Zero-Days Don’t Wait: Why Autonomous Mitigation Matters More Than Patching Faster (CVE-2026-35616)

When CVE-2026-35616, a zero-day in Fortinet FortiClient EMS, was identified as being actively exploited in the wild over the 2026 Easter weekend, mitigation became urgent.

The scenario was uncomfortable – a holiday weekend meant that most enterprise security teams were offline, change control boards were not convened, and patch testing cycles were not accelerated. The attackers exploiting this zero-day knew this and deliberately took advantage of it.

This is the current structural reality of enterprise security. Exploitation timelines have compressed to hours, but remediation timelines – still bound by physics – have not. The gap between “exploitation is underway” and “patch is deployed across all affected instances” is routinely measured in days, sometimes weeks, across organizations of every size and maturity.

For internet-facing Fortinet FortiClient EMS deployments over the 2026 Easter weekend, attackers knew they had days before any response would be enacted.

Why Patching Faster Is Not the Answer

Security teams are told, implicitly and explicitly, that the solution to fast exploitation is faster patching. The advice is reasonable in theory but consistently falls short in practice across most enterprise environments.

Reality is never so simple:

  • Patches require testing.
  • Patches require change control approval and deployment windows that do not conflict with production operations.
  • In organizations running critical infrastructure or regulated systems, a patch that has not been validated against the production environment carries its own risk.

These processes exist for sound operational reasons, and for equally sound reasons they cannot be compressed to match the speed at which a threat actor sends a crafted HTTP request to an exposed appliance.

When a zero-day is exploited over a holiday weekend, “patch faster” is not an instruction that maps onto how enterprise environments actually operate. Organizations need something that functions inside the gap between exploitation and remediation, not something that assumes the gap can be closed instantly.

What the watchTowr Platform’s Rapid Reaction Capability Actually Does

Before mitigation is possible, exposure has to be confirmed. Knowing a vulnerability exists in a product is not the same as knowing which instances in a given environment are actually affected and reachable from the internet, and the difference between those two states is where response either succeeds or falls apart. Attackers already know which instances are exposed. Security teams, without active validation, often do not.

When CVE-2026-35616 was disclosed, the watchTowr Platform’s Rapid Reaction capability executed across client environments, identifying and validating exposure against affected FortiClient EMS deployments. Security teams did not return on Tuesday to an open question about whether they were exposed. That question had been answered, with evidence, while the weekend was still underway.

The watchTowr Platform’s Rapid Reaction capability does not alert teams to the existence of a vulnerability and leave identification as a follow-on task. It validates actual exposure in the actual environment, so that when a team returns to address a zero-day that has been actively exploited over a holiday weekend, triage is already complete and response can begin from a grounded position rather than a standing start.

What the watchTowr Platform’s Active Defense Capability Actually Does

Validated exposure without mitigation still leaves an environment open to the same attackers who have been working it all weekend. Between a confirmed affected instance and an applied patch, the window of exploitability remains, and in a holiday weekend scenario, that window stretches across days by design.

The watchTowr Platform’s Active Defense capability addresses that window directly. For CVE-2026-35616, Active Defense deployed network-level mitigation rules into client environments where autonomous mitigation was configured, without requiring manual intervention from security teams that were offline. For clients not configured for autonomous mitigation, mitigation rules were made available for immediate manual application on return.

These rules operate at the network edge, reducing the exploitability of the specific vulnerability in question and serving as a temporary control while the permanent remediation process runs its normal course. Active Defense does not replace patching, and it does not render an environment invulnerable. What it does is change the position an organization is in when teams come back online: not exposed and unmitigated, but contained and ready to patch with full awareness of where the risk sits.

Mitigation Is For Buying Time

Security operations exist in real time, with real constraints. Attackers are deliberate about exploiting those constraints, and the gap they create between exploitation and response is not going away. The organizations best positioned to manage it are not the ones that somehow compress enterprise change control to match the speed of in-the-wild exploitation. They are the ones that have something in place inside the gap, something that confirms exposure immediately and applies mitigation without waiting for a team to return from the Easter table.

When teams return on Tuesday, the posture they adopt depends entirely on what happened over the weekend. Patching from a known, mitigated position, with exposure already validated and affected instances already scoped, is a managed remediation. Discovering an actively exploited zero-day with no mitigation applied and no picture of which instances were affected is an incident. The difference between those two outcomes is not faster patching. It is what happened during the gap.

By combining Proactive Threat Intelligence and External Attack Surface Management, the watchTowr Platform gives organizations the time they need to respond properly, before unmitigated exposure becomes an incident.

  • Rapid Reaction identifies and validates the exposure while teams are still offline.
  • Active Defense contains it.

This is Preemptive Exposure Management in practice.

When exploitation happens in hours, watchTowr delivers what no one else can: time to respond.

Learn how the watchTowr Platform helps organizations outpace attackers and gain time to respond.
