
Closing the ‘risk window’: Why real-time remediation is the new security standard


COMMENTARY: On March 7, 2017, Apache disclosed a critical vulnerability in the Struts web application framework. Three days later, Equifax was breached.

Equifax learned the hard way that a security process is only as strong as its weakest handoff. The patch existed. The playbook existed. What failed was the connective tissue in between, and every organization that still primarily relies on humans to bridge that gap is running the same risk.


Equifax almost aced the test on responding to critical vulnerabilities. Someone in the organization knew exactly what needed to happen — but the company fell catastrophically short because of broken internal handoffs. When US-CERT issued an alert about the Struts vulnerability, the Equifax recipient list was out of date, and the notice never reached the individuals responsible for applying the patch. The cost of broken hand-offs and stale tickets: 147 million Americans' data exposed and a $700 million settlement.

The Equifax breach was nearly a decade ago, and attacks are only becoming faster and more sophisticated. Relying on "human APIs" (tasking people with manual data transfers, remediation handoffs, and chasing follow-ups) is no longer a viable strategy. Attackers move at the speed granted by autonomy, while defenders wait for someone to forward them an email.

The numbers reflect how badly coordination has failed. In a 2019 study, 88% of respondents said patching vulnerabilities required coordination with others outside their team, delaying patches 12 days on average — and 60% of breach victims said the exploited vulnerability already had a patch available.


A 2025 survey shows little has changed: despite 85% of organizations believing they have strong cross-team collaboration, communications breakdowns remain the single most common cause of remediation delays. That coordination cost compounds with every boundary crossed. The median time to remediate exploited vulnerabilities in edge devices is 32 days. When security teams need to engage developers to address secrets exposed on GitHub, that grows to 94 days. And when third parties are involved, it balloons to 267 days.

Tools to automatically apply patches predate Equifax, and we have even better versions today, but these solutions only activate as part of a process that extends before and beyond them. Like in the parable of the tortoise and the hare, updating package versions at rabbit-speed doesn't win the race if you wait weeks to start running.

The fixation on patching speed misses what's equally crucial: what happens before and after the patch itself. Vulnerability scans and alerts, automated triage and ticketing, integrated handoffs and follow-ups: these are the business processes that determine when a patch gets applied. There are entire product categories designed to automate pieces of this: Security Orchestration Automation & Response (SOAR), Remote Monitoring & Management (RMM), and Governance Risk & Compliance (GRC) can each protect parts of the security lifecycle. But having them doesn't mean you're in the clear. Each represents a single node in a process that has to be connected end-to-end. Without connective tissue tying them together, you have exactly what Equifax had in 2017: isolated competencies, weak handoffs, and vulnerabilities that remain unresolved as days turn to weeks.

The answer isn't a better point solution, it's a system that wires the lifecycle together end-to-end. When a vulnerability is discovered, the process should trigger automatically: scan, triage, assign, notify the right team in the right system, bring in analysts where they are needed, escalate if a deadline slips, and close the loop with verified remediation. Every step triggered by the last, with no “human APIs” required to hand off between them. That kind of orchestration doesn't just accelerate remediation, it eliminates the category of failure that cost Equifax $700 million.
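The lifecycle described above can be sketched as a small state machine; this is an added example, not code from the column or from any product it mentions. The asset names, routing tables, SLA values, the `VULN-EXAMPLE-1` identifier and the `still_vulnerable` re-scan callback are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed routing data (assumptions for illustration, not from the article).
OWNERS = {"web-portal": "app-team", "vpn-edge": "netops"}
CHANNELS = {"app-team": "ticket-queue:APP"}  # netops has no live channel: a stale list
SLA = {"critical": timedelta(days=2), "high": timedelta(days=7)}
FALLBACK = "security-oncall"

@dataclass
class Finding:
    asset: str
    vuln_id: str
    severity: str
    found_at: datetime
    state: str = "new"
    assignee: str = ""
    log: list = field(default_factory=list)

def route(f: Finding) -> Finding:
    """Triage, assign and notify in one step; a notice is never dropped silently."""
    team = OWNERS.get(f.asset)
    if team is None or team not in CHANNELS:
        # Stale-recipient case: no owner or no live channel, so route to a fallback.
        f.assignee = FALLBACK
        f.log.append(f"no live channel for {f.asset}; routed to {FALLBACK}")
    else:
        f.assignee = team
        f.log.append(f"notified {CHANNELS[team]}")
    f.state = "assigned"
    return f

def tick(f: Finding, now: datetime, still_vulnerable) -> Finding:
    """Advance one finding: close only on a clean re-scan, escalate on SLA breach."""
    if f.state == "closed":
        return f
    if not still_vulnerable(f.asset, f.vuln_id):
        f.state = "closed"
        f.log.append("re-scan clean; closed")
    elif now - f.found_at > SLA[f.severity] and f.state != "escalated":
        f.state = "escalated"
        f.log.append(f"SLA breached; escalated from {f.assignee}")
    return f

if __name__ == "__main__":
    f = route(Finding("vpn-edge", "VULN-EXAMPLE-1", "critical", datetime(2024, 1, 1)))
    tick(f, datetime(2024, 1, 4), lambda asset, vuln: True)
    print(f.state, f.log)
```

A finding leaves the loop only when the re-scan callback reports it fixed, so a ticket marked "done" by hand does not count as remediation.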

The bar for "automated" has to be the complete cycle, from discovery to resolution, with no manual dependencies in between. Attackers operate with the speed and consistency that only autonomy provides. Until defenders can match that with end-to-end orchestration rather than isolated tools bridged by human effort, the weakest link will keep breaking. The technology to close that gap exists. The question is whether organizations will demand it before the next Equifax.


Greg Pollock, Director of Research and Insights, UpGuard.
