How a Federal Agency Reduced Costs and Improved Security by Rethinking Third-Party Application Patching

Outcomes

For too long, customers have been stuck with expensive, underwhelming options for third-party application patching. InSequence PackageForge® breaks that cycle, delivering patching the way it should have always been done.

Results at one Federal Agency demonstrate what’s possible:

• Outcome 1 – Reduced FTE Costs
  • Achieved a 40% cost savings compared to traditional staffing models.
  • Scales seamlessly to meet demand, delivering repeatable outcomes without additional headcount.

• Outcome 2 – Fast Response
  • Delivered 1,522 packaged applications in under six months.
  • Averaged 80 applications per two-week sprint with a peak of 185 applications in a single sprint.

• Outcome 3 – Improved Security
  • Uses a proactive approach that anticipates patches before they become risks.
  • Meets predictable delivery SLAs through proactive patching aligned to security requirements.

Challenge: The Hidden Costs of Application Patching

Across industry, application packaging is expensive, reactive, duplicative, and slow to scale due to four core challenges:

Labor

Third Party Patching labor is expensive, reactive, duplicative, and slow to scale.

While deployment tools such as MECM (SCCM), Intune, and Tanium are powerful, the creation and packaging of applications remains manual and labor-intensive. Organizations spend thousands of labor hours each year packaging and patching common third-party software — from Adobe to Zoom — relying on highly paid FTEs or contractors.

Even with automation tools in place, labor resources are consumed by repetitive and reactive tasks, including:

• Patch Response Prep
  • Reviewing Vulnerability Reports
  • Researching Vendor Websites
  • Retrieving & Validating Installer Files
• Patch Response Execution
  • Scripting to Automate Install of Patches
  • Orchestration of Patch Deployment
  • Validating Results

These activities are frequently duplicated across teams, systems, and locations. Each silo maintains its own staff, compounding inefficiencies.

And because delivery is manual, scaling service levels depends entirely on human resourcing and onboarding cycles, not technology.

Reaction Time

For hackers, the stopwatch starts the moment a vulnerability is disclosed. For most enterprises, the clock doesn’t begin until days later — once vulnerability reports are routed to system owners.

By the time human analysts review reports, identify needed patches, retrieve installers, and prepare automation, valuable days have already passed — with adversaries enjoying a head start.

Technology Limitations

Industry-leading platforms such as MECM, Intune, and Tanium are excellent deployment engines but lack the packaged content and intelligence required to act quickly. They don’t inherently know which patch or version is the latest. A human must still:

• Review vulnerability reports and determine required patches

• Create the automated installation package

• Script deployment and uninstall routines

• Validate functionality and compatibility against OS baselines and cybersecurity policies

When done manually, this takes time, labor, and introduces risk.

The Cost of the Status Quo:

Labor, reaction time, and the potential for failure all rise with every handoff and shared responsibility in the patching process. Each manual step adds cost, delays remediation, and compounds risk. The result is a patching model that is expensive, reactive, and unsustainable — making third-party patching one of IT’s most costly hidden risks, and a problem that demands a new approach.

Outcomes Delivered By PackageForge®

As part of a digital modernization effort, a Federal Agency outsources application packaging and patching to InSequence’s PackageForge® managed service. The Agency was facing a major OS upgrade and didn’t have the staffing or computing resources to handle the challenge themselves.

InSequence proposed PackageForge® in a firm fixed price model where the customer paid for a set number of application packages. Using a NIST compliant environment, PackageForge® delivered thoroughly tested updated application packages to the customer thru a series of 2 week sprints over the course of 6 months. According to the customer:

“What began as a tactical outsourcing initiative quickly became a strategic collaboration.”

The results seen by the customer were dramatic and quantifiable:

• Savings: 40% cost savings compared to traditional staffing models

• Readiness: 100% of end of life applications retired

• Volume: 1,522 applications packaged in under 6 months

• Response Time:
  • 80 applications delivered on average per two-week sprint
  • 185 applications delivered at peak in a single sprint

• Quality
  • 100% of packages included uninstall scripts and definition files
  • 100% of packages aligned to industry best practices and standards
  • 100% of packages reviewed and tested for security and functionality

PackageForge® achieved high-throughput and enabled the agency to successfully meet its Windows OS migration timeline while ensuring that every application was reviewed, tested, and validated against security baselines and policy requirements.

For this case study, PackageForge® team members delivered the final packages into the customer’s MECM environment, where the customer MECM team took over deployment.

How PackageForge® is Different:

PackageForge® proactively monitors vendors for updated applications, and removes the handoffs between the many roles involved in vulnerability management. PackageForge® takes ownership of the whole process, with one underlying goal: quickly delivering the latest updates to drive down response time.

1. PackageForge® proactively monitors applciations for updates.
2. PackageForge® handles acquiring and validating binaries from vendors.
3. PackageForge® builds automated deployment packages.
4. PackageForge® delivers the automated packages into the customer patch delivery tooling.
5. Optionally, PackageForge® onsite integration specialists orchestrate the deployment of patches to endpoints.

Conclusion: Time to Rethink Patching

Government agencies don’t need to build massive internal teams to package Zoom updates or Adobe Reader patches. Instead, they can adopt a scalable, secure, and proven approach that gets them out of the packaging business and back to mission-critical work.

PackageForge® Reimagines Application Patching:

• Proactive Patch Anticipation
• Surge to Meet Demand
• Volume Discounts
• Pay As You Go Pricing
• Exceeds NIST Compliance Requirements
• Adherence to Best Practices

Want to Learn More?

InSequence’s team members have over 80 years of collective packaging experience. Our team thrives supporting customers with demanding Missions and pressing deadlines.

InSequence’s PackageForge® is available today for federal agencies via our GSA MAS contract vehicle. Contact us to discuss how to integrate this service into your patch management lifecycle.