Anthropic-Cybersecurity-Skills/skills/implementing-patch-management-workflow/references/workflows.md

Workflows - Patch Management

Workflow 1: End-to-End Patch Lifecycle

┌────────────┐   ┌──────────┐   ┌──────────────┐   ┌──────────┐
│  Discover  │──>│  Assess  │──>│  Prioritize  │──>│   Test   │
│  (Vendor   │   │  (CVE    │   │  (CVSS+EPSS  │   │  (Lab    │
│   Feeds)   │   │  Match)  │   │   Scoring)   │   │  Ring 0) │
└────────────┘   └──────────┘   └──────────────┘   └──────────┘
                                                         │
    ┌───────────────────────────────────────────────────┘
    v
┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐
│ Approve  │──>│  Deploy  │──>│  Verify  │──>│  Report  │
│ (CAB /   │   │ (Phased  │   │ (Re-scan │   │ (Metrics │
│  Change) │   │  Rings)  │   │  Confirm)│   │  + KPIs) │
└──────────┘   └──────────┘   └──────────┘   └──────────┘

Workflow 2: Emergency Patch Process

For critical zero-day or actively exploited vulnerabilities:

  1. Alert (T+0h): Vendor advisory or threat intel notification
  2. Triage (T+1h): Assess applicability and impact
  3. Fast-track Test (T+4h): Rapid testing on critical systems
  4. Emergency CAB (T+6h): Expedited approval
  5. Deploy (T+8h): Direct to production (skip pilot rings)
  6. Verify (T+12h): Post-patch scan verification
  7. Post-mortem (T+48h): Review process effectiveness
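
The Prioritize step of Workflow 1 and the timed milestones of Workflow 2 can be driven from one small triage helper. The following Python is an added illustration, not code from the skill or the page; the CVSS/EPSS thresholds, the Finding fields and the sample CVE id are assumptions chosen for the example, while the milestone offsets are the T+ values listed above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Milestones of Workflow 2 as hour offsets from the alert (T+0h).
EMERGENCY_MILESTONES = [
    ("alert", 0), ("triage", 1), ("fast_track_test", 4), ("emergency_cab", 6),
    ("deploy", 8), ("verify", 12), ("post_mortem", 48),
]

@dataclass
class Finding:
    cve: str
    cvss: float       # CVSS base score, 0.0-10.0
    epss: float       # EPSS probability of exploitation, 0.0-1.0
    exploited: bool   # flagged as actively exploited by a vendor or threat-intel feed
    exposed: bool     # asset reachable from untrusted networks

def prioritize(f: Finding) -> str:
    """Tier a finding as emergency/high/medium/low.
    Thresholds are assumptions for illustration, not values from the page."""
    if f.exploited or (f.cvss >= 9.0 and f.epss >= 0.5):
        return "emergency"
    if f.cvss >= 7.0 and (f.epss >= 0.1 or f.exposed):
        return "high"
    if f.cvss >= 4.0:
        return "medium"
    return "low"

def route(f: Finding) -> str:
    """Emergency tier goes to Workflow 2; everything else rides the phased rings."""
    return "workflow2_emergency" if prioritize(f) == "emergency" else "workflow1_phased_rings"

def emergency_schedule(alert_iso: str) -> dict:
    """Map each Workflow 2 milestone to its deadline (ISO 8601) from the alert time."""
    t0 = datetime.fromisoformat(alert_iso)
    return {n: (t0 + timedelta(hours=h)).isoformat() for n, h in EMERGENCY_MILESTONES}

def overdue(alert_iso: str, completed: dict, now_iso: str) -> list:
    """Milestones whose deadline has passed with no completion timestamp recorded."""
    now = datetime.fromisoformat(now_iso)
    return [n for n, due in emergency_schedule(alert_iso).items()
            if now > datetime.fromisoformat(due) and n not in completed]

if __name__ == "__main__":
    # Constructed sample: an exploited critical flaw alerted at midnight, checked at T+7h.
    f = Finding("CVE-EXAMPLE-0001", 9.8, 0.9, True, True)
    done = {"alert": "2024-01-01T00:00", "triage": "2024-01-01T00:45",
            "fast_track_test": "2024-01-01T03:30"}
    print(prioritize(f), route(f))
    print(overdue("2024-01-01T00:00", done, "2024-01-01T07:00"))  # ['emergency_cab']
```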

Workflow 3: Rollback Procedure

Patch Deployment Fails
    │
    ├──> Application Not Starting
    │       └──> Restore from snapshot/backup
    │
    ├──> Performance Degradation
    │       └──> Uninstall patch (wusa /uninstall /kb:NNNNN)
    │
    ├──> Blue Screen / Kernel Panic
    │       └──> Boot to safe mode, remove update
    │
    └──> Network Connectivity Lost
            └──> Console access, rollback patch