Automatic Patch Management

Controlled, monthly OS security patching for your VMs and containers, with clear maintenance windows and notifications.

  

At a glance

Scope

OS security & critical updates

Schedule

2nd Wednesday monthly, 10:00 EET

Downtime

Typically 15 minutes if reboot required

Control

Opt-in, exclusion + custom windows


What is included

OS security updates

Monthly security patches for supported operating systems.

Critical vendor patches

Critical OS fixes recommended by the OS vendor.

Post-patch basic health checks

Basic service + connectivity checks after updates/reboot.

Pre/post notifications + execution record

Pre/post notices and a summary of what was applied.

What is not included

Major OS upgrades

No major distro upgrades (e.g., 22.04 → 24.04) or Windows version upgrades (e.g., 2022 → 2025).

Major application upgrades

No major version upgrades for apps/DBs/frameworks.

App config changes

No app config changes or tuning as part of patching.

Compatibility remediation

Fixes for app incompatibilities are handled separately.

How it works

Confirm opt-in

Let us know you would like to enable the service or provide exceptions.

Enable schedule

We enable the automatic scheduling of patch management.

Apply patches

Patches are applied according to schedule.

Validate

The systems are validated via basic service health checks.

Maintenance window selection

Standard window: Wednesday of the second week, 10:00 EET (GMT+2).

Alternative windows: available on request.

FAQ

Automatic Patch Management is available for:

  • All systems covered under an active support contract that includes proactive support services, and

  • All systems hosted within Spearhead Cloud with an SLA level of Standard or higher.

If a system is legacy/EOL or has special constraints, we may recommend exceptions or a custom approach.

We apply operating system vendor patches and third-party patches delivered through approved repositories, including (where applicable) repositories such as:

  • distribution/vendor repos (e.g., Debian/Ubuntu/RHEL family),

  • third-party vendor repos (e.g., Percona, PHP repos, etc.).

Scope is OS-level security and critical updates; we do not perform major upgrades as part of this program.

In most cases, patching is non-disruptive or causes only brief service interruptions:

  • Some services may restart and become temporarily unavailable for 1–2 minutes.

  • If patches require a system reboot, downtime can be up to ~15 minutes per system (typically less), depending on boot time and service startup.

We design our automation to minimize risk and to detect issues quickly:

  • Prerequisite: before enabling Patch Management, we validate that a functional backup process is in place.

  • No backup = no automatic patching: if backups are not available/functional, the automated process will not be applied.

  • Patches are applied during normal operating hours, so any unlikely issues can be detected and handled immediately by our team.

This refers to patching outside the regular monthly window for situations such as:

  • critical vulnerabilities with active exploitation in the wild,

  • high-severity vendor advisories that require immediate action.

If such a case occurs, we will handle it as a security change, aligned with your SLA and operational constraints (and, where applicable, an agreed communication path).

Yes.

  • Exclusions: specific systems can be excluded on request; however, excluding systems means they may remain unpatched and therefore at higher security risk. We will ask you to explicitly acknowledge this risk.

  • Custom windows: the maintenance window can be adjusted to another preferred time covered by your SLA.

If the requested timeframe is not covered by your current SLA, an SLA upgrade (or a separate agreement) is required to support that window.

By default, Patch Management is fully automated, and notifications are handled internally:

  • Our monitoring platform is informed so maintenance suppression is applied during patching.

  • Our team receives alerts from both the automation process and monitored systems if anything fails or behaves unexpectedly.

Customer notifications are optional and can be enabled on request (e.g., pre/post email summary or ticket updates).

Before enabling Patch Management, we validate that a functional backup process is in place for the systems in scope.

Depending on platform and agreed setup, this may include backups and/or snapshots.

How do I enable/disable later?

You can enable, disable, or adjust scope at any time by:

Please include the systems (hostnames/FQDNs) and any include/exclude lists or preferred maintenance window.

Contact details

Please contact Spearhead Help Center to obtain more details about enabling, disabling or changing custom windows for your patch management process.

Email: help@spearhead.systems

Portal: https://help.my.spearhead.systems/