Point. Click. Patch.

The Patching Problem

Vulnerability Scanning

The unfortunate reality for all of us is that bugs are simply part of the software lifecycle. A single Static Application Security Testing (SAST) report could identify hundreds—if not thousands—of instances for each vulnerability, but running SAST and Dynamic Application Security Testing (DAST) tools only identifies the vulnerabilities, it does not fix them.

Even if organizations are willing to find and fix the vulnerabilities in their own code, applications can still be vulnerable since only 10% – 20% of the code that runs on your application is written by application developers.

Vulnerabilities also occur throughout the rest of the code in the underlying frameworks, libraries, transient dependencies, servers, services and even the runtime platform itself (JVM, .NET, etc.).

Critical Patch Updates

Routine critical patches that come from Oracle and Microsoft represent a significant part of the burden teams face. Microsoft’s Patch Tuesday is an institutional event and Oracle’s quarterly Critical Patch Updates (CPU) have more than doubled in size since April 2016 – from the 130s to the 300s per CPU in July 2017. The July 2017 CPU reflected finding a new vulnerability every 68 hours (on average) based on the Java-related CVEs patched – 2/3rds of which had a High Severity CVSS score and 87 percent of which could be remotely exploited without authentication.

Vulnerabilities found in 2017 (Source: NIST)
of High Severity Vulnerabilities take more than 90 days to close (Source Veracode)
Average number of days open source flaws are known until patched (Source: COSRI)
of known flaws discovered in 2016 can be patched with CPUs (Source: IBM)

“My scanning tools give me a list of flaws as long as my arm on top of huge CPUs. My team can’t patch fast enough”.

Waratek Patch

Waratek Patch

A lightweight plugin agent to apply custom security rules as well as current and historical virtual patches for instant protection.

  • Support for Java and .NET applications
  • Create and apply custom virtual patches
  • Virtual patches of Java and .NET critical patch updates
  • Library of past CPUs to Java 4
  • Instant protection
  • No downtime
  • No code changes
  • Functional equivalent physical patches
  • No break / No Exploit Guarantee
  • Self-manage or use Waratek As A Service

Point. Click. Patch.

Most WAF and RASP vendors tell you they virtually patch your code.

They don’t.

Physically patching known software flaws is time consuming and risky. That’s why traditional virtual patching, also referred to as virtual shielding, is often mentioned as a way to quickly protect applications against known CVEs. But, traditional virtual patches still leave you vulnerable to attack.

Web Application Firewall (WAF) and RASP providers use techniques such as pattern matching or RegEx to shield a known CVE. These patches do not fix the flawed code and often result in false negatives and false positives. Routine tuning is also required for the patch to remain effective against attack.

Only Waratek can fix the vulnerable code of a CVE with no downtime, no source code changes, and no tuning.


Waratek’s runtime virtual patching is fundamentally different.  A runtime virtual patch is the functional equivalent of a physical binary patch that is applied while the application runs with no source code changes and no tuning required.

The known CVE is fixed in the compilation pipeline of Java and .NET applications, reducing the time-to-patch across an enterprise from weeks, months, or years to a matter of minutes.

Waratek can also provide custom runtime virtual patches based on the output from vulnerability reports.

Runtime Virtual Patching


Take a look at how Waratek Patch works

Easy to Install

  • Simple plug-in agent to the Java JVM or .NET CLR
  • Patch multiple applications at the click of a button
  • No profile or tuning

Simple to Operate

  • Simple patch configuration
  • Simple deployment tool
  • Central patch deployment
  • No tuning

Save Time and Money

Reduced costs of:

  • Patching
  • Ongoing Maintenance
  • Increased ability to focus on higher priority items
  • Improved compliance

Waratek Services

Patching Subscription Service

Create your own virtual patches using the Waratek patch engine, or subscribe to our virtual patch service. You’ll receive routine and emergency virtual patches updates when they are issues by Oracle, Microsoft, IBM or other key software vendors like the Apache Foundation.

Custom Virtual Patching Service

Waratek offers a custom virtual patching service. Give us your scanning reports and we’ll create custom virtual patches on a subscription or a` la carte basis.

Patch Library

Waratek offers a library of Java Virtual Critical Patch Updates to ensure current and legacy applications are fully patched. Virtual patches for Java 7 and Java 8 are currently available. Java 5 and Java 6 will be available in Q2, and Java 4 will be available by Q3.

Suggested Resources


Saving Time and Costs with Virtual Patching



Virtual Patching




Watch this short video to find out how Waratek provides Virtual Patching



Virtual Patching is in the eye of the beholder


Can we help?

Want to find out more about how Waratek can help you speed up your Patching process?

Contact us:

Other Waratek Products

Waratek Secure

Waratek Secure

A lightweight plugin agent that protects against the known vulnerabilities found in:

  • 2013 and 2017 OWASP Top Ten
  • SANS Top 25
  • Zero Day Attacks

Waratek Enterprise

Waratek Enterprise

A plugin agent that provides the full suite of Waratek benefits:

  • Virtual Platform Upgrade for Java
  • Virtual Patching
  • Full Stack Security