
The Air Gap Myth: Why “Offline” Patching Often Increases Risk

January 14, 2026

By Gene Moody


I have spent a large part of my career working in environments that claimed to be air gapped.

Some actually were.
Most were not.

Outside of purpose built military or lab grade isolation, I have never seen a production enterprise network that was truly air gapped in both design and practice. What I see instead is something far more common and far more dangerous: a faux gap, sustained by process, habit, and belief.

And that belief usually sounds like this:

“We don’t need automated patching. The system is air gapped.”

That assumption is not just wrong. In most environments, it actively increases risk.

What a Real Air Gap Actually Requires

A true air gap is not just the absence of internet access. It requires a set of controls that reinforce one another, and the failure of any one of them degrades the effect of all the others.

Minimum requirements:

  • Fully static systems.
  • No dual homed endpoints.
  • No laptops moving in and out.
  • No shared admin credentials.
  • No removable media without chain of custody.
  • No convenience exceptions.
  • Continuous enforcement and auditing.
  • A boatload of policies with real consequences.
  • A plan to investigate, resolve, and if necessary perform full disaster recovery of the whole system for any incident that cannot be completely profiled.

Maintaining this is expensive, operationally painful, and culturally unpopular.

The few teams who do it correctly know exactly how much work it is. Everyone else has something that looks like an air gap on a diagram and behaves like a connected network in practice.

If your environment has mobile devices, shared admin workstations, temporary connections, vendor access, or manual update processes, you do not have an air gap. You have a delay.

The Dangerous Comfort of Manual WSUS Sync

WSUS persists in these environments because it feels controlled, and for that reason it is often cited as contractually required. That requirement does not stop the product itself from aging out. We can defer the problem to the next admin, but the end of WSUS is coming; there is no denying that, it is only a question of when. Microsoft is not building an alternative in this arena, and eventually WSUS will slip into obsolescence. It is unreasonable to believe there is enough market for a new product to thrive in this space; the best realistic outcome is offline adaptations of existing systems.

Manual synchronization, offline updates, and staged imports give teams the sense that nothing untrusted ever touches production. On paper, this looks cautious, but in almost all cases that security exists only on paper.

In reality, it creates a multistage, human dependent supply chain that is easier to influence, harder to audit, and slower to react.

A typical manual WSUS process introduces:

  • Removable media handling.
  • Multiple trust transitions.
  • Delayed validation.
  • Limited cryptographic verification.
  • Minimal continuous monitoring.
  • Poor auditability.

Every handoff is an opportunity. Every step is a weakness. Every delay is exposure, and a strategic advantage to the attacker.

Ironically, the more manual the process becomes, the more places exist for tampering, error, or compromise.
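The failure modes listed above (media handling, trust transitions, limited cryptographic verification, poor auditability) are all addressable at the one point where the manual chain lands on the import host. The script below is an added example, not code from the original post or from Action1: before anything is handed to wsusutil import, it checks every staged file against the courier's manifest, verifies its Authenticode signature and signer, flags anything on the media that the manifest does not list, and writes an append-only audit record per file. The paths, the manifest layout (a CSV with Path and SHA256 columns), and the expected signer subject are assumptions for the example.

```powershell
# Added example, not code from the original post or from Action1.
# Verifies a staged offline update bundle before it is imported into WSUS:
#   1. every file named in the courier's manifest is present and its SHA-256 matches,
#   2. nothing arrived on the media that the manifest does not list,
#   3. every file carries a valid Authenticode signature from the expected publisher,
# and writes one audit record per file so the handoff can be reviewed later.
# Paths, manifest layout and the expected signer subject are assumptions for this example.

param(
    [string]$StagingRoot    = 'D:\WsusImport\Staged',        # where the media was copied (assumed)
    [string]$ManifestPath   = 'D:\WsusImport\manifest.csv',  # CSV with columns Path,SHA256 (assumed)
    [string]$AuditLogPath   = 'D:\WsusImport\audit.jsonl',   # append-only audit trail (assumed)
    [string]$ExpectedSigner = 'CN=Microsoft Corporation*'    # subject pattern for the signer (assumed)
)

$manifest = @(Import-Csv -Path $ManifestPath)
$findings = [System.Collections.Generic.List[string]]::new()

function Write-Audit {
    param([string]$File, [string]$Result, [string]$Detail)
    # One JSON line per decision: who verified what, when, on which host, with what outcome.
    $record = [ordered]@{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        operator  = "$env:USERDOMAIN\$env:USERNAME"
        host      = $env:COMPUTERNAME
        file      = $File
        result    = $Result
        detail    = $Detail
    }
    ($record | ConvertTo-Json -Compress) | Add-Content -Path $AuditLogPath
}

# Checks 1 and 3: walk the manifest, not the disk, so a missing file is noticed.
foreach ($entry in $manifest) {
    $full = Join-Path $StagingRoot $entry.Path
    if (-not (Test-Path -LiteralPath $full)) {
        $findings.Add("MISSING   $($entry.Path)")
        Write-Audit $entry.Path 'fail' 'listed in manifest but not present'
        continue
    }

    $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    if ($actual -ne $entry.SHA256.ToUpperInvariant()) {
        $findings.Add("HASH      $($entry.Path) expected $($entry.SHA256) got $actual")
        Write-Audit $entry.Path 'fail' "sha256 mismatch: $actual"
        continue
    }

    # A matching hash only proves the file is what the courier wrote down; the
    # signature proves the publisher produced it and it was not altered in transit.
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    if ($sig.Status -ne 'Valid') {
        $findings.Add("SIGNATURE $($entry.Path) status $($sig.Status)")
        Write-Audit $entry.Path 'fail' "authenticode status $($sig.Status)"
        continue
    }
    if ($sig.SignerCertificate.Subject -notlike $ExpectedSigner) {
        $findings.Add("SIGNER    $($entry.Path) signed by $($sig.SignerCertificate.Subject)")
        Write-Audit $entry.Path 'fail' "unexpected signer $($sig.SignerCertificate.Subject)"
        continue
    }

    Write-Audit $entry.Path 'pass' "sha256 $actual; signer thumbprint $($sig.SignerCertificate.Thumbprint)"
}

# Check 2: anything on the media that the manifest does not list is a finding in itself.
$listed = @($manifest | ForEach-Object { $_.Path.ToLowerInvariant() })
Get-ChildItem -LiteralPath $StagingRoot -Recurse -File | ForEach-Object {
    $rel = $_.FullName.Substring($StagingRoot.TrimEnd('\').Length).TrimStart('\')
    if ($listed -notcontains $rel.ToLowerInvariant()) {
        $findings.Add("EXTRA     $rel")
        Write-Audit $rel 'fail' 'present on media but not in manifest'
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Error $_ }
    throw "Staged bundle failed verification with $($findings.Count) finding(s); do not import."
}
Write-Host "Staged bundle verified: $($manifest.Count) file(s) OK. Safe to import."
```

Two caveats a practitioner should keep in mind. The signer check is only as strong as the trusted root store on the verification host, so that host must be maintained with the same discipline as the gap itself. And the manifest hash must come from the source side on a separate channel from the media (a printed sheet, a signed email read on a different machine); a manifest that rides on the same USB stick as the files only proves the stick is self-consistent.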

Proxy Based SaaS vs Manual Sync: A Reality Check

Let’s compare the two threat models on level ground.

Monitored SaaS patching through a proxy

Pros

  • Encrypted transport.
  • Certificate validation.
  • Defined and documented endpoints.
  • Continuous delivery.
  • Automated verification.
  • Full audit trails.
  • Immediate revocation and response.

Cons

  • Requires trust in the vendor.
  • Requires connectivity.

Manual WSUS sync and offline workflows

Pros

  • Feels isolated.
  • Satisfies checkbox interpretations of air gap requirements.

Cons

  • Multiple manual steps.
  • Human error dependency.
  • Weak or inconsistent validation.
  • Media based attack vectors.
  • Poor visibility.
  • Delayed remediation.
  • Difficult to audit end to end.

The idea that an attacker could compromise a tightly monitored, encrypted SaaS delivery channel, yet somehow be unable to interfere with a manual, multi step, largely unmonitored process is not just unrealistically optimistic. It is backwards.

From a pure risk perspective, the manual path is easier to influence and harder to defend. The value air gaps once had is largely negated by modern attacker capabilities and practices. Think about this: in 2010 a cyberweapon, widely attributed to the US and Israel and now known as Stuxnet, was released with a single purpose: to hunt down, locate, infiltrate, infect and destroy uranium enrichment centrifuges in a bunker in Iran. Yes, that facility was completely "air gapped". No AI, purely autonomous, and yes, it found its target and did its job. It sat patiently, waited, learned, evaded, and made its own way across the gap. To think the same minds could not actively engage a target today with far deadlier, more targeted results is lunacy. Modern APTs have capabilities at least as advanced as that, and many of them are state sponsored.
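The proxied SaaS model above rests on properties (encrypted transport, certificate validation, defined and documented endpoints) that are only real if the egress path actually enforces them. The check below is an added example, not code from the original post or from Action1: it drives a HEAD request through the proxy to each documented endpoint, which exercises TLS and certificate validation, and then to a control host that is not on the allowlist, which must be refused. The proxy address and the hostnames are placeholders (assumptions), not Action1's endpoints.

```powershell
# Added example, not code from the original post or from Action1.
# Exercises the egress path that a proxied SaaS patching channel depends on:
#   - every documented endpoint must be reachable through the proxy over TLS, and
#   - a control host that is NOT on the allowlist must be refused by the proxy,
# otherwise "defined and documented endpoints" is a property that exists only on paper.
# The proxy address and hostnames below are placeholders (assumptions).

param(
    [string]   $Proxy        = 'http://proxy.corp.example:3128',                      # assumed
    [string[]] $AllowedHosts = @('updates.vendor.example', 'api.vendor.example'),     # assumed
    [string]   $ControlHost  = 'www.example.com'                                      # must be blocked
)

function Test-EgressHost {
    param([string]$HostName, [string]$ProxyUri)
    $uri = "https://$HostName/"
    try {
        # HEAD through the proxy. The default client still validates the server certificate,
        # so an interception box with an untrusted chain surfaces here as a failure, not a 200.
        $resp = Invoke-WebRequest -Uri $uri -Proxy $ProxyUri -Method Head -UseBasicParsing -TimeoutSec 15
        return [pscustomobject]@{ Host = $HostName; Reachable = $true;  Status = [int]$resp.StatusCode; Error = $null }
    }
    catch {
        return [pscustomobject]@{ Host = $HostName; Reachable = $false; Status = $null; Error = $_.Exception.Message }
    }
}

$results = foreach ($h in $AllowedHosts) { Test-EgressHost -HostName $h -ProxyUri $Proxy }
$control = Test-EgressHost -HostName $ControlHost -ProxyUri $Proxy

$results | Format-Table -AutoSize

$problems = @()
foreach ($r in $results) {
    if (-not $r.Reachable) {
        $problems += "Documented endpoint $($r.Host) is not reachable via proxy: $($r.Error)"
    }
}
if ($control.Reachable) {
    # A successful request to a host that should be denied means the proxy is not enforcing the allowlist.
    $problems += "Control host $ControlHost is reachable via proxy; the egress allowlist is not being enforced."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Egress check passed: allowlisted endpoints reachable over TLS, control host blocked."
```

Run it from a host in the patched segment, not from the proxy itself, and schedule it; an allowlist that was correct at change-approval time drifts like any other control. An origin that answers HEAD with an HTTP error (405, for example) will show as unreachable here and should be re-tested with -Method Get before being treated as a finding.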

Faux Gaps Are Worse Than No Gap

The most dangerous environments are not connected ones. They are environments that believe they are isolated when they are not. This creates the sorts of dark corners that trouble breeds in.

If systems are patched infrequently because they are “offline,” vulnerabilities age.
If updates are delayed for process reasons, exposure accumulates.
If visibility is limited, detection lags. This last one especially: if data is not moving in and out of the system, neither is automated validation.

Attackers do not need real time access. They need time and neglect.

And faux gaps provide both.
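"Vulnerabilities age" is measurable, and measuring it is the quickest way to find out whether an "offline" estate is a gap or a delay. The report below is an added example, not code from the original post or from Action1: it reads the most recent hotfix install date on each listed Windows host and flags anything older than a threshold, treating an unreachable host as a finding rather than a blank. The hostnames and threshold are assumptions, and the script needs an account that can query Win32_QuickFixEngineering on each host.

```powershell
# Added example, not code from the original post or from Action1.
# Measures how far vulnerabilities have aged on a set of "offline" Windows hosts by
# reading the newest hotfix install date on each and flagging anything older than a threshold.
# Hostnames and the threshold are assumptions for this example.

param(
    [string[]] $ComputerName = @('gap-app01', 'gap-db01', 'gap-hmi02'),   # assumed
    [int]      $MaxAgeDays   = 30
)

function Get-PatchAge {
    param([string]$Computer, [int]$ThresholdDays, [datetime]$Now = (Get-Date))
    try {
        $latest = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
                  Where-Object { $_.InstalledOn } |           # some QFE rows carry no date
                  Sort-Object InstalledOn -Descending |
                  Select-Object -First 1
        if (-not $latest) {
            return [pscustomobject]@{ Computer = $Computer; LastPatch = $null; LastKB = $null; AgeDays = $null; Status = 'NO PATCH HISTORY' }
        }
        $age    = [math]::Floor(($Now - $latest.InstalledOn).TotalDays)
        $status = if ($age -gt $ThresholdDays) { 'STALE' } else { 'OK' }
        return [pscustomobject]@{
            Computer  = $Computer
            LastPatch = $latest.InstalledOn.ToString('yyyy-MM-dd')
            LastKB    = $latest.HotFixID
            AgeDays   = $age
            Status    = $status
        }
    }
    catch {
        # Unreachable is itself a finding: an "isolated" host you cannot query is one you cannot assess.
        return [pscustomobject]@{ Computer = $Computer; LastPatch = $null; LastKB = $null; AgeDays = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
    }
}

$report = foreach ($c in $ComputerName) { Get-PatchAge -Computer $c -ThresholdDays $MaxAgeDays }
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize

$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) of $($report.Count) host(s) are stale, have no patch history, or are unreachable."
    exit 1
}
```

Get-HotFix reports what is installed, not what is missing, so the age it produces is a lower bound on exposure; a host whose last recorded update is 90 days old is at least 90 days behind, and possibly more. Feed the output into whatever ticketing or SIEM you already have so the number is seen by someone other than the person who runs the script.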

When Air Gaps Are Contractual, Not Practical

There are cases where air gaps are mandated. Regulatory, contractual, or legacy requirements still exist, and I have worked in many of them.

What I have seen far more often than true isolation is compliance theater. Controls checked, diagrams approved, and practices drifting further from the intent of the requirement every year.

If you must maintain an air gapped environment, do it honestly. That means acknowledging the cost, enforcing the discipline, and accepting the operational trade-offs. Your choices are "Do it correctly", "Don't do it", or "Do it in a manner that looks good enough to satisfy an audit". If you are choosing the last one, you are lying to yourself and to the other party in that contract. Neither ends well.

Invest to do it correctly. If you cannot, then pretending your network is isolated does not make it safer; it just makes risk harder to see. And while you may hide that from a compliance auditor, it will not pass the audit that matters: the one where the threat actor pulls out all the stops, unencumbered by morality or consequence. That is the one audit you will never forget.

Modern Security Is Not About Hiding

Security today is not about hiding vulnerabilities behind process or distance.

It is about:

  • Knowing where you are exposed.
  • Reducing time to remediation.
  • Eliminating manual failure points.
  • Auditing continuously.
  • Designing for compromise, not denial.

Reliable, automated, auditable patching reduces risk more effectively than most imagined air gaps ever do.

If you take away anything:

Silence is not safety. Distance is not protection. And neglect is not control. Judge your controls on their efficacy, not the perception of a desired outcome.
