Dom
Viewer

Reporting patching and vulnerability metrics

I'm interested in how others are handling patching metrics. We currently report patching using:

  • % endpoints missing critical/important patches outside a 14-day SLA (aligned to UK Cyber Essentials), and
  • total high/critical vulnerabilities aged >14 days.

The idea was to show both patching coverage and the depth of exposure.

This has worked pretty well historically, but over the last 6 months we’ve been rolling out new laptops and have hit some patching issues. As a result, we’ve now got ~16% of devices outside SLA, and they’re missing multiple patch cycles, which is driving a big spike in vulnerability counts.

I’m starting to get some pressure internally that the metrics are either too harsh or don’t reflect operational performance properly. I still think they’re right from an infosec risk perspective.

Interested in how others are balancing patch SLA vs vulnerability metrics in reporting?

0 Replies
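A worked computation of the two metrics the post describes, added here as an example that is not part of the original thread. The endpoint inventory, findings, identifiers and dates are all constructed; the block assumes a finding's age is counted from the vendor patch release date (the 14-day Cyber Essentials window), and that the scanner's "critical"/"high" severities are the ones to count. It also adds a per-host depth breakdown, which is not in the post, to show whether a spike in the aged-vulnerability count comes from a few hosts missing several patch cycles or from exposure spread across the estate.

```python
from dataclasses import dataclass
from datetime import date

# Cyber Essentials expects critical/high-severity patches applied within
# 14 days of release; this is the SLA the post reports against (assumption:
# age is measured from the vendor release date).
SLA_DAYS = 14
COUNTED_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    """One unpatched vulnerability on one endpoint, as a scanner would export it."""
    host: str
    vuln_id: str      # constructed placeholder ids, not real CVE numbers
    severity: str     # "critical", "high", "medium" or "low"
    released: date    # date the vendor patch became available


def age_days(finding: Finding, as_of: date) -> int:
    return (as_of - finding.released).days


def out_of_sla(finding: Finding, as_of: date) -> bool:
    """True if this is a high/critical finding whose patch is older than the SLA."""
    return finding.severity in COUNTED_SEVERITIES and age_days(finding, as_of) > SLA_DAYS


def pct_endpoints_out_of_sla(inventory, findings, as_of) -> float:
    """Metric 1 (coverage): share of ALL managed endpoints carrying at least one
    high/critical patch outside the 14-day SLA. Clean hosts belong in the
    denominator, so the inventory is passed separately from the findings."""
    breached = {f.host for f in findings if out_of_sla(f, as_of)}
    return round(100.0 * len(breached) / len(inventory), 1)


def aged_high_critical(findings, as_of) -> int:
    """Metric 2 (depth): total high/critical findings older than the SLA."""
    return sum(1 for f in findings if out_of_sla(f, as_of))


def depth_by_host(findings, as_of):
    """Per-host view of metric 2: (count of aged findings, age of the oldest one)
    for each breaching host. A few hosts with high counts and old findings means
    missed patch cycles on those devices rather than estate-wide exposure."""
    depth = {}
    for f in findings:
        if out_of_sla(f, as_of):
            count, oldest = depth.get(f.host, (0, 0))
            depth[f.host] = (count + 1, max(oldest, age_days(f, as_of)))
    return depth


def patch_report(inventory, findings, as_of):
    return {
        "pct_endpoints_out_of_sla": pct_endpoints_out_of_sla(inventory, findings, as_of),
        "aged_high_critical": aged_high_critical(findings, as_of),
        "depth_by_host": depth_by_host(findings, as_of),
    }


# Constructed sample: 12 laptops, two of which have missed several monthly cycles.
INVENTORY = [f"lap-{n:02d}" for n in range(1, 13)]
AS_OF = date(2024, 6, 30)
FINDINGS = [
    Finding("lap-01", "VULN-0001", "critical", date(2024, 4, 9)),   # 82 days old
    Finding("lap-01", "VULN-0002", "high",     date(2024, 5, 14)),  # 47 days old
    Finding("lap-01", "VULN-0003", "high",     date(2024, 6, 11)),  # 19 days old
    Finding("lap-01", "VULN-0004", "medium",   date(2024, 4, 9)),   # medium: not counted
    Finding("lap-02", "VULN-0005", "critical", date(2024, 5, 14)),  # 47 days old
    Finding("lap-02", "VULN-0006", "critical", date(2024, 6, 11)),  # 19 days old
    Finding("lap-03", "VULN-0007", "high",     date(2024, 6, 25)),  # 5 days: within SLA
    Finding("lap-04", "VULN-0008", "critical", date(2024, 6, 20)),  # 10 days: within SLA
]

if __name__ == "__main__":
    print(patch_report(INVENTORY, FINDINGS, AS_OF))
```

On the constructed data the report gives 16.7% of endpoints out of SLA and 5 aged high/critical findings, all on two hosts. Reporting the headline pair together with the per-host breakdown keeps the SLA and exposure figures intact while making clear that the exposure is concentrated on the devices with the rollout problem rather than across the fleet.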