EOL for Beginners

The day after EOL —
what actually happens when support ends.

Published 2026-07-08 · 9 min read · endoflife.ai Research

Here's the anticlimax nobody warns you about: the day your software reaches end of life, nothing happens. No alert fires. Nothing crashes. The application serves traffic exactly as it did yesterday. And that silence is precisely the problem — because while nothing visible changed, three invisible things did, and they compound from that day forward. This guide walks the real timeline: day zero, the first months, the first year, and the long decay — plus the exits available at each stage.

Day zero: what stops, what starts

End of life is a change in obligations, not in behavior. On the published date — and it is published, usually years ahead — the maintainer's commitments end:

And one thing starts: you became the maintainer. Not by choice — by default. Every risk the vendor used to absorb is now yours to absorb, mitigate, or knowingly accept.

The first months: the quiet accumulation

The early period feels safe, and mostly is. But two curves start moving:

The vulnerability backlog opens. The version that shares the most code with yours — the successor — keeps getting patches. Each one is a public signpost: attackers routinely read new patches in supported lines and check whether the same flaw exists, unfixed, in the EOL line. Your exposure grows with every advisory that ships for everyone else. As we covered in What is a CVE?, your own advisory feed going quiet is not reassurance — researchers stopped looking, not attackers.

The version gap widens. Every month you don't migrate, the migration gets slightly harder — the successor version moves further ahead, and the documented upgrade paths assume you start from a supported baseline. Migration difficulty compounds like interest, which is why the cheapest migration you'll ever do is the one you start now.

The first year: the ecosystem moves on without you

Around the one-year mark, the pain stops being theoretical:

Years past: the frozen stack

This is the state most of the internet's quiet disasters share. The EOL component has pinned its whole neighborhood: the runtime beneath it, the libraries around it, the OS under all of it — each frozen at the last mutually compatible moment, each accumulating its own permanent CVEs. Struts stayed famous because Equifax ran a two-month-old known flaw; the systems that scare security teams are running eight-year-old known flaws, wrapped in enough layers that nobody's sure what's inside anymore. (Our new-page research keeps finding them: dom4j 1.6.1 from 2005, H2 1.4, YUI — a decade past its explicit shutdown — all still widely deployed.)

At this stage the honest framing changes: this is no longer "deferred maintenance." It's an unpriced liability sitting on the balance sheet, growing at the rate of public vulnerability research.

The compliance clock (it ticks faster)

For regulated businesses, the auditor usually arrives before the attacker. Frameworks that assess you — PCI DSS for payment card handling, SOC 2, HIPAA's security rule, ISO 27001, and cyber-insurance questionnaires — converge on the same expectations: software must be vendor-supported and receiving security patches, and known vulnerabilities must be remediated on defined timelines. EOL software fails both by definition: it is unsupported and carries unremediable findings.

Where it actually bites
Failed audit findings, conditioned certifications, cyber-insurance exclusions or premium hikes, and — in a breach — the post-incident report noting the exploited component was publicly EOL, with the date on record. "We knew and accepted the risk" reads very differently from "we didn't know."

Your four exits, ranked by when to take them

Every EOL situation resolves through one of four doors:

The door you can't pick is the one most organizations end up in: door five, unmanaged drift — where nobody decided anything and the day after EOL quietly became year six. The difference between doors four and five is a decision, written down.

The whole game is knowing the dates before they arrive. Check any product in seconds with the EOL Checker, browse published windows for 479 products in the catalog, or start at the beginning with the beginner's guide to EOL software — because every timeline in this article starts sooner, and ends better, when day zero doesn't come as a surprise.

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.