Compensating controls are alternative safeguards used when the preferred security measure is unavailable or impractical. If a system cannot be patched quickly, defenders add layers such as network segmentation, stricter access control, application allowlisting, enhanced logging, or continuous monitoring to reduce exposure. These measures do not remove the vulnerability, but they lower the chance that it can be reached or abused.
They matter because many real-world environments cannot be updated on demand: legacy servers, regulated workloads, specialized hardware, and long change-control cycles all delay patching. Attackers often target those gaps, knowing an unpatched flaw may persist for months. In defense, compensating controls help contain the blast radius by limiting lateral movement, spotting suspicious behavior, and buying time until a proper fix or replacement is possible. They work best as part of a documented risk plan, not as a permanent substitute for patching.
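The "documented risk plan" point above is easiest to see as a small register that records each unpatched asset, the compensating controls layered in front of it, and an expiry date for the exception. The script below is an added illustration, not code from the original article; the control weights, the acceptance threshold, the asset names and the `FINDING-PLACEHOLDER-*` identifiers are all constructed for this example. It scores residual exposure by stacking controls per factor (reachability, exploitability, detection gap), insists on at least one preventive layer, and rejects exceptions that have run past their expiry, which is what keeps a compensating control temporary rather than a permanent substitute for the fix.

```python
"""Compensating-control register: score the residual exposure of an unpatched
asset and decide whether its risk exception is still acceptable.

Added illustration; the control weights and the sample register below are
constructed for this example, not taken from any standard or real environment.
"""
from dataclasses import dataclass
from datetime import date
from math import prod

# Assumed model: each control reduces one exposure factor by a fixed fraction.
# Preventive factors limit whether the flaw can be reached or triggered;
# "detection_gap" captures how long abuse could go unnoticed.
CONTROL_EFFECTS = {
    "network_segmentation":     ("reachability", 0.8),
    "strict_access_control":    ("reachability", 0.5),
    "application_allowlisting": ("exploitability", 0.7),
    "enhanced_logging":         ("detection_gap", 0.4),
    "continuous_monitoring":    ("detection_gap", 0.7),
}
PREVENTIVE = {"reachability", "exploitability"}


def combined_reduction(reductions):
    """Stack independent layers: what gets through is the product of what each lets through."""
    return 1.0 - prod(1.0 - r for r in reductions)


def residual_exposure(base_severity, controls):
    """Scale a base severity (e.g. a 0-10 score) by the surviving fraction of each factor."""
    by_factor = {}
    for name in controls:
        if name not in CONTROL_EFFECTS:
            raise ValueError(f"unknown compensating control: {name}")
        factor, reduction = CONTROL_EFFECTS[name]
        by_factor.setdefault(factor, []).append(reduction)
    residual = base_severity
    for reductions in by_factor.values():
        residual *= 1.0 - combined_reduction(reductions)
    return residual


@dataclass(frozen=True)
class RiskException:
    asset: str
    finding: str          # placeholder identifier, not a real advisory number
    base_severity: float
    controls: tuple
    expires: str          # ISO date; the exception is temporary by design


def review_exception(exc, today, threshold=2.0):
    """Return (status, residual). An expired exception fails first; otherwise a
    preventive layer is mandatory and the residual must sit under the threshold."""
    residual = residual_exposure(exc.base_severity, exc.controls)
    if date.fromisoformat(exc.expires) < date.fromisoformat(today):
        return "expired", residual
    has_preventive = any(CONTROL_EFFECTS[c][0] in PREVENTIVE for c in exc.controls)
    if not has_preventive or residual > threshold:
        return "insufficient", residual
    return "accepted", residual


# Constructed sample register (asset names and finding ids are placeholders).
REGISTER = (
    RiskException("legacy-erp-01", "FINDING-PLACEHOLDER-1", 9.0,
                  ("network_segmentation", "enhanced_logging"), "2030-01-31"),
    RiskException("hmi-plc-gateway", "FINDING-PLACEHOLDER-2", 8.0,
                  ("continuous_monitoring",), "2030-01-31"),
    RiskException("batch-node-07", "FINDING-PLACEHOLDER-3", 7.5,
                  ("strict_access_control", "application_allowlisting"), "2024-06-30"),
)


def review_register(today, register=REGISTER):
    """Review every exception in the register as of the given ISO date."""
    return {exc.asset: review_exception(exc, today) for exc in register}


if __name__ == "__main__":
    for asset, (status, residual) in review_register("2025-01-15").items():
        print(f"{asset:18} {status:12} residual={residual:.2f}")
```

Run as of 2025-01-15, the segmented-and-logged ERP host is accepted, the gateway that relies on monitoring alone is flagged as insufficient because nothing stops the flaw from being reached, and the batch node is rejected as expired even though its controls were adequate, which is the review prompt to either patch, replace, or consciously renew the exception.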