Penetration Test Findings Closure Rate

Definition

Penetration Test Findings Closure Rate measures the percentage of security vulnerabilities identified through penetration tests, red team exercises, and other security assessments that have been successfully remediated or mitigated. This KPI reflects the organization's ability to effectively address known security gaps.

Significance

Penetration tests and red team exercises identify real-world security vulnerabilities that could be exploited by attackers. The speed and thoroughness with which these findings are addressed directly impacts the organization's security posture and risk exposure.

This KPI helps security teams track remediation progress, identify bottlenecks in the vulnerability management process, and ensure that critical security gaps are addressed within defined SLA timeframes.

Calculation Method

The basic calculation is:

• Overall closure rate: (Number of closed findings / Total number of findings) × 100%
• Critical/high findings closure rate: (Closed critical+high / Total critical+high) × 100%
• Findings closed within SLA: (Findings closed within SLA / Total findings) × 100%
• Average age of open findings: Sum of days open for all findings / Number of open findings

Findings are typically tracked by:
• Severity level (Critical, High, Medium, Low)
• Age (time since discovery)
• Type (e.g., misconfiguration, missing patch, access control issue)
• Status (open, in progress, mitigated, closed, accepted risk)

Current Performance

Benchmark

Industry average: 78% overall closure rate

Best practice targets:
• Critical findings: 100% closed within 30 days
• High findings: 100% closed within 60 days
• Medium findings: >90% closed within 90 days
• Low findings: >80% closed within 180 days

Related KPIs