Time to Patch Critical Vulnerabilities
Average time between critical vulnerability discovery and successful patch deployment.
Current Value
5.2 days
-1.3 days from previous period
Industry average: 9.4 days
Calculation Method
Sum over all critical vulnerabilities of (Patch Completion Date - Vulnerability Discovery Date) / Total critical vulnerabilities
Significance
This KPI measures how quickly your organization addresses critical security vulnerabilities, reducing the window of opportunity for attackers to exploit known weaknesses.
Definition
Time to Patch Critical Vulnerabilities measures the average time taken from when a critical security vulnerability is identified to when it is successfully patched across all affected systems.
Significance
The time window between vulnerability disclosure and patch deployment represents a critical period of elevated risk. During this time, attackers can develop and deploy exploits against known vulnerabilities.
Faster patching of critical vulnerabilities significantly reduces security risk exposure. Organizations with mature vulnerability management programs typically have shorter patch times for critical vulnerabilities.
Calculation Method
Sum over all critical vulnerabilities of (Patch Completion Date - Vulnerability Discovery Date) / Total number of critical vulnerabilities
Note: This should be tracked separately for different types of systems (e.g., internet-facing vs. internal systems) and should exclude approved exceptions with compensating controls.
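The calculation and note above, worked through in Python as an added example that is not part of the original page. The record layout, field names and sample rows are constructed for illustration. It assumes patch completion is the date the last affected system was patched, and that vulnerabilities still open on any system are counted separately rather than averaged.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: one row per (vulnerability, affected system).
# patched is None while that system is unpatched; exception marks an
# approved exception with compensating controls.
ROWS = [
    # vuln_id, system, exposure, discovered, patched, exception
    ("VULN-A", "web01", "internet-facing", "2024-03-01T09:00", "2024-03-02T09:00", False),
    ("VULN-A", "web02", "internet-facing", "2024-03-01T09:00", "2024-03-03T21:00", False),
    ("VULN-B", "db01", "internal", "2024-03-04T00:00", "2024-03-08T00:00", False),
    ("VULN-B", "db02", "internal", "2024-03-04T00:00", None, True),
    ("VULN-C", "app01", "internal", "2024-03-05T00:00", "2024-03-13T00:00", False),
    ("VULN-D", "vpn01", "internet-facing", "2024-03-06T00:00", None, False),
]

def time_to_patch(rows):
    """Return {exposure: (mean_days or None, closed_count, open_count)}."""
    groups = defaultdict(list)
    for vuln, _system, exposure, discovered, patched, exception in rows:
        if exception:
            continue  # approved exceptions are excluded from the KPI
        groups[(exposure, vuln)].append((discovered, patched))

    days, open_count = defaultdict(list), defaultdict(int)
    for (exposure, _vuln), systems in groups.items():
        if any(p is None for _d, p in systems):
            open_count[exposure] += 1  # not yet patched on every system
            continue
        start = min(datetime.fromisoformat(d) for d, _p in systems)
        done = max(datetime.fromisoformat(p) for _d, p in systems)
        days[exposure].append((done - start).total_seconds() / 86400)

    result = {}
    for e in set(days) | set(open_count):
        mean = sum(days[e]) / len(days[e]) if days[e] else None
        result[e] = (mean, len(days[e]), open_count[e])
    return result

if __name__ == "__main__":
    for exposure, (mean, closed, still_open) in sorted(time_to_patch(ROWS).items()):
        print(f"{exposure}: mean={mean} days, closed={closed}, open={still_open}")
```

Reporting the open count beside the mean keeps a long-unpatched vulnerability from disappearing out of the figure simply because it has no completion date yet.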
Benchmark
Industry average: 9.4 days for critical vulnerabilities
Best practice targets: <72 hours for internet-facing systems; <7 days for internal systems