KPI for Vulnerability management
New KPI / SLA information
The polished, ready-to-use KPI document is in the Spreadsheet SLA example, which can be shared with clients that are close to us. It contains a lot of our IP (even though some will call it obvious standard stuff).
The idea is that to measure a KPI, the CISO needs to decide which partial measurements are important, agree on those with the IT operations team, and only THEN define the KPI measurement.
In Qualys terms, the KPI measurement tries to implement a 0-100% score: how close the company is to meeting the agreed SLA. It also suggests some delay for workstations, because they are not all online all the time. For example, only 90% of the whole population should need to meet the goal, combined with tags that define it for those that have been online for the last xx days.
There are some premade dashboards that implement the measurement for the SLA spreadsheet, available from the dashboard section.
SLA / KPI sheet here
The material below is a bit old and still work in progress (as of November 2025).
Coverage of the vulnerability management

| KPI | What | How to measure |
| --- | --- | --- |
| Vulnerability management coverage | % | |
Vulnerability management basic - Security / Risk

| KPI | What | How to measure |
| --- | --- | --- |
| Asset risk score, average per company/area/technology | 0-100 | Using Qualys: TruRisk score. Otherwise: any method that aggregates and prioritises all vulnerabilities per asset. This focuses on whether assets in general are patched well enough. |
| Asset risk score outliers | Number/% of systems that are outliers | Standard deviation value, or number of systems above xx. This is meant to catch how many systems are extremely bad even when the reported average is good. |
| # patches missing per .. | # patches | Show the number of missing patches instead of vulnerabilities; those numbers can be very different. Can be measured per area, by vendor patch severity, etc. |
| Average exposure time | Days an asset was exposed. This could be how many days per month an asset was exposed via ANY critical vulnerability, i.e. how many days it has been open to an attacker. This does not measure a specific vulnerability but the combined exposure. | For a given type or group of vulnerabilities, count the days from first found to fix date and report the number, for example as days per month. |
| % exceptions at high-risk vulnerabilities | % | Unpatched vulnerabilities vs. unpatched risk-accepted (= ignored from the standard results) |
| Critical/high risk over 30 days old | Count; %; average per system; only where a patch is available; only OS / non-OS | Depends |
Vulnerability management basic - Operation

| KPI | What | How to measure |
| --- | --- | --- |
| Mean time to remediation (per criticality level) | A standard number which should be used with caution. Sometimes also measured per system criticality (i.e. mean time to patch critical vulns on critical systems). | Days: calculate first found to fixed. Can include: date the patch was released; whether a patch exists. Bonus: according to cyber insurance companies, 7 days is the golden number. |
| Systems patched slower than SLA | % of systems; % of systems in violation group (1, 2, 4, 6 weeks) | The SLA for patching the various types of vulnerabilities, measured against the actual patch cadence. |
| Patch Tuesday later than SLA | % of Windows systems that were not patched within the company SLA | It might be a manual process every month; there is no query that asks for just Patch Tuesday. Also, Patch Tuesday often releases both an OS patch and patches for other components. |
| Closed vs. open | | |
| Rate of recurrence | | |
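The average exposure time and outlier KPIs from the Security / Risk table and the MTTR and SLA-violation-group KPIs from the Operation table, computed over a constructed finding list. This is an added example, not code from the page or from Qualys; the record layout, SLA days, reporting date and 0-100 scores are assumptions.

```python
from calendar import monthrange
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample data (hypothetical, not a Qualys export):
# (asset, severity, first_found, fixed_date or None if still open)
FINDINGS = [
    ("srv01", "Critical", date(2025, 10, 1), date(2025, 10, 5)),
    ("srv01", "High", date(2025, 10, 3), date(2025, 10, 20)),
    ("srv02", "Critical", date(2025, 10, 2), date(2025, 11, 1)),
    ("srv02", "Critical", date(2025, 10, 10), None),
    ("ws01", "High", date(2025, 10, 1), date(2025, 10, 2)),
    ("ws02", "Critical", date(2025, 9, 20), None),
]
SCORES = {"srv01": 40, "srv02": 55, "ws01": 35, "ws02": 95}  # constructed 0-100 risk scores
SLA_DAYS = {"Critical": 7, "High": 30}  # agreed SLA per severity (assumed values)
VIOLATION_WEEKS = (1, 2, 4, 6)  # the violation groups named on the page
AS_OF = date(2025, 11, 15)  # reporting date; open findings are measured up to here

def mttr_days(findings, severity):
    """Mean time to remediation (first found -> fixed) over fixed findings of one severity."""
    d = [(fx - ff).days for _, s, ff, fx in findings if s == severity and fx]
    return round(mean(d), 1) if d else None

def sla_violation_groups(findings, as_of=AS_OF):
    """% of systems whose worst finding is at least N weeks past its SLA (open ones count to as_of)."""
    worst = {}
    for a, s, ff, fx in findings:
        overdue = ((fx or as_of) - ff).days - SLA_DAYS[s]
        worst[a] = max(worst.get(a, 0), overdue)
    return {w: 100 * sum(v >= 7 * w for v in worst.values()) / len(worst)
            for w in VIOLATION_WEEKS}

def exposure_days(findings, year, month, severity="Critical", as_of=AS_OF):
    """Days in the month on which each asset had ANY finding of that severity open (combined exposure)."""
    days = [date(year, month, d) for d in range(1, monthrange(year, month)[1] + 1)]
    out = {}
    for a, s, ff, fx in findings:
        if s == severity:
            end = fx or as_of + timedelta(days=1)  # exclusive end: fix date, or still open
            out.setdefault(a, set()).update(d for d in days if ff <= d < end)
    return {a: len(v) for a, v in out.items()}

def outliers(scores, k=1.0):
    """Systems scoring above mean + k*stdev: the extremes that a good average hides."""
    m, sd = mean(scores.values()), pstdev(scores.values())
    return sorted(a for a, v in scores.items() if v > m + k * sd)
```

With this data, srv02 and ws02 fall into the 1-4 week violation groups and only ws02 into the 6-week group, while ws02 is the single score outlier although the fleet average looks acceptable.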
Vulnerability management advanced - Security / Risk

| KPI | What | How to measure |
| --- | --- | --- |
| # of critical/important systems with TI-related vulnerabilities, e.g. used by ransomware/malware, used in active attacks, exploit available | Number of systems | |
| External systems with exploitable vulnerabilities | Number of systems | |
MITRE related reports

| KPI | What | How to measure |
| --- | --- | --- |
| Initial access / reconnaissance | % of high-risk+ vulnerabilities that can lead to initial access (or other stages) | Report on vulnerabilities or controls that relate only to specific stages of an attack; limiting initial access, for example, might be the first priority. |
| Threat landscape coverage | % of attack vectors that are protected | Based on a threat landscape report, the MITRE techniques can be mapped to Qualys vulnerabilities and Policy Audit controls, and we can tell what % of techniques are covered. This number will be somewhat imprecise, but it is still a good concept and the focus should be on developing it. The report often needs to be produced via the API; Volodomyr and Josephine know how. |
| TLPT / Atomic / red team penetration test | Atomic results | It is possible to simulate much of a red team test by running the Atomic tests and then looking up the techniques. |
| Attack path analysis | Default reporting | Qualys has attack path analysis for AWS, with Azure coming in H2 2025. We haven't tried it yet. |
VERY focused prioritization

| KPI | What | How to measure |
| --- | --- | --- |
| Only those that matter | Look at vulnerability TI and CVSS data and select only what a specific system/service should focus on | Are those relevant for the specific system, given its placement, function, CIA, etc.? DoS: maybe the system can be down, but it must not lose data. Local discovery/exploit: if the server never has any user logging in, the chance of discovery may be small. Running service: the platform can look either for the vulnerability being present on the system or only for the vulnerable service actually running. ... and so on: look at the system and what it does. |
| Focus on what matters in the world | Measure those things where breaches happen, according to various inputs (Marsh, for example) | Measure those. The simple thing is that 90% of compromises are ransomware, and many attacks now use older vulnerabilities that are not critical but rather CVSS 5-8. See the Marsh data on the external KPI page here. |
| Browser extensions | List the browser extensions in use; they are often unknown and unmanaged | |
| Libraries | For developers, the use of libraries is critical. Libraries carry vulnerabilities that end up in final releases and are often not identified by web application tests or release tests. | Enable Software Composition Analysis for the Cloud Agent to get vulnerabilities related to libraries. But be careful: only enable it on the few hosts where it matters, since it creates a lot of false positives for library files that are simply lying around on people's computers. |
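A rule-based relevance filter for the "Only those that matter" row above, as an added example (not code from the page or from Qualys): each finding is kept or deprioritised with the reason, following the DoS, local-exploit and running-service checks the row describes. The asset attributes and finding fields are assumptions.

```python
# Constructed sample data (hypothetical, not a Qualys data model).
ASSETS = {
    # can_be_down: availability is not critical (C/I matter, A less so)
    # interactive_logins: users log in to this system
    # running: services actually running on the host
    "web01": {"can_be_down": False, "interactive_logins": False, "running": {"nginx", "openssl"}},
    "batch01": {"can_be_down": True, "interactive_logins": False, "running": {"cron", "openssl"}},
    "ws01": {"can_be_down": True, "interactive_logins": True, "running": {"chrome"}},
}
VULNS = [
    # (id, asset, cvss, impact "dos"|"rce", vector "local"|"network", affected service)
    ("V1", "web01", 7.5, "dos", "network", "nginx"),
    ("V2", "batch01", 7.5, "dos", "network", "openssl"),
    ("V3", "web01", 7.8, "rce", "local", "openssl"),
    ("V4", "ws01", 7.8, "rce", "local", "chrome"),
    ("V5", "web01", 9.8, "rce", "network", "postgres"),
    ("V6", "batch01", 9.8, "rce", "network", "openssl"),
]

def relevance(vuln, assets):
    """Return None if the finding matters on this asset, else the reason it is deprioritised."""
    _, host, _, impact, vector, service = vuln
    ctx = assets[host]
    if service not in ctx["running"]:
        return "vulnerable service is not running on this system"
    if impact == "dos" and ctx["can_be_down"]:
        return "DoS on a system that may be down without losing data"
    if vector == "local" and not ctx["interactive_logins"]:
        return "local exploit on a system with no interactive user logins"
    return None

def focus_list(vulns, assets):
    """Split findings into the ones to focus on (highest CVSS first) and the deprioritised ones."""
    keep, skip = [], {}
    for v in sorted(vulns, key=lambda x: -x[2]):
        reason = relevance(v, assets)
        if reason is None:
            keep.append(v[0])
        else:
            skip[v[0]] = reason
    return keep, skip
```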