Mean Time to Remediate: The Metric Your CISO Asks For, And Why It's Not Enough
Mean Time to Remediate (MTTR) is the vulnerability management metric most CISOs ask for, most board reports include, and most programs optimize toward. It's a reasonable starting point, but treating it as the primary measure of program health creates perverse incentives and hides the vulnerabilities that actually matter.
Here's what MTTR misses, what to measure instead, and how to build an executive reporting framework your leadership team will actually find useful.
What MTTR Is
MTTR in vulnerability management is the average time between when a vulnerability is discovered and when it's confirmed remediated, calculated across all CVEs in your environment. A lower MTTR means faster patching, which sounds good.
The problem is in the word "average."
The MTTR Gaming Problem
When teams are measured on average MTTR, they optimize for average MTTR, not security outcomes.
When security teams are measured on the aggregate metric alone, these are the optimization behaviors they develop in practice:
- Closing low-severity findings quickly to pull down the average
- Marking vulnerabilities as "accepted risk" to remove them from MTTR calculation
- Adjusting scan frequency to reduce the number of new findings entering the queue
- Patching the technically easy vulnerabilities first, regardless of risk
None of these behaviors make the organization more secure. Some of them make it less secure while making the metric look better.
Better Metrics: MTTR by Risk Band
The fix isn't to stop measuring MTTR; it's to stop aggregating it across all severity levels. Segment MTTR by risk band:
| Risk Band | Definition | MTTR Target |
|---|---|---|
| KEV-listed | Confirmed active exploitation | < 72 hours |
| Critical (EPSS ≥ 0.40) | High exploitation probability | < 7 days |
| High (EPSS 0.10–0.39, CVSS ≥ 7) | Elevated risk, no immediate exploitation | < 14 days |
| Medium / Low | Low exploitation probability | < 30 days |
Now your CISO gets four numbers instead of one. The number that matters most, KEV MTTR, should always be under 72 hours. If it's not, that's a program problem worth discussing.
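As an added example (not code from the original post), here is how segmenting MTTR by band exposes what the single aggregate hides. The banding follows the table above; the `Vuln` record, the conjunctive reading of the High row's EPSS range and CVSS floor, and the sample findings are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Vuln:
    cve: str
    kev: bool                        # listed on the CISA KEV catalog
    epss: float                      # EPSS probability, 0..1
    cvss: float                      # CVSS base score
    discovered: datetime
    remediated: Optional[datetime]   # None while still open


# Targets from the risk-band table, in hours.
MTTR_TARGET_HOURS = {"KEV": 72, "Critical": 7 * 24, "High": 14 * 24, "Medium/Low": 30 * 24}


def risk_band(v: Vuln) -> str:
    """Assign the band from the table. The High row lists both an EPSS range and a CVSS
    floor; this reads them conjunctively (an assumption), so EPSS 0.10-0.39 with CVSS < 7
    falls to Medium/Low."""
    if v.kev:
        return "KEV"
    if v.epss >= 0.40:
        return "Critical"
    if 0.10 <= v.epss < 0.40 and v.cvss >= 7.0:
        return "High"
    return "Medium/Low"


def hours_to_remediate(v: Vuln) -> float:
    return (v.remediated - v.discovered).total_seconds() / 3600


def aggregate_mttr_hours(vulns) -> float:
    """The single number a board report usually shows: one average over every closed finding."""
    return mean(hours_to_remediate(v) for v in vulns if v.remediated is not None)


def mttr_by_band_hours(vulns) -> dict:
    """MTTR per band. Open findings are excluded because they have no remediation time yet."""
    buckets = {}
    for v in vulns:
        if v.remediated is not None:
            buckets.setdefault(risk_band(v), []).append(hours_to_remediate(v))
    return {band: mean(hours) for band, hours in buckets.items()}


def bands_over_target(vulns) -> list:
    return sorted(b for b, h in mttr_by_band_hours(vulns).items() if h > MTTR_TARGET_HOURS[b])


# Constructed sample: one KEV finding that sat for 20 days, two real risks closed on time,
# one still open, and seven low-risk findings closed within a day (the "pull down the
# average" pattern from the gaming section).
T0 = datetime(2025, 1, 1)


def _v(cve, kev, epss, cvss, start_day, days_open):
    start = T0 + timedelta(days=start_day)
    fixed = None if days_open is None else start + timedelta(days=days_open)
    return Vuln(cve, kev, epss, cvss, start, fixed)


SAMPLE = [
    _v("CVE-EXAMPLE-0001", True, 0.92, 9.8, 0, 20),      # KEV: 480 h against a 72 h target
    _v("CVE-EXAMPLE-0002", False, 0.55, 8.8, 1, 5),      # Critical: 120 h, inside 7 days
    _v("CVE-EXAMPLE-0003", False, 0.25, 8.1, 2, 10),     # High: 240 h, inside 14 days
    _v("CVE-EXAMPLE-0004", False, 0.45, 7.5, 25, None),  # Critical, still open: excluded
] + [_v(f"CVE-EXAMPLE-01{i:02d}", False, 0.02, 5.3, i, 1) for i in range(7)]  # Medium/Low, 24 h each

if __name__ == "__main__":
    print(f"aggregate MTTR: {aggregate_mttr_hours(SAMPLE):.1f} h")   # 100.8 h, looks healthy
    for band, hours in mttr_by_band_hours(SAMPLE).items():
        print(f"  {band:<11} {hours:6.1f} h  (target {MTTR_TARGET_HOURS[band]} h)")
    print("bands over target:", bands_over_target(SAMPLE))            # ['KEV']
```

The aggregate of about four days would pass most dashboards unremarked; the banded view shows the only finding with confirmed exploitation sat open for twenty days, more than six times its target.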
Five Metrics That Tell the Real Story
1. KEV Exposure Window
Time from CISA KEV listing to confirmed patch deployment on affected assets. This is the metric that directly maps to confirmed threat actor activity. If your KEV exposure window is 30 days, threat actors have 30 days to find and exploit confirmed vulnerabilities in your environment.
Target: 0 open KEV entries past 14 days. Zero exceptions.
2. TRIS™-Weighted Backlog Trend
Instead of counting raw CVEs (a number that fluctuates with scan frequency and NVD volume), track the sum of TRIS™ scores across your open vulnerability backlog. This is a risk-adjusted backlog measure. If your TRIS™-weighted backlog is decreasing month over month, your program is working, regardless of whether the total CVE count went up or down.
Target: Consistent month-over-month reduction in total risk score.
3. SLA Compliance Rate by Band
What percentage of vulnerabilities in each risk band were patched within their target SLA? This is more specific than MTTR because it tells you where the bottleneck is: IT capacity, change management friction, or vendor dependency.
Target: ≥ 95% SLA compliance for KEV and Critical bands.
4. Scan Coverage Rate
Percentage of known assets scanned within their target cadence window. A team with perfect MTTR on discovered vulnerabilities but 60% scan coverage is missing 40% of its environment entirely. Coverage rate is often the most impactful program metric to improve first.
Target: ≥ 98% of Tier 1 assets scanned weekly.
5. Exception Aging
How many accepted-risk exceptions are past their documented expiry date? Exceptions without expiry dates or review schedules accumulate indefinitely and represent unacknowledged risk. Stale exceptions are a reliable indicator that a program's governance is breaking down.
Target: Zero exceptions past expiry without documented renewal.
The Executive Summary Format
Here's what a weekly VM report to leadership should look like: concise, defensible, and focused on actual risk.
- KEV status: N open KEV entries. [N patched this week / 0 past 14-day SLA]
- Critical band (EPSS ≥ 0.40): N open. SLA compliance: X%
- TRIS™-weighted backlog: [↓ 12% from last week], risk trending down
- Scan coverage: 97% of Tier 1 assets scanned within window
- Exceptions past expiry: 0
This format takes 2 minutes to read and gives leadership a complete picture of program health. No buried averages. No vanity metrics. Just the numbers that map directly to organizational risk.
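As an added example that is not part of the original post, the five metrics above (KEV exposure window, TRIS™-weighted backlog trend, SLA compliance by band, scan coverage, exception aging) computed over one constructed week of data and rendered into the summary lines just shown. The `Finding`, `Asset` and `RiskException` records, the numeric TRIS-style scores, the rule that an open finding counts against its SLA only once the window has elapsed, and the 14-day KEV SLA (taken from the KEV Exposure Window target rather than the 72-hour table figure) are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# SLA days per band from the risk-band table; KEV uses the 14-day ceiling the KEV
# Exposure Window metric sets (assumption). Tier 1 assets are expected weekly.
SLA_DAYS = {"KEV": 14, "Critical": 7, "High": 14, "Medium/Low": 30}
TIER1_CADENCE_DAYS = 7


@dataclass
class Finding:
    cve: str
    band: str                          # already assigned: KEV, Critical, High or Medium/Low
    tris: float                        # TRIS-style risk score; scale is a constructed placeholder
    discovered: date                   # for KEV entries, the day the listing was picked up
    remediated: Optional[date] = None  # None while open


@dataclass
class Asset:
    name: str
    tier: int
    last_scanned: Optional[date]


@dataclass
class RiskException:
    cve: str
    expires: date
    renewed: bool = False


def open_kev_past_sla(findings, today):
    return [f.cve for f in findings if f.band == "KEV" and f.remediated is None
            and (today - f.discovered).days > SLA_DAYS["KEV"]]


def patched_this_week(findings, today, band="KEV"):
    return sum(1 for f in findings if f.band == band and f.remediated is not None
               and (today - f.remediated).days < 7)


def tris_weighted_backlog(findings):
    """Risk-adjusted backlog: sum of scores over open findings, not a count of CVEs."""
    return sum(f.tris for f in findings if f.remediated is None)


def backlog_trend_pct(current, previous):
    return (current - previous) / previous * 100.0


def sla_compliance_by_band(findings, today):
    """Percent of findings per band that met SLA. Closed findings count by actual time to
    fix; an open finding is a breach once its window has elapsed and is otherwise not
    counted yet (assumption)."""
    met, total = {}, {}
    for f in findings:
        limit = SLA_DAYS[f.band]
        if f.remediated is not None:
            ok = (f.remediated - f.discovered).days <= limit
        elif (today - f.discovered).days > limit:
            ok = False
        else:
            continue
        total[f.band] = total.get(f.band, 0) + 1
        met[f.band] = met.get(f.band, 0) + int(ok)
    return {b: 100.0 * met[b] / total[b] for b in total}


def scan_coverage_pct(assets, today, tier=1, cadence_days=TIER1_CADENCE_DAYS):
    in_tier = [a for a in assets if a.tier == tier]
    scanned = [a for a in in_tier
               if a.last_scanned is not None and (today - a.last_scanned).days <= cadence_days]
    return 100.0 * len(scanned) / len(in_tier)


def exceptions_past_expiry(exceptions, today):
    return [e.cve for e in exceptions if e.expires < today and not e.renewed]


def executive_summary(findings, assets, exceptions, previous_backlog, today):
    """The five report lines, in the order the post gives them."""
    open_kev = sum(1 for f in findings if f.band == "KEV" and f.remediated is None)
    open_crit = sum(1 for f in findings if f.band == "Critical" and f.remediated is None)
    sla = sla_compliance_by_band(findings, today)
    trend = backlog_trend_pct(tris_weighted_backlog(findings), previous_backlog)
    return [
        f"KEV status: {open_kev} open KEV entries. [{patched_this_week(findings, today)} patched "
        f"this week / {len(open_kev_past_sla(findings, today))} past {SLA_DAYS['KEV']}-day SLA]",
        f"Critical band (EPSS >= 0.40): {open_crit} open. SLA compliance: {sla.get('Critical', 100.0):.0f}%",
        f"TRIS-weighted backlog: [{'↓' if trend < 0 else '↑'} {abs(trend):.0f}% from last week], "
        f"risk trending {'down' if trend < 0 else 'up'}",
        f"Scan coverage: {scan_coverage_pct(assets, today):.0f}% of Tier 1 assets scanned within window",
        f"Exceptions past expiry: {len(exceptions_past_expiry(exceptions, today))}",
    ]


# Constructed sample data for the week ending 2025-03-14.
TODAY = date(2025, 3, 14)
D = date
FINDINGS = [
    Finding("CVE-EXAMPLE-KEV-1", "KEV", 9.8, D(2025, 2, 20)),                        # open 22 days: past SLA
    Finding("CVE-EXAMPLE-KEV-2", "KEV", 9.5, D(2025, 3, 1), D(2025, 3, 10)),        # fixed in 9 days
    Finding("CVE-EXAMPLE-KEV-3", "KEV", 9.1, D(2025, 3, 10)),                        # open 4 days: inside SLA
    Finding("CVE-EXAMPLE-CRIT-1", "Critical", 7.4, D(2025, 2, 25), D(2025, 3, 2)),  # 5 days
    Finding("CVE-EXAMPLE-CRIT-2", "Critical", 6.9, D(2025, 2, 20), D(2025, 3, 5)),  # 13 days: breach
    Finding("CVE-EXAMPLE-CRIT-3", "Critical", 7.0, D(2025, 3, 12)),                  # open 2 days
    Finding("CVE-EXAMPLE-HIGH-1", "High", 4.2, D(2025, 2, 10), D(2025, 2, 20)),      # 10 days
    Finding("CVE-EXAMPLE-ML-1", "Medium/Low", 1.1, D(2025, 1, 20)),                  # open 53 days: breach
]
ASSETS = [Asset("web-01", 1, D(2025, 3, 12)), Asset("web-02", 1, D(2025, 3, 9)),
          Asset("db-01", 1, D(2025, 3, 8)), Asset("db-02", 1, D(2025, 3, 7)),
          Asset("hsm-01", 1, None), Asset("lab-01", 2, D(2025, 1, 5))]
EXCEPTIONS = [RiskException("CVE-EXAMPLE-ML-2", D(2025, 2, 28)),
              RiskException("CVE-EXAMPLE-ML-3", D(2025, 6, 30)),
              RiskException("CVE-EXAMPLE-ML-4", D(2025, 3, 1), renewed=True)]
PREVIOUS_BACKLOG = 30.0   # last week's TRIS-weighted total, constructed

if __name__ == "__main__":
    for line in executive_summary(FINDINGS, ASSETS, EXCEPTIONS, PREVIOUS_BACKLOG, TODAY):
        print("-", line)
```

Note what the sample report surfaces that a raw count would not: the backlog is down 10% by risk weight even though eight findings are still tracked, one KEV entry is past its window, and an unscanned Tier 1 host pulls coverage to 80%, each a line leadership can act on.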