Virtual Patching with Device Security provides you with network-level vulnerability mitigation capabilities for OT and IoT environments where traditional patching presents operational challenges. You can deploy protection through your Next-generation Firewall by mapping CVEs to existing threat signatures and creating Security policy rules that block malicious traffic targeting specific vulnerabilities, rather than applying patches directly to vulnerable devices.

Use Virtual Patching when your operational environment faces significant patching constraints. Legacy systems in your network might lack vendor support for updates, your critical infrastructure might require extended maintenance windows that conflict with security timelines, or your systems could have long operating periods that extend time between maintenance windows. Additionally, your updates might require lengthy recertification cycles that delay patch deployment. Virtual Patching addresses these challenges by preventing vulnerability exploitation at the network level while allowing you to maintain operational continuity.

The feature integrates asset discovery, risk assessment, and automated policy deployment within Device Security. You can identify vulnerable devices in your environment, assess their risk levels, and receive guided recommendations for deploying compensating controls. Device Security verifies if threat signatures exist for specific vulnerabilities and helps you create least-privilege Security policy rules with vulnerability protection profiles. When you deploy these policies, you can extend the operational life of legacy systems while meeting regulatory compliance requirements that mandate documented risk mitigations.