Why your TPV should match your MTTR: Reducing identity risk
The DragonForce ransomware group has been in the news lately. In the latest instance, they broke into a Managed Service Provider’s SimpleHelp remote-monitoring platform by exploiting three vulnerabilities disclosed in January (CVE-2024-57726/27/28), cybersecurity firm Sophos reported.
After slipping a rogue SimpleHelp installer onto the MSP’s infrastructure, the attackers used the legitimate tool to fan out across multiple customer networks.
The intruders harvested device and user data, exfiltrated files and deployed the DragonForce encryptor, triggering data-theft and double-extortion attacks on several downstream clients.
One customer cut off the attackers’ RMM access in time, but others sustained both ransomware and information-stealing damage, the Sophos report said.
The issue is clear. SimpleHelp issued patches in January, and regulators and sector guides have been alerting users since then.
“The three vulnerabilities can be used in an exploit chain, which could allow a remote unauthenticated attacker to execute arbitrary code, steal server configuration files and credentials, and escalate their privileges,” said an NHS England advisory published on 14 February 2025.
Those who failed to patch on time got hit.
The silent cost of slow patching
The data are brutal. Research collated by NinjaOne shows that unpatched vulnerabilities are responsible for roughly 60 percent of successful breaches.
Meanwhile, Verizon’s 2024 Data Breach Investigations Report notes an eye-watering 180% year-on-year surge in breaches triggered by vulnerability exploitation: a near-tripling driven by zero-day campaigns such as the MOVEit vulnerability and data extortion incident.
Those statistics translate into concrete identity risk. Every unpatched CVE can let an adversary steal session tokens, replay credentials, or escalate privileges inside your cloud directory.
Left unchecked, a lapse in patching becomes the stepping-stone to ransomware, data exfiltration, or silent persistence under a trusted service account.
Security leaders talk constantly about closing “windows of exposure,” yet many organizations keep two different clocks for the same risk. The mitigation step here is deceptively simple: equate your TPV to your MTTR.
TPV and MTTR in business language
Time to Patch Vulnerabilities (TPV) measures how quickly you roll out a vendor fix; Mean Time To Remediate (MTTR) tracks how fast you contain a live incident. If those clocks diverge, the gap becomes an open invitation: attackers can weaponize a new flaw long before you act on it.
This is what Unosecur diligently advises our clients: apply a patch as fast as you would fix an active breach. In practice that means aiming for TPV that mirrors, or even beats, your established MTTR target.
Imagine you promise customers that you will answer every email within one day. That promise is your service-level agreement. TPV is the security equivalent: it is the deadline you set, internally or contractually, for rolling out a vendor patch once it is published.
MTTR, by contrast, is the stopwatch you click the moment the security team raises an incident ticket; it ends only when the threat has been fully contained.
In many companies MTTR sits on a brightly lit dashboard that executives glance at in every ops review, while TPV hides in a change-control spreadsheet no one outside IT ever sees. The result is predictable. Incidents are handled with urgency, but patches wait for a “low-impact” maintenance window that may be weeks away.
Aligning the two metrics forces patching into the same high-priority workflow that governs incident response.
Why matching the clocks matters for identity security
Same urgency, fewer blind spots. When the organization treats a released patch exactly like an active incident, critical fixes move to the front of the queue instead of languishing in backlog. The identity services that attackers covet, such as domain controllers, SSO gateways, cloud IAM consoles, get patched before threat actors can reverse-engineer the vulnerability.
One executive metric. Boards already understand MTTR; tying TPV to the same number removes complexity. If leaders see MTTR at five days and TPV at fifteen, they immediately recognize a gap that demands resources or process change.
Early risk signal. A widening TPV-MTTR delta is a flashing warning that the organization is giving adversaries more time than it gives itself. The moment that gap appears, security and IT have empirical proof that their patch flow, or the change-approval process above it, is putting the business at avoidable risk.
Three practical steps to bring TPV down to MTTR
Automate same-day roll-outs for identity-critical systems. Modern patch-management tools can stage, test, and deploy updates within hours without manual hand-offs. Prioritize the pieces attackers hit first: Active Directory, Azure AD/Entra, identity proxies, credential vaults, and any workload with domain-level privileges. Automation eliminates the human delay loop and enforces consistency across cloud and on-prem estates.
Pair every patch wave with an express IAM audit. Patching mitigates the vulnerability, but stale non-human identities and long-lived tokens can still provide attackers a foothold. Build a process that automatically compares privileged roles to policy baselines, flags inactive service accounts, and forces regeneration of decade-old API keys. Over time this practice shrinks the blast radius should a single patch ever slip through the cracks.
Show TPV alongside MTTR on the same operations dashboard. Security operations centers already pipe MTTR data into executive reports. Add a TPV tile next to it: same color scale, same thresholds. If either timer drifts beyond policy, trigger a post-mortem just as you would after a high-severity incident. Visibility begets accountability; accountability accelerates patches.
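One way to put the three steps above on a single clock, as an added example (not Unosecur’s tooling or any product's code): it computes TPV and MTTR from patch and incident records, reports the TPV-MTTR delta, flags a post-mortem when either timer drifts past policy, and judges identity-critical assets patch by patch rather than on the average. The five-day target, the asset names, dates and the fourth CVE id are constructed placeholders; the three real CVE ids are the SimpleHelp ones named earlier in the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy clocks: the article's rule is TPV target == MTTR target.
# Five days is a constructed target, not a figure the article prescribes.
TPV_TARGET = MTTR_TARGET = timedelta(days=5)

@dataclass
class PatchEvent:
    cve: str
    asset: str
    identity_critical: bool       # AD/Entra, SSO gateway, IAM console, vault, RMM
    released: datetime            # vendor fix published
    deployed: Optional[datetime]  # None = still waiting for a maintenance window

def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600

def tpv_mttr_report(patches, incidents, now):
    """incidents: list of (ticket_opened, threat_contained) datetime pairs."""
    # Per-patch TPV in hours; an undeployed patch keeps counting up to `now`.
    tpv = [hours((p.deployed or now) - p.released) for p in patches]
    mttr = sum(hours(done - opened) for opened, done in incidents) / len(incidents)
    report = {"tpv_hours": sum(tpv) / len(tpv), "mttr_hours": mttr}
    # The TPV-MTTR delta is the early risk signal: positive means the
    # organisation gives attackers more time than it gives itself.
    report["delta_hours"] = report["tpv_hours"] - mttr
    # Either timer drifting past policy triggers a post-mortem, as for a Sev-1.
    report["postmortem_required"] = (report["tpv_hours"] > hours(TPV_TARGET)
                                     or mttr > hours(MTTR_TARGET))
    # Identity-critical assets are judged patch by patch, not on the average.
    report["identity_sla_breaches"] = [f"{p.cve}@{p.asset}" for p, h in zip(patches, tpv)
                                       if p.identity_critical and h > hours(TPV_TARGET)]
    return report

# Constructed sample records: dates and asset names are made up; the three
# real CVE ids are the SimpleHelp ones the article names, the fourth a placeholder.
NOW, REL = datetime(2025, 2, 20), datetime(2025, 1, 15)
PATCHES = [
    PatchEvent("CVE-2024-57726", "simplehelp-rmm-01", True, REL, datetime(2025, 1, 17)),
    PatchEvent("CVE-2024-57727", "simplehelp-rmm-01", True, REL, None),
    PatchEvent("CVE-2024-57728", "simplehelp-rmm-01", True, REL, datetime(2025, 1, 22)),
    PatchEvent("CVE-0000-00000", "print-server-03", False, datetime(2025, 1, 10), datetime(2025, 1, 30)),
]
INCIDENTS = [
    (datetime(2025, 1, 20, 8), datetime(2025, 1, 22, 8)),   # 48 h
    (datetime(2025, 2, 1), datetime(2025, 2, 5)),           # 96 h
    (datetime(2025, 2, 10, 12), datetime(2025, 2, 11)),     # 12 h
]
```

With the sample data the report shows a mean TPV of 390 hours against an MTTR of 52 hours, and the one still-undeployed RMM patch alone accounts for most of that gap.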
A note for the boardroom
Aligning patch deadlines with incident-response speed is not a technical nicety; it is a governance control that demonstrably cuts breach likelihood.
When TPV shadows MTTR, you eliminate the attacker’s “easy mode” and close one of the biggest doors into your identity fabric before anyone can test the handle.
If you need a concrete example, our latest advisory breaks down the May 2025 Microsoft zero-days, shows which ones punch holes in Azure AD and Windows credential safeguards, and provides a 48-hour action checklist.
Read it now and benchmark how close your patch playbook comes to TPV = MTTR, because in the current threat climate, close enough may already be too slow.