Mean Time to Remediate Is Not a Fielding Model: A Cadence Audit for Enterprise Vulnerability Management
Abstract
Enterprise security teams commonly summarize remediation through mean time to remediate (MTTR), SLA compliance, dwell time, or detection delay.
These metrics are useful, but they can hide how fixes actually reach the estate: continuously, through scheduled maintenance windows, in deployment rings, or through emergency bypass paths.
This paper introduces a remediation-cadence audit for enterprise vulnerability management.
The audit records routine mean lag, release period, release fraction, cohort geometry, emergency/routine split, non-fielding delay, local residual-pressure evidence, and declared rate scenario.
It compares a continuous same-mean shortcut with the recorded release calendar and reports a local capacity verdict plus a calendar discount: the fraction of mean-only local capacity consumed by calendarized fielding.
Worked notional packets with the same 30-day mean lag show why this matters.
Under the normalized screening scenario, a two-month release train consumes 17.4\% of mean-only capacity, a monthly train 5.2\%, and a two-week screen 1.3\%; across a 16-fold attacker-adjustment rate band, the two-month discount remains at least about 12\% and the monthly discount stays in the resolution-sensitive 3--8\% range.
The audit therefore turns cadence assessment into an evidence-resolution question: when the discount is material relative to residual-pressure uncertainty or claimed headroom, MTTR/SLA should not be used alone as fielding evidence.
Release-geometry checks show that deployment rings do not automatically recover the continuous benchmark, and cohort staggering can help or hurt near capacity.
The result is a reproducible governance diagnostic, not a breach predictor or CVE prioritizer.
이 뉴스, 어떠셨어요?
한 번의 탭으로 반응을 남겨요 · 로그인 불필요