THESEUS: Making patching happen

Project: Research project

Project Details


A core assumption underlying organizational security practices
is that defenders are able to remediate known vulnerabilities in
their systems in a timely fashion. Otherwise, attackers can just
follow the breadcrumbs laid out by security advisories and
exploit known weaknesses. This is indeed what happens in
many large breaches. While progress has been made at the
level of consumers, with automatic updates and default
patching settings, this does not translate to enterprises. They
face a painful dilemma: patch too soon and incur potential
downtime and failures; patch too late and get compromised by
attacks. As a result, organizations take a long time to patch
even critical security vulnerabilities. The central objective of
THESEUS is to empower organizations to patch much faster. It
aims to achieve this by radically changing the risk governance
of patching. Changing the risk of patching for enterprises
means to develop interdisciplinary breakthroughs at three
interdependent levels:
- Systems: reducing risk of patching via
new techniques in automatic vulnerability and patch triaging,
as well as automatic patch generation with live update for
cases where critical patches pose unacceptable availability
- Enterprises: better quantifying risk of patching by
assessing and aggregating the results of the patch triaging, as
a way to estimate exploit likelihood in a coherent picture that
accounts for different attacker models and functional impact.
-Governance: more effectively managing risks of patching by
introducing incentive mechanisms via notifications and
information sharing, sector-wide benchmarks of patching
speed, and potentially legal instruments. THESEUS sets out to
(1) bring advances from the lab to real-world settings by
working with a large consortium of partners from healthcare
and transportation who contribute people, data, and pilots; and
(2) replace the status quo, as well as counterproductive
solutions like mandatory patching, with a richer set of
governance interventions across different levels.

Layman's description

The central objective of the THESEUS project is to empower organizations to patch security vulnerabilities much faster, more efficiently and with less risk.
Short titleTHESEUS
Effective start/end date15/10/2114/10/27


  • patching
  • security updates
  • cybersecurity
  • cybersecurity law


Explore the research topics touched on by this project. These labels are generated based on the underlying awards/grants. Together they form a unique fingerprint.