Vulnerability State Machine Throughput Decomposition

The state machine is the unit of analysis

Every enterprise vulnerability programme already runs a state machine, whether or not the operating model documents it that way. A finding does not move from open to closed in one step; it transits through triage, ownership assignment, remediation work, fix deployment, retest validation, and administrative closure, each with its own owner, its own queue, and its own dwell time. The aggregate throughput number collapses six or seven transitions into one ratio and loses the signal that says which transition is the bottleneck. The decomposition is the inverse: read the rate at which findings enter each state, the rate at which they leave, the depth of the queue inside the state, and the dwell-time distribution per state.

The state machine that matters for an enterprise programme has seven primary states. A finding appears in the new state when the scanner output, pentest report, bug bounty submission, or disclosure intake reaches the workspace. It moves to the triaged state when severity, asset binding, validity, and category are confirmed. It moves to the assigned state when a remediation owner accepts the finding. It moves to the in-remediation state when the owner picks the work up. It moves to the in-retest state when the deployed fix is queued for verification. It terminates in the closed-remediated state on a verified retest pass, or in the closed-exception state on the recorded eight-field override decision. The exact state names are negotiable; the discipline that every finding occupies exactly one state at any moment and every transition is recorded with timestamp and named user is not.

The vulnerability remediation throughput research establishes throughput as the closure half of the inflow-versus-closure ratio. The vulnerability program data model research establishes the record schema that makes per-state queues observable in the live engagement workspace rather than reconstructed from CSV exports at audit week.^26,29

The seven primary states and the transitions between them

The named state set has to be small enough that every operator carries it in their head and large enough that every transition with a real dwell-time signature is its own state. Seven states sits at the equilibrium for most programmes. Some programmes add subtate granularity (in-investigation between triaged and assigned, in-change-window between in-remediation and in-retest) when the additional state produces operational signal that the simpler model collapses; others collapse intermediate states when the traffic between them is negligible.

Per-state ownership is the load-bearing record. Programmes that route every state to a single team queue collapse the ownership signal and lose the diagnostic that says which queue is the binding constraint. The cross-team finding ownership transfer latency research covers the dwell time that accumulates inside the assignment transition specifically when ownership rotates between teams.³⁰

Per-state arrival, exit, and queue-depth

The three measurements that decompose throughput per state are the arrival rate into the state (lambda), the exit rate out of the state (the transition rate to the next state for non-terminal states, or the closure rate into the audit-evidence ledger for terminal states), and the queue depth inside the state (L). The three are connected by Little's Law in steady state: L equals lambda times W, where W is the average waiting time inside the state. The implication is that the per-state queue depth at any moment is the product of the rate at which findings flow into the state and the average dwell time inside the state. A programme that wants to shrink the queue at a given state has to either slow the arrival rate (intake throttle, dedup discipline, scope narrowing), speed the exit rate (capacity expansion, automation, routing simplification), or both.^13,14

The vulnerability ingest versus remediation capacity research extends the paired-rate frame across the inflow side and the closure side simultaneously. The decomposition extends it further across every intermediate state so the capacity question becomes a per-state capacity question rather than a single capacity-versus-inflow comparison.²⁷

The vulnerability programme staffing and throughput economics research reads the staffing curve underneath the decomposition: each per-state transition is owned by one or two named role classes, and the per-FTE throughput envelope at that role class is what determines whether the transition is bandwidth-bound at the analyst layer or coordination-bound at the team layer. Reading the transition decomposition and the staffing curve together identifies both the binding transition and the role to add capacity at.

Per-state failure modes

Seven failure modes recur across the seven-state machine. Each is named, each has a per-state signature, and each is observable in the live record once the three measurements are reported per state. Reporting the aggregate throughput number obscures every one of them.

The vulnerability fix verification fidelity research covers the in-retest discipline that turns the reopened-loop signature from a recurring failure into a recoverable signal. The exception conversion economics research covers the closed-exception arrival pattern that the exception-drift signature exposes.^31,32

Per-state SLA targets and the end-to-end window

Per-state SLA targets are tighter than per-finding SLA targets because each state owns only a slice of the end-to-end window. CISA Binding Operational Directive 22-01 sets a 14-day end-to-end window for known exploited vulnerabilities; PCI DSS Requirement 6.3.3 sets a 30-day window for high-risk vulnerabilities; ISO 27001 Annex A 8.8 expects a programme-defined cadence justified by risk. The defensible per-state allocation breaks the end-to-end window into per-state slices that sum to less than the end-to-end target.^1,3,4

The slices add to less than the end-to-end window because the programme has to absorb queue-time at each transition and the change-window calendar on the platform side rarely lines up with the discovery date. The discipline is to publish per-state SLA targets at the same severity bands the end-to-end SLA is published against so the programme can read which state actually violates the end-to-end window when a finding ages out. The SLA breach aging distribution research covers the aging shape that per-state slices have to anticipate.²⁸

Per-state cycle-time distributions are heavy-tailed

Cycle-time distributions inside states that involve human decision-making, scheduled change windows, or third-party dependencies are heavy-tailed. Reporting only the median cycle time inside a state describes the experience of the median finding; reporting p50, p90, and p99 inside the state describes the tail risk and the SLA risk simultaneously. The defensible reporting pattern names the tail because the tail drives audit findings and customer escalations more often than the median, and the tail is where exception conversion and abandonment cluster.^14,15,16

Change windows distort cycle-time inside the in-remediation state and inside the in-retest state. A weekly production change window with a freeze on the rest of the week produces in-remediation cycle-time distributions clustered at one-week increments, regardless of the underlying remediation work. The defensible diagnostic is to overlay the per-state cycle-time histogram against the change-window calendar so the distortion is visible and the budget conversation about change-window relaxation has the right evidence.

Closed-exception and reopen interact with the headline number

Both terminal states (closed-remediated, closed-exception) and both reopen paths (closed-remediated to new on rediscovery, closed-exception to triaged on override expiry) interact with the headline closure number in ways the aggregate throughput report cannot disentangle. The decomposition treats them as distinct arrivals and reports them separately at every severity band.

Closed-exception arrivals are administrative closes that move a finding into the audit ledger via the eight-field override decision chain (override class, manual severity, exception rationale, approver, scope, expiry, evidence pointer, version stamp) rather than via a verified retest. Treating closed-exception arrivals as equivalent to closed-remediated arrivals inflates the closure rate by the volume of risk acceptance decisions. The audit committee read on exception arrivals is fundamentally different from the audit committee read on remediated arrivals.

Reopen arrivals are arrivals back into the new-state queue or the triaged-state queue from a terminal state. They arrive because retest discovered the fix did not close the finding, recurring detection saw the finding regenerate, the underlying asset was restored from backup, the deployed compensating control failed, or the original triage classification was overturned during post-mortem. The defensible reporting pattern treats reopen arrivals as a distinct arrival class so the new-state lambda can be decomposed into fresh detection inflow versus reopen inflow. Programmes that report reopen rate per terminal state read whether the closure discipline is durable and which terminal state has the durability problem.

The vulnerability reopen rate research covers the durability question per terminal state in more depth. The risk acceptance decay rate research covers the closed-exception path from acceptance to override expiry.

Eight audit reads that survive scrutiny

The decomposition becomes audit-defensible when the live state record carries the eight reads listed below. Each is reported at the same severity bands the SLA is written against, and each is reproducible at any moment between audits rather than only at audit week. SOC 2 CC4.1 monitoring of controls, ISO 27001 Clause 9.1 monitoring and Annex A 8.16 monitoring activities, NIST CSF 2.0 GV.OV oversight, NIS2 Article 21 cybersecurity risk management measures, and DORA Article 9 protection and prevention each expect a recurring read of the operating state rather than an at-audit-week reconstruction.

The eight reads compose into the management review pack the leadership view samples between assessments. The audit evidence half-life research covers the rate at which artefacts age out of audit defensibility; the per-state decomposition is the artefact set that has the longest half-life because it derives from the live record rather than from a cycle-end report.

Four maturity stages on the way to decomposed throughput

Programmes do not start with the eight reads. They arrive at them through a maturity progression. Naming the stage the programme is at right now is the first step toward investing in the next.

For security leadership, AppSec, GRC, and audit committees

The decomposition serves different stakeholders differently. Security leadership reads the per-state queue trends to plan capacity allocation between triage, ownership routing, remediation, and retest. AppSec teams read the per-state cycle-time tails to choose between platform investment, automation, and process change as the lever for shortening the tail. GRC teams read the closed-exception arrival rate and the exception register currency to write the audit narrative. Audit committees read the per-state SLA breach count and the reopen rate per terminal state to judge whether the closure discipline is durable. Each stakeholder reads the same record at a different cut.

The shared discipline is that the operating record carries the decomposition rather than the report. The remediation tracking workflow covers the live-record discipline that holds the per-state owners, transition timestamps, and override decision chain together. The security leadership reporting workflow covers the per-cadence read the executive surface samples from that record.

How SecPortal supports state machine throughput decomposition

SecPortal pairs every finding to a versioned engagement record with a status group field (active, fixed, accepted_risk, false_positive) and a severity field (info, low, medium, high, critical), so the per-state queue depth on any reporting date is a query against the live record rather than a reconstruction from cycle-end exports. Findings management captures CVSS 3.1 vector, severity band, owner, evidence, and remediation status. The activity log captures every state change as a named-actor entry with timestamp, with retention windows of 30, 90, or 365 days set by workspace plan; the entry covers the lifecycle for finding, engagement, scan, document, comment, invoice, and team entities.

Finding overrides record the eight-field decision chain for closed-exception transitions (override class, manual severity, exception rationale, approver, scope, expiry, evidence pointer, version stamp), so the closed-exception arrival rate is queryable next to the closed-remediated arrival rate without conflation. Retesting workflows pair retest records to original findings so the in-retest queue and the reopen rate per terminal state are observable on the same record. Bulk finding import accepts .nessus, .xml, and .csv intake so third-party scanner output joins the same state machine on the same record rather than running on a parallel ledger.

Continuous monitoring schedules run daily, weekly, biweekly, and monthly cadences so the new-state arrival curve is queryable across cycles. Compliance tracking maps findings to ISO 27001, SOC 2, PCI DSS, and NIST frameworks with CSV export, so the eight audit reads carry framework citations that survive review.

Honest scope. SecPortal does not push state-change events into Jira, ServiceNow, Slack, SIEM, SOAR, or GRC platforms; the discipline runs as a query against the live engagement record rather than as an automation between separate consoles. SecPortal does not provide enterprise SSO, SCIM, or SAML, does not provide automated risk-acceptance approval routing, does not ship a CMDB or asset-inventory synchronisation, and does not assign per-state SLA targets for the programme. The platform makes the state record, the transition timestamps, the override chain, and the retest evidence queryable on one record so the decomposition is reproducible at any moment between audits.

Conclusion

Aggregate throughput is the wrong unit because it collapses six or seven transitions into one ratio and hides which transition is the binding constraint. Decomposing throughput per state turns the operational picture from a slogan into a diagnostic that names the next intervention. The seven-state machine is small enough to operate, large enough to carry the signal, and the three per-state measurements (arrival, exit, queue depth) compose into the eight audit reads that survive scrutiny when the live record holds them. The discipline is not new tooling; it is naming the states, recording the transitions on one record, and reading the three numbers per state at every reporting cadence.

The programmes that arrive at audit week with the eight reads already reproducible from the live record spend the week defending operating-state decisions instead of reconstructing them from spreadsheets. The programmes that arrive without the decomposition spend the week explaining why the headline number looked fine while the binding constraint was somewhere the headline number could not see.

FAQ

Sources

1. CISA, Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities
2. CISA, Known Exploited Vulnerabilities Catalog
3. PCI Security Standards Council, PCI DSS v4.0 Requirement 6.3.3
4. ISO/IEC, ISO 27001:2022 Annex A 8.8 Management of Technical Vulnerabilities
5. NIST, SP 800-40 Rev. 4: Guide to Enterprise Patch Management Planning
6. NIST, SP 800-53 Revision 5: RA-5 Vulnerability Monitoring and Scanning
7. AICPA, SOC 2 Trust Services Criteria CC7.1 Detection of Vulnerabilities
8. NIST, Cybersecurity Framework (CSF) 2.0
9. CISA, Stakeholder-Specific Vulnerability Categorization (SSVC)
10. FIRST, EPSS Exploit Prediction Scoring System Documentation
11. NIST, NVD National Vulnerability Database
12. NIST, SP 800-137 Information Security Continuous Monitoring (ISCM)
13. Little, J.D.C., A Proof for the Queuing Formula L = λW (Operations Research, 1961)
14. Kingman, J.F.C., The Single Server Queue in Heavy Traffic (Cambridge Phil. Soc., 1961)
15. NCSC, Vulnerability Management Guidance
16. OWASP, Vulnerability Management Guide
17. NIS2 Directive Article 21 Cybersecurity Risk Management Measures
18. DORA Regulation Article 9 Protection and Prevention and Article 17 ICT-Related Incident Management
19. SecPortal, Findings & Vulnerability Management
20. SecPortal, Activity Log & Workspace Audit Trail
21. SecPortal, Finding Overrides
22. SecPortal, Retesting Workflows
23. SecPortal, Continuous Monitoring
24. SecPortal, Compliance Tracking
25. SecPortal, Bulk Finding Import
26. SecPortal Research, Vulnerability Remediation Throughput
27. SecPortal Research, Vulnerability Ingest vs Remediation Capacity
28. SecPortal Research, SLA Breach Aging Distribution
29. SecPortal Research, Vulnerability Program Data Model and Record Design
30. SecPortal Research, Cross-Team Finding Ownership Transfer Latency
31. SecPortal Research, Exception Conversion Economics
32. SecPortal Research, Vulnerability Fix Verification Fidelity