CISA's Edge Device Deadline Hit Monday and Most Businesses Still Can't Tell You What's on Their Network


Monday came and went. Federal agencies had 90 days to catalog every end-of-support firewall, router, VPN gateway, and switch on their networks under CISA's Binding Operational Directive 26-02. The deadline was May 5, 2026.

Here's the part that matters to you: CISA, the FBI, and the UK's NCSC all explicitly recommend that every organization -- not just federal agencies -- follow the same guidance. And the insurance claims data explains why.

The numbers are worse than you think

The Verizon 2025 DBIR tracked an eightfold increase in edge device exploitation in a single year. Firewalls, VPNs, and routers jumped from 3% to 22% of all vulnerability exploitation breaches. That's not a blip. That's a strategic shift by attackers toward the devices you're least likely to be watching.

VulnCheck identified 191 known-exploited vulnerabilities targeting network edge devices in 2025, making them the most targeted technology category. 42.5% of those exploited vulnerabilities affected end-of-life or likely end-of-life devices. Equipment that vendors stopped patching years ago.

The remediation numbers are grim. Only 54% of edge device vulnerabilities were fully patched over the course of the year, with a median time to patch of 32 days. Nearly one in three remain completely unpatched despite being on known-exploited lists. And 29% of those vulnerabilities were exploited on or before the day they were publicly disclosed.

The patch window hasn't shrunk. It's collapsed.

You can't install endpoint protection on a firewall

This is the structural problem the industry created for itself. Over the past decade, endpoint security got genuinely good. Workstations and servers got detection agents, multi-factor authentication, application allowlisting. Attackers noticed. They moved to the devices that sit at the network perimeter with the highest access and the least instrumentation.

Your firewall doesn't run an endpoint agent. Your VPN concentrator doesn't have behavioral detection. Your managed switch from 2018 stopped getting firmware updates two years ago, and nobody flagged it because nobody was tracking the lifecycle.

BakerHostetler's 2026 incident response report, drawn from over 1,250 cases, found unpatched vulnerabilities were the second leading cause of network intrusions at 21%. In 34% of cases, the root cause was never identified at all. That's not a patching failure. That's a visibility failure.

Insurance carriers already figured this out

Cyber insurers are pricing edge device risk into policies right now. One major carrier's claims data shows organizations running certain on-premises VPN appliances were 6.8 times more likely to be attacked than businesses without a VPN detected on their network. Remote access tool compromise accounted for 80% of initial access vectors in direct ransomware attacks.

Another carrier's claims report confirms 59% of ransomware incidents where forensics identified a specific technology involved a VPN appliance.

A single ransomware group drove a 53% increase in ransomware frequency in the second half of 2025, and 86% of their attacks occurred in environments with a specific vendor's edge device present. Average ransom demand from that group: $1.2 million, 50% above the average.

These aren't security vendor scare stories. These are insurance companies looking at actual claims payouts and telling their customers to get off legacy edge hardware entirely.

What BOD 26-02 actually requires

Most coverage focused on Monday's inventory deadline. That's the easy part. Here's the full timeline:

May 5, 2026 -- Inventory all end-of-support edge devices on CISA's published list. This deadline just passed.

February 5, 2027 -- Replace or update all devices on CISA's list. Nine months from now.

August 5, 2027 -- Replace or update all unsupported edge devices, whether they're on the list or not. This is where it gets real for organizations that don't have a complete inventory.

February 5, 2028 -- Continuous discovery mechanism must be operational. Not a quarterly spreadsheet. Not an annual audit. A continuous, automated process that identifies every edge device on the network and flags lifecycle status.

That last requirement is the one Federal News Network called "the real shift" in BOD 26-02. Periodic inventory sweeps aren't enough. The directive demands ongoing, automated awareness of what's on the network and when it ages out of support.

The mid-market gap

Federal agencies have compliance deadlines and oversight. Mid-market businesses have neither. They have the same aging infrastructure, the same untracked lifecycle dates, the same VPN concentrators that stopped getting patches. But nobody is making them inventory anything.

43% of small businesses were targeted by cyberattacks in 2025. Most don't have dedicated security teams. Many don't have a complete list of their own network equipment, let alone a system that knows when each device hits end-of-support.

The FBI issued a flash bulletin this year warning that criminals are actively exploiting end-of-life routers to build botnets and sell proxy access. Not future-tense. Present-tense. Devices from the late 2000s and early 2010s that small businesses still run because nobody told them to stop.

Meanwhile, state-aligned groups have been running multi-year campaigns against edge devices at scale. One documented campaign breached over 600 organizations across 80 countries by targeting end-of-life network equipment. Another specifically targets small office routers for pre-positioning against critical infrastructure.

What "continuous discovery" actually looks like

BOD 26-02 prescribes what LTFI's security assessment platform and managed infrastructure already deliver: lifecycle-aware asset management where someone is actually tracking expiration dates.

LTFI's platform orchestrates 500+ security tools across 25+ AI-powered assessment agents. That includes the kind of continuous network discovery BOD 26-02 demands -- automated identification of edge devices, lifecycle status tracking, and flagging equipment before it falls out of vendor support. Not once a quarter. Continuously.
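As an added illustration (not LTFI's platform code or anything from the directive itself), here is the lifecycle-status logic a continuous-discovery sweep has to apply to every device it finds: the two replacement deadlines are the ones BOD 26-02 sets out above, while the sample inventory, the model names and the 180-day early-warning window are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# BOD 26-02 replacement deadlines as given in the directive timeline above.
REPLACE_LISTED_BY = date(2027, 2, 5)       # devices on CISA's published list
REPLACE_UNSUPPORTED_BY = date(2027, 8, 5)  # any other unsupported edge device
WARN_WINDOW = timedelta(days=180)          # assumed early-warning window, not from the directive

@dataclass
class EdgeDevice:
    hostname: str
    model: str
    end_of_support: Optional[date]  # None means nobody is tracking this device's lifecycle
    on_cisa_list: bool = False

def classify(dev: EdgeDevice, today: date) -> tuple:
    """Return (lifecycle status, applicable BOD 26-02 deadline or None) for one device."""
    if dev.end_of_support is None:
        return ("unknown-lifecycle", None)            # the visibility gap the post describes
    if dev.end_of_support <= today:
        deadline = REPLACE_LISTED_BY if dev.on_cisa_list else REPLACE_UNSUPPORTED_BY
        return ("end-of-support", deadline)
    if dev.end_of_support - today <= WARN_WINDOW:
        return ("approaching-end-of-support", None)   # flag it before it ages out
    return ("supported", None)

def triage(inventory, today: date):
    """One discovery sweep: every device needing action, hard deadlines first."""
    findings = [(d.hostname, d.model, *classify(d, today)) for d in inventory]
    actionable = [f for f in findings if f[2] != "supported"]
    return sorted(actionable, key=lambda f: (f[3] or date.max, f[2]))

# Constructed sample inventory; hostnames, models and dates are made up for the example.
TODAY = date(2026, 5, 6)
SAMPLE_INVENTORY = [
    EdgeDevice("fw-hq-01", "ExampleFW 2000", date(2024, 6, 30), on_cisa_list=True),
    EdgeDevice("vpn-edge-01", "ExampleVPN 500", date(2025, 12, 31)),  # unsupported, not listed
    EdgeDevice("sw-floor2", "ExampleSwitch 48", date(2026, 9, 1)),    # ages out within 180 days
    EdgeDevice("rtr-branch", "ExampleRouter 10", None),              # lifecycle never recorded
    EdgeDevice("fw-dmz-02", "ExampleFW 3000", date(2029, 1, 1)),      # still supported
]

if __name__ == "__main__":
    for host, model, status, deadline in triage(SAMPLE_INVENTORY, TODAY):
        print(f"{host:12} {model:16} {status:26} replace by {deadline or 'n/a'}")
```

Run on a schedule against whatever your discovery tooling exports, the "unknown-lifecycle" rows are the ones to chase first, since a device with no recorded end-of-support date cannot be judged against either deadline.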

Every client deployment runs on dedicated, isolated infrastructure. Hardened servers with automated patching, default-deny firewall policies, and continuous monitoring. The kind of environment where an aging VPN appliance gets caught and replaced, not forgotten in a closet until an attacker finds it first.

The directive exists because the federal government realized it couldn't protect networks it couldn't see. The same logic applies to yours.

If you don't know what's on your network edge right now -- and when each device stops getting security updates -- you're operating with the same blind spot CISA just told every federal agency to fix.

See what our platform finds.