Metric Definition
Open vulnerabilities over time
Track from
Security vulnerability trends
Security vulnerability trends measure how the volume, severity, and age of open vulnerabilities change across an estate over time. Instead of a single snapshot count, the metric tracks the direction of travel: whether new vulnerabilities are arriving faster than they are being fixed. A worsening trend means risk is accumulating even if any single day looks acceptable.
8 min read
What is security vulnerability trends?
Security vulnerability trends measure how the volume, severity, and age of open vulnerabilities change across an estate over time. A snapshot count tells you how many open vulnerabilities exist today. The trend tells you whether that number is rising or falling, and whether the mix is shifting towards more severe or older issues. If 50 new vulnerabilities are discovered in a month and only 30 are remediated, the net trend is plus 20, and risk is building even though no single day looks alarming.
The metric matters because point-in-time counts are misleading on their own. A team can fix vulnerabilities at a healthy rate and still fall behind if new ones arrive faster. Equally, a high open count can be improving fast if remediation is outpacing discovery. Only the trend reveals which of those two situations you are actually in.
Severity weighting is central. One critical, internet-facing, exploitable vulnerability matters far more than a hundred low-severity issues on an isolated internal service. A useful trend weights by severity and exposure so the line reflects real risk rather than a raw count that treats every finding as equal.
Track the trend by severity band, not as a single blended count. A falling total that hides a rising number of critical, exploitable vulnerabilities is worse than a flat total made up entirely of low-severity findings. The mix matters as much as the volume.
How to calculate security vulnerability trends
The core of the trend is the net change per period: new vulnerabilities introduced minus vulnerabilities remediated. A positive net means the backlog is growing. The real diagnostic value comes from decomposing both sides of that equation and watching the inputs that drive each one.
- 1
New vulnerabilities introduced
The count of vulnerabilities first discovered in the period, whether from scanning, new disclosures against existing dependencies, or newly deployed code. Rising introduction usually points to dependency drift or expanding attack surface.
- 2
Vulnerabilities remediated
The count of vulnerabilities closed in the period through patching, configuration changes, or removing the affected component. This is the direct output of the remediation engine.
- 3
Net change
Introduced minus remediated. A persistent positive net is the clearest single signal that risk is accumulating and remediation capacity is not keeping pace with discovery.
- 4
Mean time to remediate
The average age at which vulnerabilities are closed, banded by severity. A rising remediation time means findings are sitting open longer, which lengthens the exposure window regardless of the headline count.
- 5
Ageing backlog
The count of open vulnerabilities older than their severity-appropriate fix target. A growing aged backlog is where the most exploitable risk tends to concentrate.
Report these inputs on a rolling basis, severity by severity, so a single critical finding cannot be averaged away by many trivial ones. Most teams plot introduced and remediated as two lines on the same axis. When the remediation line sits above the introduction line, the backlog shrinks. When it sits below, the backlog grows, and the gap between the lines is the rate at which risk is compounding.
Security vulnerability trends in a metric tree
A metric tree decomposes the net vulnerability trend into its discovery side and its remediation side, then traces each back to the operational levers that move it. This turns a worrying line on a chart into a clear statement of what to fix and who owns it.
The first level splits the trend into new vulnerabilities introduced and vulnerabilities remediated. The introduction branch decomposes into dependency drift, new code shipped, and expanding infrastructure footprint. The remediation branch decomposes into patch throughput, the share of fixes that are automated, and the friction of getting a fix deployed. The ageing backlog hangs off both, because it is what is left when remediation cannot keep up.
The tree makes the diagnosis precise. A worsening trend driven by a surge in new dependencies needs a different response from one driven by a remediation team that has lost capacity. One is a supply-chain and intake problem, the other is a throughput problem, and confusing the two wastes effort.
Metric tree insight
A trend that worsens despite a healthy remediation rate is almost always an intake problem, not a throughput problem. The lever is upstream: pinning and updating dependencies, reducing attack surface, and catching issues before they ship, rather than asking the remediation team to simply fix faster.
Security vulnerability trends benchmarks
There is no universal target count, because estates differ enormously in size and exposure. The benchmarks worth holding teams to are about remediation windows by severity and the direction of the net trend, since those translate directly to how long real risk stays open.
| Severity | Healthy remediation window | Trend signal to watch |
|---|---|---|
| Critical | Within 7 days of discovery | Any sustained growth in open critical findings is a red flag, regardless of how the total looks. |
| High | Within 30 days | A rising aged-high backlog usually precedes a critical incident and deserves attention before it tips over. |
| Medium | Within 90 days | Steady accumulation here points to remediation capacity quietly falling behind introduction. |
| Low | Within 180 days or risk-accepted | A large but stable low count is acceptable; a fast-growing one signals expanding attack surface upstream. |
The single most telling benchmark is whether the remediation line sits above the introduction line over a rolling quarter. A team that consistently closes more than it discovers is reducing risk over time even from a high starting count. A team where introduction outruns remediation is accumulating risk no matter how impressive the absolute number of fixes looks in isolation.
How to improve security vulnerability trends
Improving the trend means either slowing the rate at which vulnerabilities arrive or speeding the rate at which they are fixed, and ideally both. The most durable gains come from the introduction side, because preventing a vulnerability is cheaper than chasing it once it is in production.
Shrink the intake
Pin and regularly update dependencies, reduce unused services, and catch issues in the pipeline before they ship. Reducing the rate of new findings does more for the trend over time than any amount of faster patching.
Prioritise by exploitability
Rank findings by severity, exposure, and known exploitation rather than by raw count. Remediation capacity is finite, so spending it on the vulnerabilities an attacker would actually use bends the risk-weighted trend fastest.
Automate remediation
Automate dependency bumps and routine patching so the remediation line keeps pace with discovery without consuming engineering time. Automated fixes turn a throughput problem into a review problem.
Drain the aged backlog
Set a recurring cadence to clear findings that have passed their fix target, since that backlog is where exploitable risk concentrates. Either remediate, remove the component, or formally risk-accept with an owner attached.
The metric tree approach starts by asking which branch is driving the trend. If introduction is surging, the lever is upstream in dependency management and pipeline checks. If remediation has fallen behind, the lever is throughput and automation. Pushing harder on the branch that is already healthy moves the trend very little.
KPI Tree lets you connect each branch to the team that owns it. Application teams own the code and dependencies that drive introduction. Platform teams own the infrastructure footprint. The security function owns triage and prioritisation. With RACI ownership on each node and a push to the accountable owner when their branch starts to worsen, an adverse trend reaches the person who can act on it while it is still small, and the verified impact loop confirms whether the intervention actually bent the line.
Common mistakes when tracking security vulnerability trends
- 1
Watching the count instead of the trend
A single snapshot cannot tell you whether risk is rising or falling. A high count that is shrinking is healthier than a low count that is growing. Always read the direction of travel, not the level.
- 2
Treating all severities as equal
A blended count lets a hundred low-severity findings outweigh one critical, exploitable one. Weight by severity and exposure so the trend reflects real risk, not raw volume.
- 3
Ignoring the introduction side
Focusing only on how fast vulnerabilities are fixed misses the question of why so many keep appearing. A worsening trend is often an intake problem that no amount of faster patching will solve.
- 4
Hiding the aged backlog
Old, unfixed findings are where exploitable risk concentrates, yet they are easy to bury in a total. Track findings past their fix target as a separate line so they cannot be averaged away.
- 5
Closing findings without remediating
Marking a finding resolved without actually fixing or risk-accepting it flatters the remediation line while leaving the exposure in place. Closure must mean fixed, removed, or formally accepted with an owner.
Related metrics
Escalation Rate
Customer Support Metrics
Metric Definition
Escalation Rate = (Escalated Tickets / Total Tickets Handled) x 100
Escalation rate measures the percentage of support tickets that are transferred from one tier or team to a higher tier or specialist group for resolution. It reflects the gap between the issues customers raise and the ability of frontline agents to resolve them, making it a key indicator of agent readiness, process maturity, and product complexity.
Average Resolution Time
Customer Support Metrics
Metric Definition
Average Resolution Time = Total Resolution Time Across All Tickets / Total Tickets Resolved
Average resolution time measures the mean elapsed time from when a support ticket is created to when it is fully resolved and closed. It captures the end-to-end customer experience of getting an issue fixed, encompassing wait times, agent work time, escalations, and any back-and-forth exchanges required to reach a solution.
Deployment Frequency
DORA metric
Operations Metrics
Metric Definition
Deployment Frequency = Number of Production Deployments / Time Period
Deployment frequency measures how often an organisation successfully releases code to production. It is one of the four DORA (DevOps Research and Assessment) metrics that predict software delivery performance and organisational outcomes. Teams that deploy more frequently deliver value to users faster, reduce the risk of each individual release, and create tighter feedback loops between development and production.
Cycle Time
Process speed
Operations Metrics
Metric Definition
Cycle Time = Process End Time − Process Start Time
Cycle time measures the total elapsed time from the start to the end of a process. It is a fundamental operations metric used in manufacturing, software development, service delivery, and any context where the speed of a process directly affects throughput, cost, and customer satisfaction.
Why did my metric change?
Metric Definition
A diagnostic framework helps you work out why open vulnerabilities are rising or falling rather than just watching the trend line.
Metric trees for engineering teams
Metric Definition
Shows how engineering teams place security vulnerability trends alongside the other operational metrics they own and act on.
Decompose the trend and find what is driving the risk
Build a vulnerability-trend metric tree that separates intake from remediation and connects each branch to the team that owns it, with a push when the line starts to worsen.
