About PatchDelta

Who Built This

Mike Poeschl — security infrastructure engineer, founder of PatchDelta.

I’ve spent five years building security products and infrastructure. I’ve watched vendor advisories stream in. I’ve tracked patch timelines. I’ve seen the gap between vendor marketing claims and operational reality.

That gap is the reason PatchDelta exists.

The Problem

The cybersecurity industry measures vendors on the wrong thing: CVE count (how many vulnerabilities affect their products). It’s a meaningless metric. A vendor that actively discovers and discloses vulnerabilities looks “worse” than a vendor that silently ships patches without publishing advisories.

What actually matters: How fast vendors patch disclosed vulnerabilities.

A CISO doesn’t care whether a vendor has 50 CVEs or 150 CVEs. A CISO cares about one question: if a vulnerability is disclosed tomorrow, how long until my vendor has a patch available? That’s operational maturity. That’s what you can measure and compare.

The Solution

PatchDelta measures one metric: the delta between CVE publication (NVD) and patch availability (vendor advisory). We compute medians, segment by severity and product category, publish confidence scores, and explain our methodology transparently.

No vendor interaction. No sponsorship. No marketing. Just data.
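
One way to compute the metric described above, as an added example that is not PatchDelta's own code or methodology. The row layout, function name, and the placeholder vendors and CVE ids are assumptions; the page does not define its confidence score, so the example reports sample size, early advisories, and still-unpatched CVEs alongside each median instead.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample rows: (cve, vendor, severity, nvd_published, advisory_date).
# Vendors and CVE ids are placeholders; advisory_date None = no fix advisory yet.
ROWS = [
    ("CVE-0000-0001", "vendor-a", "CRITICAL", date(2024, 1, 10), date(2024, 1, 12)),
    ("CVE-0000-0002", "vendor-a", "CRITICAL", date(2024, 2, 20), date(2024, 2, 17)),
    ("CVE-0000-0003", "vendor-a", "CRITICAL", date(2024, 3, 5), date(2024, 3, 14)),
    ("CVE-0000-0004", "vendor-a", "HIGH", date(2024, 1, 2), date(2024, 1, 16)),
    ("CVE-0000-0005", "vendor-a", "HIGH", date(2024, 2, 1), date(2024, 3, 2)),
    ("CVE-0000-0006", "vendor-a", "HIGH", date(2024, 3, 1), None),
    ("CVE-0000-0007", "vendor-b", "CRITICAL", date(2024, 4, 1), date(2024, 4, 22)),
    ("CVE-0000-0008", "vendor-b", "CRITICAL", date(2024, 5, 2), None),
]


def patch_delta_summary(rows, as_of):
    """Summarise advisory_date - nvd_published (days) per (vendor, severity)."""
    closed = defaultdict(list)    # deltas for CVEs that have a fix advisory
    open_age = defaultdict(list)  # age so far for CVEs still without one
    for _cve, vendor, severity, published, advisory in rows:
        key = (vendor, severity)
        if advisory is None:
            open_age[key].append((as_of - published).days)
        else:
            closed[key].append((advisory - published).days)
    summary = {}
    for key in sorted(set(closed) | set(open_age)):
        days = closed.get(key, [])
        summary[key] = {
            "median_days": median(days) if days else None,
            "n": len(days),                      # sample size behind the median
            "early": sum(d < 0 for d in days),   # advisory predates NVD publication
            "open": len(open_age.get(key, [])),  # excluded from the median
            "oldest_open_days": max(open_age.get(key, []), default=None),
        }
    return summary


if __name__ == "__main__":
    for key, stats in patch_delta_summary(ROWS, as_of=date(2024, 6, 1)).items():
        print(key, stats)
```

Reporting open CVEs separately matters because a median over patched CVEs alone cannot get worse while a fix is still outstanding.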

Why This Matters

For CISOs: A quantitative comparison of vendor operational maturity. Not analyst ratings. Not marketing claims. Just the numbers.

For vendors: Incentive alignment. You’re measured on what actually matters: how fast you fix disclosed problems. If your patch response time is slipping, you can actually improve it.

For the industry: A reframe around accountability. In incident response, we stopped measuring alert count and started measuring MTTR. In vulnerability management, we should do the same: stop measuring CVE count and start measuring patch response time.

What’s Next

At launch, PatchDelta tracks five major vendors (Fortinet, Palo Alto Networks, Cisco, Check Point, Juniper) across seven product categories.

We’ll add more vendors as the nomination pipeline fills. We’ll open-source the methodology. We’ll increase refresh cadence. We’ll layer in richer disclosure timeline data.

The goal: Patch response time becomes the industry standard for vendor comparison.

PatchDelta is built with independence, transparency, and accountability in mind.