Microsoft shipped March 2026 Patch Tuesday on 10 March with no actively exploited zero-days. And I can already hear the conversation in the finance department: "Quiet month, push it to next quarter." Wrong.

This month's release covers six Windows elevation-of-privilege flaws that Microsoft itself rates as Exploitation More Likely, a critical Excel bug that can hijack Copilot Agent to exfiltrate data with near zero user interaction, and two Office remote code execution issues that fire through the Preview Pane. Quiet months are when attackers catch you napping. Get the cumulative update applied. This week.

Graham here. Microsoft dropped six actively exploited zero-days on us yesterday, three of them publicly disclosed before the patch even landed. That means attackers had working exploits before you had fixes.

Three bypass your security warnings entirely. One gives SYSTEM access through Remote Desktop Services. CrowdStrike confirmed active abuse in the wild. Meanwhile, SAP shipped a CVSS 9.9 code injection flaw and Adobe patched 44 vulnerabilities across nine products.

If your patching approval process takes longer than 48 hours, you are giving attackers a documented, step-by-step guide to your network. Here is what to patch first.

Microsoft’s January 2026 Patch Tuesday delivered 114 updates and 3 zero-days – with SharePoint Toolshell, Fortinet VPN bypass, and HPE OneView RCE leading the charge. This isn’t theoretical. Attackers are already exploiting these in the wild. From Adobe Acrobat to Apple’s WebKit spyware holes, no vendor was spared. SMB IT teams, you’re on the clock. Here’s your no-fluff, brutally honest patching guide.

Monday, 12th January 2026. Instagram denies a breach while millions get password reset emails. Nissan admits attackers stole employee data. A UK school in Nuneaton faces "serious" cyber attack. Three London councils still recovering from November breach affecting 100,000 households. India's entire mobile security infrastructure looks dodgy as hell. BreachForums, the criminal marketplace itself, gets its database leaked. And the US withdraws from global cyber coordination bodies right when we need cooperation most. Eight incidents. One common thread: credentials, governance failures, and shared infrastructure vulnerabilities. Tomorrow is Patch Tuesday, but you can't patch stupid.

Microsoft's July 2025 Patch Tuesday just dropped 130 security fixes while most UK SMBs remain blind to 42% of applications running on their networks. From my NCSC experience, this represents a systematic organizational failure: you cannot patch what you cannot see.

Critical vulnerabilities in Windows Kernel, BitLocker, and authentication systems require immediate deployment, but Shadow IT applications will break unpredictably.

Worse, the buried Secure Boot certificate expiration warning affects every Windows system since 2012 and could cause boot failures by June 2026. Patch management with unauthorized applications is like performing surgery blindfolded while the patient keeps moving.

Yesterday's Episode 6 dropped the bombshell: 42% of business applications are unauthorized. Today we're diving deeper into the hidden app epidemic destroying UK SMB security.

Karen's Dropbox backup strategy with password "Password" shared via email. Marketing teams feeding confidential data to AI platforms. Customer service operations running through WhatsApp Business storing financial information in chat logs.

DNS monitoring revealing 200+ cloud connections in a single week. This isn't isolated incidents, it's systematic security failure hiding in plain sight. The digital squatters have moved in, and most businesses have no idea they're paying rent to criminals.

This week we explored compliance theatre vs real security. Next week, we're diving into the monthly war zone that every IT team knows: Microsoft's Patch Tuesday roulette where one wrong decision can sink your business.

Monday's podcast takes you inside the 6 PM chaos when UK teams scramble with late-breaking updates, and Tuesday's deep-dive exposes why traditional patch management advice is built for enterprises that don't exist.

Plus, practical survival strategies for when you're fighting attackers who reverse-engineer fixes faster than you can deploy them.