Vulnerability Remediation SLA Calculator

Reference date:

Open findings use this date to calculate days remaining or days past SLA.

SLA policy preset:

Start from a common vulnerability-management policy, then adjust the days to match your control owner agreement.

SLA clock starts:

Use fix availability when teams cannot remediate until a vendor patch exists.

Critical remediation SLA:

Critical findings should normally be the shortest business-approved window.

days

High remediation SLA:

Use the high window your scanner gate and patch program actually enforce.

days

Medium remediation SLA:

Medium findings often align to planned patch cycles or routine releases.

days

Low remediation SLA:

Low findings can still breach if they remain in backlog beyond the policy window.

days

Known exploited cap:

Use this for active exploitation or KEV-style urgent remediation queues.

days

Vulnerability records CSV:

Paste scanner exports, ticket rows, or a trimmed backlog slice. Dates should be YYYY-MM-DD when possible.

Review SLA inputs

{{ warning }}

System or queue label:

Use the same label your scanner, ticket queue, or risk register uses.

Due-soon buffer:

Default 7 days keeps the base SLA math unchanged.

days

At-risk progress threshold:

This affects triage wording only, not the breach due date.

Default extension:

Leave at 0 unless a formally approved exception applies to the queue.

days

Priority queue rows:

Show the highest-pressure open findings first.

rows

{{ header }}	Copy
{{ cell }}
No rows for the current vulnerability input.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A vulnerability backlog is easier to manage when every open finding has a due date that can be defended. Severity tells part of the story, but remediation work also depends on when the clock starts, whether a fix exists, whether exploitation is known, who owns the asset, and whether an approved exception extends the deadline.

A remediation service level agreement (SLA) turns those policy choices into calendar commitments. It gives security teams a consistent way to ask which findings are still within target, which ones need owner attention soon, which ones have already breached, and which closed items missed their deadline. That is different from a risk score: the SLA measures repair timeliness under a chosen policy, not the full business impact of the vulnerability.

Vulnerability remediation SLA factors
Factor	How it affects the deadline	Practical caution
Severity or CVSS score	Sets the normal repair window, with critical and high findings usually getting shorter targets.	Severity alone does not prove exploitability or business exposure.
Clock start	Chooses whether aging begins at detection, fix availability, or the later of those dates.	A fix-availability clock needs reliable patch or remediation dates.
Known exploitation	Can shorten the base window when a row is marked exploited, active, KEV, or similar.	The flag must come from the scanner, ticket, or risk process before the SLA math can use it.
Exception days	Adds approved extension time after the base window or exploited cap is chosen.	Extensions should map to a waiver, risk acceptance, or compensating-control record.
Closure evidence	Determines whether fixed items closed within SLA, closed late, or cannot be audited.	A closed status without a fixed date is a data-quality problem.

Timeline diagram showing detected date, fix available date, SLA start, due date, review date, and the overdue period.

Teams often misread SLA reports when they collapse all findings into one overdue count. A due-soon critical item may deserve more attention than a stale low finding, and an exploited medium finding may need a shorter deadline than its severity normally implies. The calendar view should support triage, not replace ownership, exposure review, or patch validation.

Remediation SLA reporting is also limited by source quality. It can expose deadline pressure and closure timeliness, but it cannot prove that a patch deployed correctly, that the vulnerability is exploitable on a specific asset, or that an accepted-risk decision is appropriate.

How to Use This Tool:

Paste vulnerability records as CSV, import a CSV or TXT file, or load the sample queue to inspect the expected structure. Header rows are supported, and common aliases are accepted for finding ID, CVE, severity, CVSS score, detected date, fixed date, status, fix availability, owner, asset, exploited or KEV flag, and extension days.

Set Reference date to the reporting cutoff used for this review. Open findings use that date for days remaining, days past due, and progress percentage.
Choose SLA policy preset, then adjust the critical, high, medium, and low remediation windows if your agreement uses different day counts.
Editing a severity window switches the policy to custom without changing the date rules.
Choose SLA clock starts. Use detection when ownership begins at discovery, fix availability when teams cannot act before a vendor or internal repair exists, or the later date when both signals must be respected.
Paste or import Vulnerability records CSV. Keep owner, asset, status, fixed date, fix availability, exploited flag, and extension columns when they exist because they affect the ledger and priority queue.
Set Known exploited cap only when rows marked exploited, active, KEV, or known exploited should use a shorter maximum window than severity normally allows.
Open Advanced to tune the due-soon buffer, at-risk progress threshold, default extension days, and priority queue length.
Resolve the Review SLA inputs warnings before using the report. Invalid detected dates exclude rows from SLA aging, unknown severity uses the low-severity window, and closed rows without fixed dates cannot prove closure timeliness.
The compliance percentage is not audit evidence until scanner exports, ticket history, closure dates, and exception approvals still support the rows.
Review SLA Compliance Snapshot, Vulnerability SLA Ledger, Remediation Priority Queue, and the charts. A result is ready to share when overdue rows, due-soon rows, warnings, and owner assignments match the source queue.

Interpreting Results:

Read the summary as a point-in-time backlog health view for the selected reference date. It may show an active breach queue, a watch queue, or an SLA health percentage. The health percentage uses valid records and is reduced by open breaches, closed-late findings, and closed findings with missing closure dates.

Vulnerability remediation SLA result states
Result label	Meaning	Useful response
Open in SLA	The finding is open and the reference date is on or before the calculated due date.	Keep the owner, patch path, and next checkpoint visible.
Due soon	The finding is open, not overdue, and due within the configured warning buffer.	Schedule remediation, mitigation, or exception approval before the due date.
At risk	The finding is open, not due soon, and has consumed enough of the SLA window to cross the at-risk threshold.	Confirm ownership and a realistic maintenance or release window.
Overdue	The finding is open and the reference date is after the calculated due date.	Escalate remediation, compensating controls, or exception handling.
Closed late	The fixed date is after the due date.	Use the row for audit notes, retrospectives, or control-improvement review.
Closed date missing	The row is marked closed but has no usable fixed or resolved date.	Correct the source record before counting the closure as timely.

The ledger is the best audit trail because it keeps each valid finding with its start date, due date, age, status, and action text. The priority queue is better for daily triage because it lifts exploited rows, overdue rows, due-soon rows, at-risk rows, and higher severities above lower-pressure backlog work.

A favorable percentage does not mean the program has no remaining risk. Verify exploited flags, asset exposure, exception approvals, and closure evidence in the vulnerability-management system before using the results for compliance or executive reporting.

Technical Details:

Remediation SLA math is calendar-day arithmetic applied after classification. Each valid finding needs a severity bucket, an SLA start date, a base repair window, any exploitation cap, and any extension days. Open findings compare the due date with the reference date. Closed findings compare the fixed date with the due date.

Severity normalization accepts text labels and numeric scores. Critical, high, medium, moderate, low, and P0 through P4 map to the four severity buckets. Numeric scores follow common CVSS v3.1 qualitative bands: 9.0 and above is critical, 7.0 to 8.9 is high, 4.0 to 6.9 is medium, and positive scores below 4.0 are low. Unknown severity remains visible and uses the low-severity window for date math.

Formula Core:

\begin{array}{lll} BaseDays & = & \min (SeverityDays, ExploitedCap) when an exploited cap applies \\ EffectiveDays & = & BaseDays + ExceptionDays \\ DueDate & = & SLAStartDate + EffectiveDays \\ DaysRemaining & = & DueDate - ReferenceDate \\ Progress & = & \frac{AgeDays}{EffectiveDays} \times 100 % \end{array}

Vulnerability remediation SLA rule details
Rule area	Applied behavior	Boundary to remember
Policy windows	The default security-operations policy uses critical 7 days, high 30 days, medium 90 days, and low 180 days.	Other presets change those day counts, and editing a window makes the policy custom.
Known exploited cap	Rows marked exploited, active, KEV, CISA, true, yes, or similar use the shorter of severity days and the cap.	A zero-day cap value disables this shortening.
Exception days	Row-level extension or exception days are added after the base window is selected.	Blank row values use the default extension, and negative values are clamped to zero.
Due-soon status	Open findings are due soon when they are not overdue and days remaining is less than or equal to the warning buffer.	Overdue takes precedence over due soon.
At-risk status	Open findings become at risk when they are not overdue or due soon and progress is at least the configured threshold.	At-risk rows are grouped with the watch queue for summary counts.
Closed status	A fixed date on or before the due date is closed in SLA; a fixed date after the due date is closed late.	A closed row without a fixed date remains unknown for closure timing.

Clock-basis selection changes the start date before any window is applied. A detection clock uses the first detected date when available. A fix-availability clock uses the fix available date when present, falling back to detected date when it is missing. The later-date clock compares the detected and fix available dates and starts from whichever is later.

The priority score is a sorting aid. It starts from severity weight, then adds pressure for exploited rows, open overdue rows, due-soon rows, and at-risk rows. Overdue days increase the score further, so an old breach rises above a newer breach with otherwise similar severity. This queue order is useful for triage, but it is not a replacement for asset exposure, compensating controls, or business owner review.

SLA compliance and data-quality calculations
Computed item	Rule	Interpretation
SLA health	(valid records - open overdue - closed late - closed date missing) divided by valid records.	Shows report health for the selected cutoff date, not proof of patch quality.
Invalid detected date	Rows without a usable detected date are excluded from SLA aging.	Fix the date before using the queue as evidence.
Unknown severity	Unknown rows use the low-severity window for due-date math.	The warning should be resolved because the real policy window may be shorter.
Calendar precision	Dates are compared at day precision.	Timezone cutoffs and maintenance-window hours should be handled in the source process when they matter.

For example, a critical finding that starts on May 1 under a 7-day policy is due on May 8. If it is still open on May 10, days remaining is -2 and the finding is overdue by two calendar days. If it closed on May 7, it is closed in SLA; if it closed on May 9, it is closed late.

Privacy and Scope Notes:

The pasted or imported CSV is parsed locally in your browser. Vulnerability IDs, asset names, owner names, queue labels, and exported reports can reveal sensitive operational data, especially for internet-facing systems, unpatched services, and internal ownership paths.

The calculator does not query a scanner, confirm that a CVE affects a live asset, verify patch deployment, or check the current CISA KEV catalog. Use the output for planning and reporting, then confirm exploit status, exposure, compensating controls, exceptions, and closure evidence in the systems that own those records.

Advanced Tips:

Keep Reference date aligned with the scanner export, ticket extract, or evidence-pack cutoff so days remaining match the report period.
Use Known exploited cap as a policy override, not as a lookup. Rows must already identify exploited, active, KEV, or known exploited status correctly.
Choose a fix-availability clock only when the CSV reliably includes vendor fix, patch available, or internal remediation dates.
Use row-level extension days for approved exceptions and reserve Default extension for a whole queue covered by the same waiver.
Tune Due-soon buffer and At-risk progress threshold to your review cadence. A weekly review usually needs a larger buffer than a daily triage meeting.
Raise Priority queue rows high enough to show all active breaches during triage, then use the full ledger or JSON for complete reporting.
Compare Remediation Deadline Timeline with release freezes and maintenance windows before escalating a deadline that cannot be met through normal deployment paths.

Worked Examples:

Critical finding past the deadline

A critical finding detected on May 1 with a 7-day critical window is due on May 8 when the clock starts at detection. If the reference date is May 10 and the row is still open, the ledger marks it overdue by two calendar days.

High finding waits for a fix

A high finding detected on May 1 with a vendor fix available on May 12 depends on the clock basis. Detection-based timing gives a May 31 due date under a 30-day high window. Fix-availability timing moves the start to May 12 and the due date to June 11.

Exploited medium finding with an exception

A medium finding marked KEV with a 14-day exploited cap uses the shorter cap instead of the normal medium window. If an approved exception adds 10 days, the effective window becomes 24 calendar days after the selected SLA start date.

Closed row without usable evidence

A finding marked closed on May 20 with a May 15 due date is closed late. A row marked closed without a fixed or resolved date remains a closure-timing problem because the row cannot prove whether remediation met the SLA.

FAQ:

Which CSV headers are recognized?

Common aliases are accepted for ID, CVE or finding, severity, CVSS score, detected or first-seen date, fixed or resolved date, status, fix availability, owner, asset, exploited or KEV flag, and extension or exception days.

Why did a finding stop being overdue after I changed the clock start?

A fix-availability clock can move the SLA start later when a patch or remediation date exists. That changes the due date even when the severity window stays the same.

How are closed findings counted?

Closed findings with a fixed date are compared against their due date. Closed findings without a fixed or resolved date are treated as unknown closure timing, not as timely closures.

Does the known exploited cap replace exception days?

No. The cap can shorten the base window first. Approved exception days are added after the base window has been selected.

Can I use the SLA health percentage as compliance evidence?

Use it as a reporting aid, not as standalone evidence. Keep scanner exports, ticket history, exception approvals, and patch validation records with the final audit file.

Glossary:

SLA: A service level agreement that defines how many calendar days a finding may remain unresolved under the selected remediation policy.
Reference date: The reporting cutoff date used to age open findings and calculate days remaining or days past due.
Clock basis: The rule that chooses whether SLA aging starts at detection, fix availability, or the later of those two dates.
Known exploited cap: A shortened maximum repair window for rows flagged as exploited, active, KEV, CISA, or known exploited.
Exception days: Approved extension days added after the base severity window or exploited cap is chosen.
SLA health: The valid-record percentage without an active open breach, closed-late finding, or closed row missing closure timing.

References:

SP 800-40 Rev. 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, National Institute of Standards and Technology, April 2022.
CVSS v3.1 Specification Document, FIRST.
CVSS v3.1 User Guide, FIRST.
Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Cybersecurity and Infrastructure Security Agency, November 3, 2021.
Known Exploited Vulnerabilities Catalog, Cybersecurity and Infrastructure Security Agency.