What Is a Good MTTR for Vulnerabilities?
A good MTTR (Mean Time to Remediate) for vulnerabilities is 30 days or less for critical severity, 60 days for high, and 90 days for medium. Top-performing organizations achieve 15-day MTTR for critical vulnerabilities. MTTR measures the average time from vulnerability discovery to confirmed remediation.
MTTR Benchmarks by Severity
| Performance Level | Critical MTTR | High MTTR | Medium MTTR |
|---|---|---|---|
| Top Performers (Top 10%) | < 15 days | < 30 days | < 60 days |
| Good (Top 25%) | 15-30 days | 30-45 days | 60-90 days |
| Average | 30-60 days | 60-90 days | 90-120 days |
| Below Average | > 60 days | > 90 days | > 120 days |
Benchmarks based on industry data from vulnerability management platforms and security surveys.
How to Improve Your MTTR
Automate Discovery to Ticket
Eliminate manual steps between scan completion and ticket creation. Vulnerabilities should automatically create tickets with owners assigned based on asset ownership.
Prioritize Ruthlessly
Not all vulnerabilities need immediate attention. Use EPSS, CISA KEV, and asset criticality to focus remediation effort on what actually matters.
Establish Clear Ownership
Every vulnerability needs an owner. If asset ownership isn't clear, MTTR suffers while teams debate who's responsible.
Track and Report
What gets measured gets managed. Report MTTR metrics to leadership regularly. Teams improve when they know their metrics are visible.
Common Questions
How is MTTR calculated for vulnerabilities?
MTTR is calculated as the average time between vulnerability discovery (first scan detection) and confirmed remediation (follow-up scan showing vulnerability resolved). Some organizations measure from ticket creation instead of discovery, which produces lower MTTR numbers but misses the discovery-to-ticket delay.
Should MTTR be measured per severity or overall?
Measure MTTR by severity. An overall MTTR metric can mask problems: you might have excellent medium-severity MTTR but terrible critical MTTR. Breaking out by severity reveals where your program actually struggles.
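The two answers above can be worked through on a small data set. The following is an added example, not code from the original page: it computes MTTR per severity and overall, measured from discovery and from ticket creation. The finding records, field layout and function names are constructed for illustration; the targets are the page's 30/60/90-day figures.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Targets in days: the page's "good" MTTR figures per severity.
TARGET_DAYS = {"critical": 30, "high": 60, "medium": 90}

# Constructed sample findings: (severity, first_detected, ticket_created, confirmed_fixed).
# confirmed_fixed = follow-up scan showing the finding resolved; None = still open.
FINDINGS = [
    ("critical", date(2024, 1, 2), date(2024, 1, 12), date(2024, 2, 21)),
    ("critical", date(2024, 1, 10), date(2024, 1, 11), date(2024, 2, 9)),
    ("high", date(2024, 1, 3), date(2024, 1, 8), date(2024, 2, 12)),
    ("medium", date(2024, 1, 4), date(2024, 1, 5), date(2024, 1, 14)),
    ("medium", date(2024, 1, 8), date(2024, 1, 9), date(2024, 1, 22)),
    ("medium", date(2024, 1, 15), date(2024, 1, 16), date(2024, 1, 27)),
    ("medium", date(2024, 1, 20), date(2024, 1, 22), None),
]

def remediation_days(findings, start="discovery"):
    """Yield (severity, days to confirmed remediation) per closed finding."""
    if start not in ("discovery", "ticket"):
        raise ValueError("start must be 'discovery' or 'ticket'")
    for severity, detected, ticketed, fixed in findings:
        if fixed is None:
            continue  # assumption: open findings are excluded from MTTR
        begin = detected if start == "discovery" else ticketed
        yield severity, (fixed - begin).days

def mttr_by_severity(findings, start="discovery"):
    """Mean remediation time in days, broken out by severity."""
    buckets = defaultdict(list)
    for severity, days in remediation_days(findings, start):
        buckets[severity].append(days)
    return {sev: mean(vals) for sev, vals in buckets.items()}

def overall_mttr(findings, start="discovery"):
    """Single blended MTTR across all severities."""
    return mean(days for _, days in remediation_days(findings, start))

def over_target(findings):
    """Severities whose discovery-based MTTR exceeds the target."""
    per_sev = mttr_by_severity(findings)
    return sorted(s for s, d in per_sev.items() if d > TARGET_DAYS[s])

if __name__ == "__main__":
    print("from discovery:", mttr_by_severity(FINDINGS), overall_mttr(FINDINGS))
    print("from ticket:   ", mttr_by_severity(FINDINGS, "ticket"))
    print("over target:   ", over_target(FINDINGS))
```

On this sample the blended figure is 26 days while critical MTTR is 40 days, and measuring from ticket creation lowers the critical figure to 34.5 days without any finding being fixed sooner.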
What other metrics complement MTTR?
MTTR works best alongside: open vulnerability count (are you keeping up?), SLA adherence rate (percentage meeting your targets), vulnerability density (vulnerabilities per asset), and age distribution (how many old vulnerabilities exist). Together these paint a complete picture.