ASD's ML2 now expects critical internet-facing fixes in 48 hours. Here is the patch pipeline on Azure Policy and Defender that actually holds that line.
Draft outline · Operations lens
The updated Essential Eight tightened patch timelines: Maturity Level 2 expects critical vulnerabilities on internet-facing assets patched within 48 hours, with faster application patching and weekly scanning. That is driven by the collapsing gap between disclosure and exploitation, exactly the pattern the Ivanti and Fortinet edge CVEs demonstrated.
Primary source for the tightened patch timelines and what each level now requires.
Independent reporting showing why 48 hours exists: same-week, sometimes same-day exploitation.
An operations piece: running a patch pipeline that meets a specific, demanding SLA. It connects the E8 requirement to the edge-device reality (the VPN dive) and shows we operate the control, not just recommend it.