Penetration Test Findings Closure Rate

Percentage of identified security vulnerabilities that have been remediated

Current Value

93.7%

+4.5% from previous period

Industry average: 78%

Calculation Method

(Number of closed findings / Total findings) × 100%, tracked by severity level and age

Significance

This KPI measures how effectively your organization addresses security vulnerabilities identified through penetration testing and red team exercises, indicating the maturity of your vulnerability management process.

Definition

Penetration Test Findings Closure Rate measures the percentage of security vulnerabilities identified through penetration tests, red team exercises, and other security assessments that have been successfully remediated or mitigated. This KPI reflects the organization's ability to effectively address known security gaps.

Significance

Penetration tests and red team exercises identify real-world security vulnerabilities that could be exploited by attackers. The speed and thoroughness with which these findings are addressed directly impacts the organization's security posture and risk exposure.

This KPI helps security teams track remediation progress, identify bottlenecks in the vulnerability management process, and ensure that critical security gaps are addressed within defined SLA timeframes.

Calculation Method

The basic calculation is:

• Overall closure rate: (Number of closed findings / Total number of findings) × 100%
• Critical/high findings closure rate: (Closed critical+high / Total critical+high) × 100%
• Findings closed within SLA: (Findings closed within SLA / Total findings) × 100%
• Average age of open findings: Sum of days open across all open findings / Number of open findings

Findings are typically tracked by:
• Severity level (Critical, High, Medium, Low)
• Age (time since discovery)
• Type (e.g., misconfiguration, missing patch, access control issue)
• Status (open, in progress, mitigated, closed, accepted risk)
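
The four calculations above, applied to a small findings register. This is an added example, not part of the original page: the field names, the sample records, and the choice to count "mitigated" as closed while leaving "accepted risk" open are assumptions; the SLA windows are the best-practice targets listed under Benchmark.

```python
from datetime import date

# SLA windows in days, from the best-practice targets in the Benchmark section.
SLA_DAYS = {"Critical": 30, "High": 60, "Medium": 90, "Low": 180}
# Assumption: "mitigated" counts as closed; "accepted risk" stays in the open set.
CLOSED = {"closed", "mitigated"}

def pct(part, whole):
    """Percentage to one decimal place, or None when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else None

def closure_metrics(findings, as_of):
    closed = [f for f in findings if f["status"] in CLOSED]
    open_ = [f for f in findings if f["status"] not in CLOSED]
    crit_high = [f for f in findings if f["severity"] in ("Critical", "High")]
    in_sla = [f for f in closed
              if (f["closed"] - f["found"]).days <= SLA_DAYS[f["severity"]]]
    ages = {f["id"]: (as_of - f["found"]).days for f in open_}
    by_sev = {}
    for sev in SLA_DAYS:
        group = [f for f in findings if f["severity"] == sev]
        by_sev[sev] = pct(sum(f["status"] in CLOSED for f in group), len(group))
    return {
        "overall": pct(len(closed), len(findings)),
        "critical_high": pct(sum(f["status"] in CLOSED for f in crit_high), len(crit_high)),
        "within_sla": pct(len(in_sla), len(findings)),
        "avg_open_age": round(sum(ages.values()) / len(ages), 1) if ages else None,
        "by_severity": by_sev,
        # Open findings already past their SLA window: the backlog to chase first.
        "overdue_open": [f["id"] for f in open_ if ages[f["id"]] > SLA_DAYS[f["severity"]]],
    }

# Constructed sample register (not real data).
FINDINGS = [
    {"id": "F1", "severity": "Critical", "status": "closed", "found": date(2024, 1, 10), "closed": date(2024, 1, 25)},
    {"id": "F2", "severity": "High", "status": "closed", "found": date(2024, 1, 10), "closed": date(2024, 4, 1)},
    {"id": "F3", "severity": "High", "status": "open", "found": date(2024, 2, 1), "closed": None},
    {"id": "F4", "severity": "Medium", "status": "mitigated", "found": date(2024, 3, 1), "closed": date(2024, 3, 20)},
    {"id": "F5", "severity": "Medium", "status": "in progress", "found": date(2024, 4, 1), "closed": None},
    {"id": "F6", "severity": "Low", "status": "accepted risk", "found": date(2024, 2, 15), "closed": None},
]
AS_OF = date(2024, 5, 1)

if __name__ == "__main__":
    for name, value in closure_metrics(FINDINGS, AS_OF).items():
        print(f"{name}: {value}")
```

Note that F2 counts toward the overall closure rate but not toward the within-SLA rate, because it took 82 days to close against a 60-day window for High findings.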

Current Performance

[Charts: Closure Rate by Severity; Age of Open Findings]

Our overall findings closure rate has improved from 89.2% to 93.7% over the past 12 months.
• Critical findings: 100% closed (15/15)
• High findings: 98.3% closed (58/59)
• Medium findings: 92.1% closed (105/114)
• Low findings: 88.6% closed (101/114)
• Average age of open findings: 37 days (down from 52 days)

Benchmark

Industry average: 78% overall closure rate

Best practice targets:
• Critical findings: 100% closed within 30 days
• High findings: 100% closed within 60 days
• Medium findings: >90% closed within 90 days
• Low findings: >80% closed within 180 days

Related KPIs

Vulnerability Management
Time to Patch Critical
Security Control Coverage