Cisco Live Protect

Reduce vulnerability exposure on Cisco infrastructure before the next patch window

Closing the vulnerability gap during patch cycles is essential for maintaining resilient infrastructure. Learn how Cisco provides validated runtime protections to help teams mitigate vulnerability exposure, ensuring service continuity while they prepare and deploy permanent software fixes.

What this means for you

Live Protect is designed to address the operational gap between disclosure and patch completion. It enables teams to reduce risk earlier, while maintaining Cisco infrastructure operations and completing permanent remediation through normal patch and change-control processes.

Reduce exposure

Reduce exposure before patching with validated runtime protections for supported Cisco products.

Continue operations

Apply a shield and continue operations; no reboot is required during the protection action.

Govern the lifecycle

Govern the Shield lifecycle through integrated workflows: monitor, enforce, disable, and retire.

Note: Live Protect is designed to support—not replace—your existing patching strategy. We recommend that you continue your standard software maintenance and deploy permanent patches as soon as they are available to ensure long-term system integrity.

Reduce the time infrastructure stays exposed

Attackers are moving faster from vulnerability disclosure to exploit attempts. At the same time, critical network and security infrastructure cannot always be patched immediately without business risk.

Live Protect gives operators another option. When Cisco validates runtime protection for a supported platform, release, policy, and mode, teams can reduce exposure while they complete the permanent software fix. The value is not avoiding patches. The value is reducing exposure days while patching moves through the right operational process.

From advisory to protection to patch

Live Protect uses Cisco-provided policies to address vulnerabilities on supported Cisco products. Teams can begin in monitor mode to assess potential impact before transitioning to enforcement, helping ensure security measures align with existing operational workflows.

Cisco validates Vulnerability Shields through the appropriate product, PSIRT, Talos, engineering, and support workflows before customer guidance is published.

These policies serve as temporary compensatory controls. Once a permanent software fix is applied, teams should disable or retire the policy, following Cisco-provided retirement guidance to ensure ongoing system integrity.

Lifecycle view

Advisory

Critical vulnerability guidance identifies exposure and fixed-software path.

Validated policy

Cisco validates whether a supported Vulnerability Shield can reduce exposure.

Monitor or enforce

Teams observe impact and apply enforcement where supported and appropriate.

Patch and retire

Teams deploy the permanent fix and retire the temporary protection when no longer needed.

Understanding the scope of Live Protect

Live Protect is

  1. Runtime protection for supported Cisco products and releases.
  2. A compensating control that can reduce exposure before patching.
  3. Cisco-provided, Cisco-validated protection tied to supported policy, mode, and lifecycle behavior.
  4. A way to help protect supported Cisco products that run critical network and security functions.

Live Protect is not

  1. A substitute for permanent software remediation or patching.
  2. A universal solution for every vulnerability type.
  3. A generic tool for third-party workload or application protection.
  4. A universally available feature across the entire Cisco portfolio.

Frequently asked questions

Does Live Protect replace patching?

No. Live Protect is a compensating control designed to mitigate risk during the interim period between vulnerability disclosure and remediation. Customers should continue to prioritize regular software maintenance and deploy permanent patches or fixed software releases.

Is every vulnerability eligible for Live Protect?

No. Shield availability is determined by a range of factors, including the nature of the vulnerability, exploit characteristics, supported platform, software release, policy, mode, and Cisco validation status.

What is a Vulnerability Shield?

A Vulnerability Shield is a Live Protect policy for a selected, validated vulnerability condition. These shields are intended as temporary measures and should be decommissioned once a permanent software fix is applied.

Can customers monitor before enforcing?

Where supported, yes. Monitor mode records matching events without active enforcement, enabling an assessment of potential operational impact before transitioning to a full enforcement policy.

What products support Live Protect?

Availability is specific to the supported Cisco product, software release, policy, mode, delivery path, management surface, and lifecycle support. We recommend that customers consult Cisco security advisories and product documentation to identify the specific protections available for their infrastructure. Read below for the latest information on supported products.

Supported Live Protect products

Coming soon across the Cisco portfolio.

Stay current on Cisco security guidance

Stay current on Cisco security advisories, product security guidance, and lifecycle notices so your teams can act quickly when new guidance is released.

Live Protect availability and behavior vary by supported Cisco product platform, software release, policy, mode, delivery path, management surface, and lifecycle support. Live Protect does not replace permanent patches or fixed software releases. Customers should follow applicable Cisco security advisories, product documentation, and support guidance.