A defacement campaign hit over 15,000 Magento e-commerce sites recently. The attackers did not wait for a patch. They did not need to. There was no patch available.
This is the scenario that patch-based security was never designed to handle. A vulnerability exists, no fix is out yet, and attackers are already moving at scale. Your options under a purely reactive model are limited: take the system offline, accept the risk, or hope your perimeter holds long enough for a fix to ship.
None of those are good options.
The PolyShell campaign is a good reminder that the patch cycle is not a security strategy. It is a maintenance schedule. Those are different things. One keeps your systems current. The other assumes that staying current is enough to stop a motivated attacker. It is not.
What changes the math is not faster patching. It is making the environment hostile to reconnaissance and lateral movement before the attacker can take advantage of what they found. A network that detects unauthorized activity at first contact and responds inline does not need to wait for a CVE to be filed, analyzed, and patched before it can act.
Preemptive defense does not replace patching. You still patch. But it means that in the window between discovery and remediation, you are not sitting exposed. You are actively making the attacker’s job harder every second they are in your environment.
15,000 sites is a big number. The organizations that got hit were not all negligent. Some were simply relying on a model that was not built for the speed at which modern attacks operate.
The industry needs to stop treating patching as the last line of defense and start treating it as one layer in a system that does not require a patch to respond.