According to the NIST National Vulnerability Database, 1772 software vulnerabilities with a CVSS score of 7 or higher were disclosed in 2012, and 2013 is, at the time of writing, not looking any better. The window of exposure - from when a vulnerability is discovered to when a patch has been deployed - is often very long. In a corporate environment, it’s not unusual to rely solely on patch management and semi-static security tools such as firewalls, IPS and antivirus for protection, and for various reasons patch deployment might take a long time or may not even be possible. This talk will discuss why patch management is insufficient for protection against new vulnerabilities, how the traditional “defense in depth” model needs to be re-architected, and finally how the window of exposure can be reduced by active response before incidents occur.