is fundamentally a data problem. You can have the best patching tool in the world and still miss 15% of your environment because your inventory is stale.
What "complete" actually means
A complete asset inventory isn't a spreadsheet updated every quarter. It's a live, queryable record of what's connected to your environment right now — with enough metadata to answer:
- Is this device in scope for this patch?
- When was it last seen on the network?
- Who owns it?
- What's running on it?
Without that, you're patching from a map that's already out of date.
The fix isn't more process
Adding a "please update the spreadsheet" step to your onboarding checklist doesn't solve this. People forget. Contractors don't know to do it. Emergency deployments skip it.
The fix is making the inventory self-updating — or at least queryable from your actual infrastructure rather than maintained manually.
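As an added example (not from the post), here is the kind of check a self-updating inventory makes possible: diffing the patch tool's device list against what the infrastructure actually reports seeing, and answering the four questions above for every live host. All hostnames, timestamps and lists are constructed, modelled on the three missing servers in the story.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample data (hypothetical hosts), frozen at a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

@dataclass
class Asset:
    hostname: str
    last_seen: datetime        # when infrastructure last saw it (DHCP/ARP/cloud API)
    owner: Optional[str]       # who owns it
    services: tuple            # what's running on it
    internet_exposed: bool     # is it reachable from the internet

# The patch tool's device list: the "spreadsheet" view of the estate.
PATCH_TOOL_HOSTS = {"web-01", "web-02", "db-01", "old-jump-01"}

# What the infrastructure itself reports seeing on the network.
OBSERVED = [
    Asset("web-01", NOW - timedelta(hours=1), "platform", ("nginx",), True),
    Asset("web-02", NOW - timedelta(hours=2), "platform", ("nginx",), True),
    Asset("db-01", NOW - timedelta(minutes=5), "data", ("postgres",), False),
    Asset("pay-legacy-01", NOW - timedelta(hours=3), None, ("legacy-payment",), False),
    Asset("pay-legacy-02", NOW - timedelta(hours=3), None, ("legacy-payment",), True),
    Asset("tmp-crunch-01", NOW - timedelta(days=1), None, ("sshd",), False),
]

def reconcile(patch_tool_hosts, observed, now=NOW, stale_after=timedelta(days=14)):
    """Diff the patch tool's list against live observations.
    Hosts seen within `stale_after` count as live. Returns the hosts the patch
    tool will silently skip (unmanaged), entries it will try to patch that nobody
    has seen recently (stale), live hosts with no owner, unmanaged hosts that are
    internet-exposed, and the patch coverage fraction of the live estate.
    """
    live = {a.hostname: a for a in observed if now - a.last_seen <= stale_after}
    unmanaged = sorted(h for h in live if h not in patch_tool_hosts)
    stale = sorted(h for h in patch_tool_hosts if h not in live)
    return {
        "unmanaged": unmanaged,
        "stale": stale,
        "ownerless": sorted(h for h, a in live.items() if a.owner is None),
        "exposed_unmanaged": [h for h in unmanaged if live[h].internet_exposed],
        "coverage": (len(live) - len(unmanaged)) / len(live) if live else 1.0,
    }

if __name__ == "__main__":
    for key, value in reconcile(PATCH_TOOL_HOSTS, OBSERVED).items():
        print(f"{key}: {value}")
```

Run against the sample data it reports 50% coverage, three unmanaged hosts with no owner, and one of them internet-exposed, which is exactly the gap the patch run in the story never saw.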
If you're thinking about how AI fits into this, conexor.io is worth a look — it's MCP infrastructure that connects your databases to AI tools so you can query live asset data in natural language instead of hunting through stale spreadsheets.
The spreadsheet didn't cause the breach. The gap between the spreadsheet and reality did.