Vulnerability Management

Security Testing Metrics to Track

See which security testing metrics provide the most insight into the efficiency of your vulnerability management programme.
Ben Armstrong
3 minute read

Vulnerability Risk vs Time to Detection

Risk of vulnerabilities is often considered an important security testing metric to track. Visibility over the number of high or medium risk vulnerabilities is critical in understanding the health of a vulnerability management programme, however, it’s not what mature organisations are focussing on. Instead, mean time to detection (MTTD) and mean time to response (MTTR) provide much more insight into a programme’s efficiency.

MTTD

MTTD indicates the time taken between the inevitable introduction of a vulnerability and its detection. Security teams with a low MTTD find vulnerabilities faster, meaning they can begin the remediation process faster. Higher MTTD rates suggest that uncovered vulnerabilities are lingering in systems for longer. 

‍MTTR

MTTR is the next metric to track along the vulnerability lifecycle. MTTR measures the length of time between a vulnerability being acknowledged and addressed. It’s important to note that addressed does not necessarily mean fixed. Not all vulnerabilities get rectified, instead they can be mitigated or even just accepted. So MTTR includes all the possible outcomes after the vulnerability has been found and assessed. 

Summary

Ultimately, it’s the individual business goals of the vulnerability management programme that determines what metrics to focus on. But having systems and tools (like Cisco Vulnerability Management (formerly Kenna), Armorcode and Cytix) to easily track performance metrics is vital. With the right processes in place and focus on the right metrics, high performing security teams are reducing the time vulnerabilities are live in their system, reducing the chance of harmful attacks. 

If you want to see how Cytix can drive down MTTD, book your demo today.

Vulnerability Management

Security Testing Metrics to Track

See which security testing metrics provide the most insight into the efficiency of your vulnerability management programme.
Ben Armstrong
3
min read

Vulnerability Risk vs Time to Detection

Risk of vulnerabilities is often considered an important security testing metric to track. Visibility over the number of high or medium risk vulnerabilities is critical in understanding the health of a vulnerability management programme, however, it’s not what mature organisations are focussing on. Instead, mean time to detection (MTTD) and mean time to response (MTTR) provide much more insight into a programme’s efficiency.

MTTD

MTTD indicates the time taken between the inevitable introduction of a vulnerability and its detection. Security teams with a low MTTD find vulnerabilities faster, meaning they can begin the remediation process faster. Higher MTTD rates suggest that uncovered vulnerabilities are lingering in systems for longer. 

‍MTTR

MTTR is the next metric to track along the vulnerability lifecycle. MTTR measures the length of time between a vulnerability being acknowledged and addressed. It’s important to note that addressed does not necessarily mean fixed. Not all vulnerabilities get rectified, instead they can be mitigated or even just accepted. So MTTR includes all the possible outcomes after the vulnerability has been found and assessed. 

Summary

Ultimately, it’s the individual business goals of the vulnerability management programme that determines what metrics to focus on. But having systems and tools (like Cisco Vulnerability Management (formerly Kenna), Armorcode and Cytix) to easily track performance metrics is vital. With the right processes in place and focus on the right metrics, high performing security teams are reducing the time vulnerabilities are live in their system, reducing the chance of harmful attacks. 

If you want to see how Cytix can drive down MTTD, book your demo today.

Prioritise Your Testing Programme Around Your Development Schedule

Detect Vulnerabilities Faster
Patch Vulnerabilities Faste
Be more compliant
Book a Demo

Related Posts

Vulnerability Management
How do you understand performance over time?
In order to get to grips with the performance of your software or product over time, you really need to be taking incremental measurements of your cybersecurity.
Thomas Ballin
February 2, 2021
Security Testing
Automated penetration testing - 5 key business benefits
Automated penetration testing is becoming increasingly popular. But how does this compare to manual penetration testing? Understand the main key benefits.
Thomas Ballin
June 4, 2024
Vulnerability Management
Will there come a day where there are 0 vulnerabilities to find?
There's a growing potential for AI to remove many sources of vulnerabilities, but does that mean we're going to see a day where code is being written without any vulnerabilities being introduced into systems?
Thomas Ballin
June 4, 2024