Every security leader says patching is critical, and Cisco Identity Services Engine (ISE) is not exempt!
Then reality intervenes.
Change windows are hard to secure. Validation is hard to coordinate. Dependencies hide in corners nobody has documented in years. So patching becomes a major project, and major projects get delayed. By the time patching happens, risk has already accumulated.
Most ISE environments are still operated with a model that treats upgrades and patching as exceptional events.
That model creates predictable challenges:
Solving these challenges becomes expensive. When it becomes expensive, it becomes infrequent. When it becomes infrequent, security and reliability debt compound together. When a new software patch release lands, many teams need to stand up a temporary project structure just to execute what should be routine lifecycle work.
That is the core operating-model gap ModernISE Platform (ModernCyber's ISE as a Service / Managed ISE) is designed to close. The objective is not simply "apply patch faster." The objective is to make lifecycle changes repeatable, controlled, and less disruptive over time.
Patching ISE is not a simple operation. Done correctly, it looks like this.
That is the standard. Appropriate for a platform that controls network access. Also a significant operational investment — every single cycle.
Cisco released three cumulative patches for ISE 3.5 between December 2025 and April 2026.
Patch 1 shipped December 15, 2025, introducing OAuth for SMTP, OIDC authentication for guest portals, posture grace period settings, and USB disk encryption conditions for Secure Client.
Patch 2 shipped February 26, 2026, targeting bug fixes from Patch 1, including the Live Logs issue.
Patch 3 shipped April 13, 2026, delivering continuous posture reassessment, TC-NAC high availability, OAuth 2.0 for MDM vendors, FQDN-to-SGT mapping, SGACL syntax validation, HTTP 2.0 for the API gateway, Windows Server 2025 Active Directory support, and a security hardening update for RADIUS response packets.
That's three patches in seven months. Each one requiring the same planning, coordination, and execution discipline.
ModernISE Platform frames patching as part of ongoing service delivery:
This makes patching less dependent on heroics and standardizes maintenance activities.
When Cisco releases a patch, ModernCyber's ISE Experts will typically have it tested within the same day to assess it for stability, reliability, and feasibility. When it is time to execute, we handle it transparently to the service and with zero downtime — sequencing, backups, verification, and post-install checks on every node. How, you might ask?
"Cattle, not pets": Microsoft engineer Bill Baker used the phrase during a discussion about SQL deployments to explain how server treatment changed over time. Many organizations treat Cisco ISE deployments as "pets": servers get unique names and special treatment. When they're "sick," they're carefully nursed back to health, often with a significant time and financial investment. When they require an update (i.e., a software patch or upgrade), you take due care to ensure they remain healthy after the change. With "cattle", individual servers are part of an identical group. Numbers, not names, identify them, and they receive no special treatment. When something goes wrong, the server is replaced, not repaired in place.
For all ISE software maintenance, we leverage a blue/green deployment strategy: we redeploy the entire ISE deployment, test and validate it, move traffic over to the green deployment, and verify users are still authenticating. If a problem arises, we can simply fall back to the previous deployment.
The result is that your ISE stays current without patching becoming a project or worry. Patch 2 is a useful example — no new features, pure bug fixes, the kind of release that gets deferred under a traditional model because the operational cost outweighs the perceived urgency. Under ModernISE, it gets applied on schedule. That is what patching looks like when it is part of the service. Not faster patching — different patching. A model where staying current is the default state, not the outcome of a project. Over time, the model compounds: better cadence for staying current, lower operational drag per cycle, fewer brittle dependencies discovered at the last minute, more predictable stakeholder communication, and stronger confidence during change windows.
If you are evaluating your current model, ask these questions:
Most teams discover the same pattern: technology is not the bottleneck, the operating model is.
If Patch 3 planning feels heavier than it should, reach out to learn more and schedule a ModernISE Platform Test Drive to see how you can skip the Infrastructure & Software Management!