
The Patchwork Dilemma: Why the Cycle of Reactive Security Must End

Joe Toomey, February 11, 2026

At Coalition, we often speak about our mission of “protecting the unprotected.” Usually, that means defending against external adversaries. But lately, a more frustrating trend has emerged: defending policyholders against risks introduced by the very tools they’ve purchased to protect themselves.

Recently, Coalition issued a Zero-Day Alert (ZDA) for CVE-2026-24858, a critical vulnerability in Fortinet technologies. For those keeping score, this was the third notification for Fortinet SSO authentication bugs in less than two months. It followed a cycle of initial disclosure, then an update that devices were still being attacked and that additional guidance was required, and finally a new fix.

This isn’t just a bad week for a vendor. It’s a symptom of a systemic failure in the legacy hardware security market — and it’s time for a candid conversation about the risks we choose to accept.

The Math of Managed Risk

At Coalition, the bar for a ZDA is intentionally high. We’re careful to limit alert fatigue: in fact, 90% of our policyholders didn't receive a single ZDA last year. We focus on remotely exploitable vulnerabilities that require no authentication and can have catastrophic consequences, like remote code execution (RCE) or data exfiltration, and we are usually able to limit our ZDAs to only the policyholders we know are vulnerable.

Despite this high threshold, a disproportionate amount of our emergency outreach centers on a single category: legacy security appliances.

  • More than 7% of all ZDAs sent by Coalition (across every vendor and product globally) have been for Fortinet products.

  • The majority of these are reported by the US Cybersecurity and Infrastructure Security Agency (CISA) as being exploited in the wild.

  • This marks the 14th time in less than four years we have had to mobilize our policyholders to patch a critical Fortinet flaw.

When the same "side doors" (like CWE-288) and memory-safety issues continue to appear in a codebase, it validates a long-standing pattern of prioritizing convenience, feature development, and revenue over fundamental security.

Beyond 'Hug-Ops': A Call for Accountability

In the tech industry, we often practice “hug-ops,” extending empathy to the engineers in the trenches during a crisis. We’ve all been there, but empathy for individuals shouldn’t be confused with an excuse for operational complacency.

When a vendor signs the Secure by Design pledge, there’s an expectation of a roadmap toward meaningful improvement. For example, migrating from C/C++ to memory-safe languages like Rust or Go can measurably reduce exploitable vulnerabilities. There’s also an expectation that internally discovered vulnerabilities will be fully addressed before a patch is released, preventing the same authentication bypass from being weaponized by threat actors who likely wouldn’t have even known about it were it not for the botched patch.

When the market rewards vendor failures with rising stock prices and increased sales, the incentive to fix the underlying technical debt vanishes.

Choosing Resilience Over Convenience

The data from our Get That Off The Internet! guide is clear: Businesses running legacy SSL VPNs are 3 to 4 times more likely to experience a claim. While risk management is never about absolutes, this level of exposure has moved beyond a theoretical threat to a statistical near-certainty.

We’re calling on our partners, policyholders, and the broader cybersecurity community to move beyond accepting preventable failures. Here’s how we can move forward:

  1. Demand Secure by Design: Prioritize vendors that demonstrate a rigorous commitment to modern, memory-safe architectures rather than those that perpetually patch legacy codebases.

  2. Shift to ZTNA: The era of the legacy SSL VPN is closing. Moving to Zero Trust Network Access (ZTNA) solutions can significantly reduce the attack surface that these appliances leave exposed.

  3. Deploy Active Monitoring: Implementing a robust managed detection and response (MDR) solution can provide the critical safety net needed when a perimeter device is compromised.

Our Commitment

Coalition isn’t interested in simply managing the fallout of preventable failures. We’re here to help reduce risk. This means being honest about which products can be liabilities for our customers.

As we move forward, we’ll continue to use our data to identify high-risk technologies, be increasingly direct about how certain "security" products may impact a business’s overall risk profile, and help policyholders make informed decisions to remain resilient.

