← Back to Research
Research21 min read

Security Finding Mean Time to Assignment Economics

A vulnerability finding cannot be remediated by an operating workflow until a named, active, in-scope owner is bound to it. Most enterprise vulnerability programmes report MTTR as the headline cycle-time metric. MTTR is a composite of three operational segments: time from finding creation to named assignment, time from assignment to engineering acknowledgement and triage, and time from triage to verified closure. The composite hides where the cycle time actually sits. Programmes that pair mean time to assignment, handoff latency, and remediation time as three separate lines read where the lag lives and direct each segment to the right operational owner.1,2,5,7

This research covers the pre-triage segment that most enterprise vulnerability programmes do not instrument and do not report. It names when the MTTA clock starts and stops, the six canonical drivers of MTTA variance (routing-primitive fall-through, manual-triage backlog, cross-team escalation latency, after-hours and weekend inflow, inflow burst, severity-mismatch deferral), the five primary measurement axes (MTTA median by severity, MTTA 90th percentile by severity, auto-assignment effectiveness rate, unassigned finding queue depth, unowned finding ageing distribution), the target bands by severity, the framework citations that expect named assignment cadence (ISO 27001 A.8.8 and A.5.24, SOC 2 CC7.1 and CC8.1, PCI DSS 6.3 and 11.3 and 12.5.1, NIST SP 800-53 RA-5 and SI-5 and IR-4, NIST SP 800-40 Rev. 4, NIST CSF 2.0 ID.RA and DE.AE and RS.AN, CIS Controls v8.1 safeguards 7.1 and 17.4, DORA Articles 9 and 24, HIPAA 164.308(a)(1)(ii)(D), CISA CPG 2.B), and the live-record discipline that holds assignment cadence current across reorganisations and audit cycles.3,4,6,8,9,10,11,14

Why MTTA is the segment most programmes do not measure

MTTR is the cycle-time metric every enterprise vulnerability programme knows how to talk about. It maps cleanly to the executive dashboard, the board cyber-risk briefing, and the audit-evidence package. The composite is also the only cycle-time number that survives the journey from operational system to leadership slide without losing recognisability. So the dashboard reports it and the team manages against it.7,11

The composite hides three operational segments. The pre-triage segment runs from finding creation to the first named owner assignment that the operating workflow can route work against. The triage and handoff segment runs from the assignment event to the engineering acknowledgement that triage is happening and the finding is moving toward a remediation decision. The remediation segment runs from acknowledged ownership to verified closure with the retest or other verification artefact. Each segment has its own cost drivers, its own ownership, and its own remediation pattern. The composite reports the sum and obscures the segment-level cost structure.

A programme that spends three days assigning a critical finding, one day in handoff, and four days in remediation reports the same MTTR as a programme that assigns the finding in two hours, spends two days in handoff, and spends six days in remediation. The first programme has an intake and ownership discipline gap; the second has an engineering remediation gap; the two failure modes call for different interventions. MTTA surfaces the first failure mode that the composite hides. The companion security engineering handoff latency research covers the second segment; this research covers the first.

When the MTTA clock starts and stops

The clock starts at the moment the finding becomes a live record in the workspace, decomposed cleanly across the inflow channels. The activity log captures the create event with a timestamp and a named actor, so the start point is queryable rather than inferred.5,8,16

Inflow channelClock start timestampCommon confusion to avoid
External scanner outputThe ingest-commit timestamp when the scanner output lands in the operational record.Not the original scan start time and not the scan completion time on the scanner side.
Authenticated DAST outputThe ingest-commit timestamp when the authenticated scan results commit to the workspace.Not the credential vault unlock event and not the per-target scan completion event.
Code scanner outputThe pipeline-commit timestamp when the SAST or SCA output lands against the repository binding.Not the commit hash that triggered the scan and not the pipeline-run start event.
Manual finding entryThe create event recorded in the activity log when the consultant or operator commits the finding.Not the underlying observation timestamp and not the draft-save timestamp.
Third-party scan import (bulk)The import-commit timestamp when the imported finding lands against the operational record.Not the original scan timestamp from the source system and not the file upload timestamp.
Bug bounty and external disclosureThe triage-acceptance timestamp when the report becomes a workspace finding record.Not the platform-side report submission timestamp and not the first acknowledgement to the reporter.

The clock stops at the moment an assignment event is recorded against the finding by a named actor. The assignment event names the new owner with an identity the workspace user record can resolve and that the audit query verifies as active and in-scope. Three properties of the stop event matter.

  • The bound owner must be a named individual whose workspace user record is active. Group inboxes, generic role mailboxes, and distribution lists do not stop the MTTA clock for audit purposes.
  • The bound owner must be in scope to act on the finding. An assignment to a person who has departed, transferred, or rotated out of the relevant asset surface stops the field-presence query but does not stop the operational MTTA clock.
  • Provisional assignments stop the clock only when the provisional record is itself a named, active workspace user with an explicit successor-of-record entry in the activity log. A placeholder assignment that the operating workflow expects to re-route does not stop the clock.

The six canonical drivers of MTTA variance

MTTA does not arrive in one shape. Six canonical drivers produce most of the variance across enterprise programmes. Each driver has its own detection signature on the activity log, its own organisational cadence, and its own remediation pattern. The assignment register names the driver class on each affected finding so the audit citation for assignment cadence reads as a closed loop rather than as an inferred manual sweep.3,5,7,9

Routing primitive fall-through

The auto-assignment rule does not match the finding because the asset is new, the scanner is new, or the routing rule library has not been updated for the current organisational structure. The finding lands in the unassigned queue with no owner bound. The detection signature is a finding-create event followed by an unresolved-owner event with no auto-assignment event between them. The remediation pattern is routing-primitive extension plus a provisional team assignment from the manual queue.

Manual triage backlog

Findings that fall through auto-assignment land on the vulnerability programme manager queue, the queue grows faster than the manager can clear it, and the per-finding wait extends. The detection signature is queue-depth growth that outpaces clearance rate across the rolling window. The remediation pattern is auto-assignment effectiveness improvement, additional manual-triage capacity, or a triage backlog sweep before the queue saturates.

Cross-team escalation latency

The auto-assigned owner is technically valid but the finding belongs to a different team; the re-routing decision requires a meeting or a manager review that adds days. The detection signature is an auto-assignment event followed by a reassignment event from a different actor with elapsed time that exceeds the within-team reassignment baseline. The remediation pattern is routing-primitive refinement against the cross-team mismatch pattern plus an explicit reassignment SLA.

After-hours and weekend inflow

Findings arriving outside business hours wait until the next business day for the manual triage step that auto-assignment could not handle. The detection signature is an inflow-timestamp distribution with measurable mass outside business hours and an assignment-timestamp distribution concentrated at the start of the next business window. The remediation pattern is 24x7 routing-primitive coverage, on-call rotation for after-hours triage, or an explicit deferral policy for non-critical severities.

Inflow burst

A new scanner generation, a coverage expansion, an emergency scan, or a CISA KEV-driven sweep produces an inflow that the routing layer absorbs but the manual queue saturates against. The detection signature is an MTTA spike correlated with an inflow-volume spike in the same window. The remediation pattern is temporary manual-triage capacity, scoped routing-primitive simplification for the burst class, or explicit policy that critical severities preempt the queue.

Severity-mismatch deferral

The auto-assigned owner downgrades severity and the re-routing requires a re-triage that adds latency before the new owner is bound. The detection signature is a severity-change event recorded soon after assignment with a reassignment event following. The remediation pattern is intake severity calibration discipline, scanner severity normalisation, and routing-primitive rules that read severity bands rather than raw scanner labels.

The pattern across the six is that detection requires a timestamped activity log with named actors (so inflow, auto-assignment, reassignment, and severity-change events all read against the same record), a versioned routing rule library (so fall-through and rule-update events are queryable), a versioned team and user record (so cross-team and after-hours events resolve cleanly), and an inflow-shape view (so burst detection separates from per-finding cadence). Programmes that run any of these as static spreadsheets cannot decompose MTTA into the driver classes and run the assignment cadence as a manual audit-week reconciliation.

The five primary measurement axes

MTTA is measurable as a function of the live record across five axes that together separate a programme with a durable assignment cadence from one that runs assignment as a manual sweep.5,7,16

MTTA median by severity band

The median elapsed time from finding creation to first named assignment, decomposed by critical, high, medium, and low severity. Reads against the documented assignment cadence policy and against the leadership target band. A programme reporting four-hour critical median, one-day high median, three-day medium median, and one-week low median sits at the strong end of enterprise practice; a programme reporting two-day critical median has a structural intake or routing problem to address.

MTTA 90th percentile by severity band

The 90th percentile elapsed time by severity. Reads the tail rather than the centre and surfaces the population of findings that wait longer than the typical case. A programme whose critical median holds at four hours but whose critical 90th percentile sits at two business days has a small but real tail of critical findings that miss the leadership-readable cadence; the tail concentration is the focus of the routing-primitive review.

Auto-assignment effectiveness rate

The fraction of new findings that receive a named owner from the routing primitive without manual triage. The inverse is the fall-through rate that lands on the vulnerability programme manager. A programme operating at ninety-percent effectiveness has nine out of ten findings auto-routed and one out of ten on the manual queue; pushing to ninety-five percent typically requires structural rule-library extension against the residual hard cases. The companion security finding routing rule economics research covers the per-rule cost structure that this axis reads against.

Unassigned finding queue depth

The count of open findings without a named owner at any moment, decomposed by severity and by source. Reads the instantaneous state rather than the cycle-time. A programme whose queue depth holds at under ten across the week has a sustainable manual-triage capacity; a programme whose queue depth drifts upward over the week has a clearance rate that lags the inflow.

Unowned finding ageing distribution

The elapsed-time distribution of findings still in the unassigned queue, decomposed by severity. A histogram of ages surfaces ageing patterns that the headline MTTA hides; a programme whose median MTTA holds at one business day but whose unassigned queue contains medium findings ageing past two weeks has a long tail of low-priority assignments that audit will read against the cadence policy.

Reporting these five together separates the false-passing programmes (low headline MTTA achieved through a manual sweep at the end of week) from the durable programmes (low MTTA at any time, achieved through a continuous routing layer and a sustainable manual queue). The five also separate the failure modes: median-and-queue-depth growth points at manual capacity; 90th-percentile widening points at a tail-shape problem; effectiveness-rate erosion points at a routing-rule library gap.

Target MTTA bands by severity

Target bands depend on the programme cadence, the routing-primitive coverage, and the manual-triage capacity, but most enterprise programmes converge on similar shape. Programmes that hold these bands as policy and instrument the breach population separately from the headline MTTA produce assignment cadence that survives leadership review and audit.4,6,7,9,11

SeverityMedian target90th percentile targetUnassigned tail expectation
CriticalFour hours business hours; eight hours overall.Eight hours business hours; one business day overall.Near zero past one business day; explicit escalation for any ageing instance.
HighOne business day.Two to three business days.Investigated tail past three business days; named driver class for each.
MediumFive business days.Two weeks.Reviewed tail past two weeks; tied to routing-primitive coverage update.
LowOne sprint or two weeks.One month.Retired or escalated past one month with documented disposition.

Programmes that report a single MTTA number across all severities miss the segment behaviour and direct improvement at the wrong tail. A programme reporting a two-day MTTA average sounds reasonable until the decomposition shows critical findings averaging twelve hours and medium findings averaging six business days; the leadership conversation belongs around the medium-severity routing-primitive gap rather than around a generic operational improvement.

How MTTA interacts with the remediation SLA window

Remediation SLAs are conventionally measured from finding creation to verified closure, which means MTTA consumes the front of the SLA window before any engineering work begins. The arithmetic matters at the severity bands where the SLA is short.3,4,6,11

A critical SLA of seven days is much harder to hit when MTTA averages three days; the remediation team has four days to triage, fix, retest, and verify closure. Programmes that report SLA breach without separating MTTA from remediation time direct the escalation at the engineering team even when the lag sits in the assignment segment. The breach attribution lands on the wrong owner and the operating response chases the wrong remediation.

The cleaner reading subtracts MTTA from the SLA window and reads the post-assignment time as the engineering-actionable budget. The assignment-segment overrun is reported separately against the assignment cadence policy. The leadership read becomes two numbers per severity band: the assignment-segment overrun rate and the engineering-segment overrun rate. The two together explain the SLA-breach population and route each breach to the right operational owner.

The pre-handoff segment and the SLA window need to be designed against each other rather than against independent policies. A programme operating a four-hour critical MTTA target and a one-business-day critical handoff target with a seven-day critical remediation SLA leaves the engineering team with five and a half days of remediation budget; a programme operating a one-business-day critical MTTA target with the same handoff and SLA leaves the engineering team with five days. The numbers are close in the best case and diverge under inflow burst, after-hours arrivals, and routing-primitive fall-through. Reading the segments together surfaces the design tension before the next quarterly SLA review.

Auto-assignment effectiveness as the headline driver

Auto-assignment effectiveness is the dominant driver of headline MTTA at most enterprise programmes. When the routing primitive covers ninety percent of inflow, ninety percent of new findings receive a named owner inside the auto-assignment latency budget (seconds to minutes), and ten percent land on the manual queue with per-finding wait that depends on manager capacity. The headline MTTA reflects the weighted average across the two paths.7,8,21

Effectiveness bandAuto-routed shareHeadline MTTA shapeTypical improvement focus
Below 70%Less than seven in ten findings auto-routed.Headline MTTA tracks manual queue depth; high variance day to day.Routing rule library coverage expansion across the dominant fall-through classes.
70 to 85%Seven to eight and a half in ten auto-routed.Headline MTTA reads improvement linearly with effectiveness gains.Per-source rule refinement; cross-team mismatch reduction.
85 to 95%Eight and a half to nine and a half in ten auto-routed.Headline MTTA improvement bends as residual fall-through concentrates in hard cases.Structural rule extension; new asset class onboarding; new scanner module onboarding.
Above 95%More than nine and a half in ten auto-routed.Headline MTTA approaches the auto-assignment latency floor; manual queue is a small named tail.Quality-side discipline; rule sprawl reduction; provenance recording for audit defensibility.

Pushing auto-assignment effectiveness from seventy to ninety percent typically cuts headline MTTA by more than the linear share because the manual queue clears faster when fewer findings land in it. The queue dynamics compound; a smaller queue means a smaller wait per item, and a smaller wait per item means a smaller headline MTTA contribution from the manual path. The trio of auto-assignment effectiveness, manual queue depth, and fall-through tail classification together describes whether the routing layer is converging or whether the rule library needs a structural intervention rather than another iterative rule.

MTTA decomposition by finding source

Source-specific MTTA reads measurably differently across the finding catalogue because each source has a different routing-primitive coverage profile. The decomposition lets the programme prioritise the routing-primitive update that recovers the most assignment cadence rather than treating MTTA as a single hygiene problem.5,15,16

Finding sourceAuto-assignment profileTypical MTTA driver
External scan (verified domains)Strong; the asset-to-team binding is established at domain-verification time.Routing-primitive currency against the live verified-domain catalogue.
Authenticated DASTStrong; verified-domain plus credentialed-scope binding is explicit.Severity-mismatch deferral when the auth scope changes the criticality calibration.
Code scanner (SAST or SCA)Strong when the repository owner field is populated; weak on newly connected repositories.Repository owner-field gap and CODEOWNERS mismatch.
Manual finding entryVariable; depends on whether the operator names the owner at entry.Operator-discipline rather than routing-layer gap.
Third-party scan importWeak; the source rarely supplies an owner field; the routing primitive runs against the imported asset reference and falls through at higher rates.Bulk import flow design and asset-mapping discipline at intake.
Bug bounty and external disclosureWeakest; the source has no owner context.Vulnerability programme manager intake capacity; explicit triage SLA.

Programmes that read MTTA decomposed by source rather than as a single number prioritise the routing-primitive update that recovers the most assignment cadence. Code-finding MTTA improvement is typically the cheapest because the repository binding is durable; bug-bounty MTTA improvement is typically the most expensive because the triage intake is fundamentally manual. The companion remediation economics by finding source archetype research covers the cost-side decomposition of the same source-specific shape.

After-hours, weekend, and inflow-burst behaviour

Findings arrive outside business hours through scheduled scans, third-party imports, continuous scanning, and bug bounty submissions. Programmes that read MTTA without separating business-hour and out-of-hour inflow report a higher headline number that reflects the inflow shape rather than the routing-layer performance.5,7,11

The cleaner discipline reads MTTA across three windows. Business-hour MTTA reads auto-assignment effectiveness and manual-queue capacity during the working day. After-hours MTTA reads the on-call rotation and the after-hours triage discipline. Weekend MTTA reads the weekend on-call coverage. Critical findings should receive assignment in all three windows within the documented cadence; medium and low findings can carry an explicit policy deferral to the next business window.

Inflow burst is the second dimension that distorts the headline number. A new scanner generation, a coverage expansion, an emergency scan, or a CISA KEV-driven sweep produces an inflow that the routing layer absorbs but the manual queue saturates against. The detection signature is an MTTA spike correlated with an inflow-volume spike in the same window. The remediation pattern is temporary manual-triage capacity, scoped routing-primitive simplification for the burst class, or explicit policy that critical severities preempt the queue.

Programmes that maintain 24x7 routing-primitive coverage with a documented on-call rotation hold MTTA across all three windows at the same band; programmes that rely on the manual queue carry a measurable after-hours MTTA tail that the audit and leadership read both notice. The leadership conversation when the after-hours tail widens is usually about whether the after-hours coverage is staffed against actual inflow rather than against the rough headline number; the inflow-shape distribution reads against the coverage decision rather than against generic operational improvement.

Framework citations that expect assignment cadence

Assignment is not an optional metadata event; it is an audit-readable cadence the auditor expects the programme to instrument and report against. Most enterprise frameworks expect a documented assignment cadence on vulnerability findings, either through direct control language or through audit-evidence expectations on the vulnerability management process.2,3,4,5,7,9,10,14

FrameworkCitationAudit read
ISO 27001:2022Annex A 8.8 vulnerability management; A.5.24 incident planning.Documented assignment of responsibility on the vulnerability handling workflow with reviewable cadence.
SOC 2 (AICPA TSC)CC7.1 remediation workflow with named ownership; CC8.1 change management assignment.Sample of open findings with timestamped assignment events against the documented intake policy.
PCI DSS v4.06.3 risk-ranking with assignment; 11.3 internal and external scanning with documented assignment; 12.5.1 operational responsibility.Per-finding assignment evidence and the assignment cadence policy alongside the remediation SLA evidence.
NIST SP 800-53 Rev. 5RA-5 vulnerability scanning with assigned responsibility; SI-5 alert response; IR-4 incident handling.Assigned responsibility documented at control-implementation layer with named ownership of the operating workflow.
NIST SP 800-40 Rev. 4Enterprise patch management programme assignment and timing expectations.Named assignment chain from intake through remediation with documented cadence per severity band.
NIST CSF 2.0ID.RA risk assessment accountability; DE.AE anomaly analysis assignment; RS.AN response analysis ownership.Assigned accountability at the governance layer and at the operational layer with traceable evidence.
CIS Controls v8.1Safeguard 7.1 vulnerability management process; 17.4 incident handling assignment.Documented assignment in the operational process with audit-readable cadence.
DORA (EU)Article 9 ICT risk management framework assignment; Article 24 vulnerability management cadence.Documented vulnerability management cadence with assignment evidence at the regulator-readable layer.
CISA CPGGoal 2.B vulnerability discovery with assignment cadence.Per-severity assignment cadence against the programme baseline with reported tail population.
HIPAA Security Rule164.308(a)(1)(ii)(D) information system activity review with named responsibility.Named responsibility on the review workflow with reviewable cadence.

Programmes that report MTTA alongside open-finding aging, severity distribution, and closure throughput produce audit citations grounded in the live record; programmes that report only MTTR produce audit citations that pass the closure-rate check and fail the assignment-cadence check. The pattern across frameworks is consistent enough that the same five-number MTTA dashboard satisfies the per-framework audit reads without per-framework reformatting.

What the leadership dashboard reads

The leadership report pairs five numbers on the same dashboard the operational view reads. Reporting these alongside open-finding aging, severity distribution, and closure throughput places assignment cadence on the same operating record as the rest of programme reporting. The leadership question the five numbers answer is whether the routing layer can place each new finding in front of an actionable owner before the remediation clock advances meaningfully against the severity band.11,15,20

  • MTTA median by severity band (critical, high, medium, low) against the documented cadence policy.
  • MTTA 90th percentile by severity band so the tail population is visible alongside the centre.
  • Auto-assignment effectiveness rate so the routing-layer convergence is reported on the same cadence as the cycle-time numbers.
  • Unassigned finding queue depth as an instantaneous count, decomposed by severity, with an alert threshold tied to the manual-triage capacity.
  • Assignment-SLA breach population by severity so the breach is read against the assignment-cadence policy rather than against the composite SLA only.

The leadership conversation that the five numbers support is whether the assignment layer is the bottleneck on the cycle time or whether the cycle time is dominated by handoff or remediation. A programme reading three-day critical MTTA, one-day critical handoff, and four-day critical remediation against a seven-day SLA has the assignment layer as the dominant lag and needs routing-primitive extension or manual-triage capacity addition; a programme reading four-hour critical MTTA, four-day critical handoff, and three-day critical remediation has handoff and remediation as the dominant lag and needs notification quality and engineering capacity work instead.

For CISOs and security leaders, the operating commitment is that assignment cadence holds across inflow shape, organisational change, and audit cycles. For vulnerability management teams, the discipline is that the unassigned queue and the per-source MTTA decomposition stay current as the operating record. For GRC and compliance teams, the assignment cadence policy reads as audit evidence against ISO 27001 A.8.8, SOC 2 CC7.1, PCI DSS 11.3, NIST 800-53 RA-5, NIST CSF 2.0 ID.RA, DORA Article 24, and the CISA CPG vulnerability discovery goal.

How the engagement record carries the assignment clock

Assignment cadence gets cleaner when the finding, the asset binding, the named owner, the create event, and the assignment event live on the same engagement record the operational work lives on, rather than on a static spreadsheet that diverges from operational reality after the next change event. The platform does not write the assignment cadence narrative for the team; it does make every audit query for assignment cadence reproducible from the live record at any moment between assessments.

SecPortal pairs every finding, asset binding, remediation action, retest, exception, and closure to a versioned engagement record through findings management, which holds the owner field, severity band, CVSS vector, source pipeline, and remediation status on the finding rather than in a separate spreadsheet. The activity log captures the timestamped create event and the timestamped assignment event by named actor with CSV export, so the per-finding MTTA, the per-severity MTTA distribution, and the auto-assignment effectiveness rate all reconstruct from the same source rather than from spreadsheet output. Team management with role-based access supplies the active workspace user record (owner, admin, member, viewer, billing roles) that the owner field references, so departed users surface as inactive references rather than as silent stale data and the assignment cadence ties to the active roster.

Notifications and alerts route assignment events to the named owner so the assignment is visible at the moment it happens and the post-assignment handoff timer can start cleanly. Scheduled scans on a daily, weekly, biweekly, or monthly cadence produce dated inflow so the after-hours and weekend MTTA windows decompose cleanly from the inflow timestamp. Engagement management groups findings to a versioned engagement record so the per-engagement MTTA stays consistent across the lifecycle. Compliance tracking maps findings to ISO 27001, SOC 2, Cyber Essentials, PCI DSS, NIST, and additional framework catalogues with CSV export so the per-framework assignment-cadence citation reads against the same finding record.

For internal security teams, the operational reality is that the next critical finding lands in front of a named actionable owner before the SLA clock advances meaningfully. For security operations leaders, the assignment-cadence dashboard reads on the same operating record as the rest of programme reporting, so the cycle-time conversation lands on the right segment rather than on the composite.

Conclusion

Security finding mean time to assignment is the pre-triage segment most enterprise vulnerability programmes do not instrument and do not report. Bundled into MTTR, it looks like remediation latency; measured separately, it can consume a third or more of the cycle time on critical findings at programmes with a routing-primitive coverage gap or a saturated manual-triage queue. Six canonical drivers (routing-primitive fall-through, manual-triage backlog, cross-team escalation latency, after-hours and weekend inflow, inflow burst, severity-mismatch deferral) produce the bulk of the variance, and each driver has its own detection signature and its own remediation pattern.3,5,7,9

Treating assignment as a measured operational discipline rather than as an embedded assumption inside the cycle-time composite is the highest-leverage move in vulnerability programme operations after the ownership and routing-rule disciplines themselves. It separates the intake-and-routing cadence from the engineering remediation cadence, it produces audit citations that read as defensible assignment timelines, and it surfaces structural lag before it shows up as a missed SLA on engineering or as an audit-week finding on the assignment-cadence policy. The platform you use does not have to write the assignment cadence for you. It does have to make the assignment segment observable from the live record at any moment between assessments.

Assignment is one of three segments a defensible cycle-time record carries. The companion security engineering handoff latency research covers the second segment from named assignment to engineering acknowledgement and triage; the companion vulnerability remediation throughput research covers the third segment from acknowledged ownership to verified closure; and the security finding routing rule economics research covers the per-rule cost structure that drives the auto-assignment effectiveness rate this research reads against.

Frequently Asked Questions

Sources

  1. AICPA, SOC 2 Trust Services Criteria (TSC) 2017 with 2022 Revisions
  2. ISO/IEC, ISO 27001:2022 Information Security Management Systems
  3. ISO/IEC, ISO 27002:2022 Information Security Controls (Annex A 8.8 Vulnerability Management)
  4. PCI Security Standards Council, PCI DSS v4.0 (Requirements 6.3 and 11.3)
  5. NIST, SP 800-53 Revision 5: Security and Privacy Controls (RA-5, SI-5, IR-4)
  6. NIST, SP 800-40 Revision 4: Guide to Enterprise Patch Management Planning
  7. NIST, Cybersecurity Framework (CSF) 2.0 (ID.RA, DE.AE, RS.AN)
  8. NIST, SP 800-137 Information Security Continuous Monitoring (ISCM)
  9. CIS, Critical Security Controls v8.1 (Safeguards 7.1 through 7.7 and 17.4)
  10. European Union, Digital Operational Resilience Act (DORA) Article 9 and Article 24
  11. CISA, Cybersecurity Performance Goals (CPGs) v2.0 (Goal 2.B Vulnerability Discovery)
  12. CISA, Binding Operational Directive 22-01 Known Exploited Vulnerabilities
  13. FIRST, Common Vulnerability Scoring System (CVSS) Specification
  14. HHS, HIPAA Security Rule (164.308(a)(1)(ii)(D) Information System Activity Review)
  15. SecPortal, Findings Management
  16. SecPortal, Activity Log
  17. SecPortal, Team Management and RBAC
  18. SecPortal, Engagement Management
  19. SecPortal, Notifications and Alerts
  20. SecPortal Research, Security Engineering Handoff Latency
  21. SecPortal Research, Security Finding Routing Rule Economics
  22. SecPortal Research, Security Finding Ownership Decay

Measure assignment cadence on the live engagement record

SecPortal keeps findings, named owners, timestamped create and assignment events, and the activity log paired to one versioned engagement record so each audit query for assignment cadence regenerates from the live record rather than from a stale per-engagement export.

Start freeSee findings management