Block the Exploit Without Patching the System.

Virtual patching: mitigate CVEs on systems you cannot take down to patch

Virtual patching applies inline inspection rules at TXOne Edge and Stellar that block exploit attempts against known CVEs, without requiring a software patch on the vulnerable system. It is how you mitigate 26% of CISA advisories that have no patch available, and how you protect the legacy Windows and firmware-locked systems that cannot be patched in a four-hour maintenance window.

Start a 60-Minute Proof of Value Review Virtual Patch Coverage

Compensating Control for the Unpatchable

Patching Is Not the Only Answer. In OT, It Is Usually Not the Fastest.

100% of organizations run legacy Windows. 26% of CISA advisories have no patch. A four-hour maintenance window cannot absorb every critical CVE.

Virtual patching closes the gap between a disclosed CVE and an applied fix. TXOne Edge enforces protocol-aware signatures that block the exploit pattern on the wire. Stellar enforces behavioral baselines that block exploit behavior at the endpoint. The vulnerable system stays exactly as it is. The exploit cannot reach it. The Gartner 2025 CPS Vulnerability analysis explicitly endorses this approach for CPS environments.

Capability

What is Virtual Patching?

Virtual patching at TXOne takes two forms that work together. At the network layer, TXOne Edge applies OT-native signatures that detect and block exploit attempts against specific CVEs across 180+ industrial protocols. At the endpoint layer, Stellar enforces application lockdown and CPSDR behavioral baselines that block the exploit from executing even if it reaches the host. Both layers draw from Zero Day Initiative (ZDI) research and the TXOne threat research team. Together they deliver compensating protection for vulnerable systems you cannot patch today (or ever), with explicit credit in the VSAR vulnerability risk model inside Sennin.

Requirements

Virtual Patching Challenges

Key challenges that Virtual Patching addresses.

01 / 04

Almost a quarter of disclosed CVEs are unpatchable today

26% of CISA Advisories Have No Patch Available

Gartner's 2025 CPS Vulnerability analysis documented 3,546 CISA advisories with 26% having no patch available and 18% having neither patch nor mitigation. The traditional patch-driven vulnerability program cannot help.

Almost a quarter of disclosed CVEs are unpatchable today

26% of CISA Advisories Have No Patch Available

Gartner's 2025 CPS Vulnerability analysis documented 3,546 CISA advisories with 26% having no patch available and 18% having neither patch nor mitigation. The traditional patch-driven vulnerability program cannot help.

Key Components

Core components of the Virtual Patching capability.

01 / 05

Network-Layer Virtual Patches (TXOne Edge)

Edge applies OT-native signatures that detect and block exploit attempts against specific CVEs across 180+ industrial protocols. The signatures recognize the exploit pattern on the wire and prevent it from ever reaching the vulnerable system. Blocks happen inline in sub-seconds, not after a 35-45 minute coordination window.

Key Capabilities

1,500+ OT-native threat signatures

Protocol-aware detection across 180+ protocols

Sub-second inline blocking at wire speed

Zero-day coverage via ZDI (Zero Day Initiative) research

Endpoint-Layer Virtual Patches (TXOne Stellar)

Stellar enforces application lockdown and CPSDR behavioral baselines on the endpoint. Even if an exploit reaches the host, the baseline denies the process, the file write, or the registry change it needs to succeed. Coverage spans Windows 2000 through Windows 11, including the legacy systems IT EDR drops.

Key Capabilities

Application lockdown prevents unauthorized execution

CPSDR blocks exploit behavior at the process level

Windows 2000 through Windows 11 endpoint coverage

Protection survives even if network defenses are bypassed

VSAR Credit in Sennin

When TXOne virtual patches cover a CVE, Sennin VSAR gives the asset explicit credit in its operationally-weighted risk score. The vulnerability remains tracked, but its priority drops because the exposure is mitigated. Your team focuses on CVEs without compensating coverage first.

Key Capabilities

Virtual patch coverage automatically reflected in VSAR

CVE remains visible and auditable

Aligns remediation workload with actual residual risk

Evidence for compliance and regulator reviews

Zero-Reboot Signature and Behavioral Updates

New virtual patches deploy without reboot, without traffic interruption, and without consuming the production maintenance window. Your maintenance window stays available for actual operational work. Security currency becomes independent of the plant calendar.

Key Capabilities

Signatures update without device reboot

Behavioral baselines refresh without endpoint downtime

Maintenance window preserved for operations

Deployment cadence independent of plant schedule

Research-Backed Coverage

Virtual patch coverage draws on Zero Day Initiative (ZDI) research, the TXOne threat research team, and public CVE disclosure feeds. Coverage extends to operational protocols that IT security research teams do not study. The result is CVE protection specifically for industrial environments, not generic IT signatures adapted for OT.

Key Capabilities

ZDI research feeds primary signature generation

TXOne threat research team adds OT-specific coverage

CISA advisory tracking for active exploitation

Protocol coverage IT vendors do not provide

Network-Layer Virtual Patches (TXOne Edge)

Edge applies OT-native signatures that detect and block exploit attempts against specific CVEs across 180+ industrial protocols. The signatures recognize the exploit pattern on the wire and prevent it from ever reaching the vulnerable system. Blocks happen inline in sub-seconds, not after a 35-45 minute coordination window.

Key Capabilities

1,500+ OT-native threat signatures

Protocol-aware detection across 180+ protocols

Sub-second inline blocking at wire speed

Zero-day coverage via ZDI (Zero Day Initiative) research

Outcomes

01 / 04

$2-5M

Per-system replacement cost avoided

$2-5M

Per-system replacement cost avoided

CISA CPS advisories in scope

CISA advisories with no patch available

Legacy Windows prevalence in OT

Cite replacement cost as primary barrier

Why TXOne for Virtual Patching

Network and endpoint enforcement working together, backed by OT-specific research, with explicit credit in operational risk scoring.

TXOneOperations-first

Virtual patches run at both the network (Edge) and endpoint (Stellar) layers. Redundant coverage means an exploit has to bypass both; most bypass neither.

VS

Two Layers, Not One