In our 2025 State of Vulnerability Remediation Report, we found that only 60% of respondents measure SLAs, and of those that do, 65% need to track them manually in spreadsheets. In this blog, learn about the importance of SLAs and how Mondoo can help you set and manage SLAs for your entire IT infrastructure - and even more importantly, meet them.
What are SLAs in Vulnerability Management?
SLAs are essentially agreements that define the level of service expected by a customer from a provider. In the context of vulnerability management, the ‘customer’ is your organization, and the ‘provider’ is the security team and platform engineers.
SLAs for vulnerability MTTRs (Mean Time to Resolution) outline the timeframes within which vulnerabilities need to be patched or remediated, based on their severity. It’s important that SLAs are realistic, differ per criticality, and are measurable through automated processes. There’s no point in adding to the workload of already overworked security teams by making them calculate MTTRs in spreadsheets - time they could instead spend actually securing the environment.

Why do you need to set MTTR SLAs?
There are five main reasons why you should set and track SLAs as part of the vulnerability management process:
#1. Time to exploit is rapidly decreasing
Threat actors are exploiting vulnerabilities faster than ever. With the help of AI, attackers can move much faster and can now launch attacks in record times. Mandiant reports that whereas the Average Time-to-Exploit in 2022 was 32 days, in 2024, it was less than 24 hours. By setting clear timeframes, SLAs drive faster response times to vulnerabilities. This reduces the window of opportunity for attackers to exploit weaknesses and breach your environment.

#2. Enforce remediation prioritization
By defining SLAs based on the severity of vulnerabilities (e.g., critical, high, medium, low) and keeping teams accountable for them, you can ensure that the focus stays on fixing the most critical vulnerabilities first. This means that remediation efforts are optimized and bad actors have fewer opportunities to breach the environment. Even if attackers are able to gain access, the potential impact is kept to a minimum.
#3. Achieve compliance
Compliance frameworks like NIS2, ISO 27001, NIST Cybersecurity Framework (CSF), PCI DSS 4.0 (Payment Card Industry Data Security Standard) - see section 6.3.3, HIPAA (Health Insurance Portability and Accountability Act), and SOC 2 (System and Organization Controls) all implicitly or explicitly require organizations to establish SLAs for vulnerability remediation based on their severity level. It’s highly likely that in the future more and more compliance frameworks will start setting explicit SLA requirements.

#4. Foster collaboration
Friction between security teams and platform engineers over remediations often arises due to differing priorities and perspectives. Security teams focus on risk mitigation and compliance, while platform engineers prioritize system stability, performance, and development velocity. Poor communication, unclear prioritization, and lack of automation in security processes further exacerbate the tension, sometimes making collaboration challenging.
SLAs can help alleviate this friction by creating a shared understanding of roles and responsibilities. Everyone knows what's expected of them, when it’s due, and why it’s needed. This fosters accountability and a common goal for security teams and platform engineers, ensuring that vulnerabilities are addressed promptly and effectively.
#5. Report to management
Some organizations measure vulnerability management performance by looking at the total number of vulnerabilities patched. While this is an important number, it doesn’t take into account the speed with which they are remediated.
Instead, MTTR SLA reports provide visibility into how fast issues are being remediated for each risk level, which is the most important metric for improving security. With regular SLA reporting, organizations can track remediation progress, identify bottlenecks, and make informed decisions.
How do Mondoo MTTR SLAs work?
The Mondoo SLA vulnerability management process consists of five stages:

1. Scope
The first step is to set the required timeframes for remediation based on the priority level of vulnerabilities (critical, high, medium, and low). This remediation timeframe is calculated from when the vulnerability is detected to when it is remediated and verified. You can set the time frames as required by your compliance frameworks and industry standards - and what is realistically attainable for your team. For instance, general industry standards agree on 14 days for critical vulnerabilities, 30 days for high, 60 days for medium, and 90 days for low. PCI DSS 4.0 standards require 30 days for critical and high vulnerabilities, and allow you to set your own standards for medium and low risk vulnerabilities.

Mondoo also allows you to specify when you would like to be warned that vulnerabilities are in danger of missing their SLA.
2. Track
Mondoo automatically tracks SLAs and will display SLA status in the dashboard, showing the following per risk category:
- Current average MTTR
- Required MTTR SLA as configured in settings
- # Findings nearing SLA date
- # Findings past SLA date

3. Warn
By clicking on the SLA box in the dashboard, you can view the details of the findings that are nearing their SLA date, and those that have passed it. Mondoo makes it easy to take immediate action on these findings by selecting ‘Take Action’ directly from the list.

4. Fix
The ultimate goal of SLAs is not just to set and track them, but to actually meet them. Therefore, Mondoo helps you fix vulnerabilities as fast as possible by offering:
- Ticketing integrations: Mondoo offers ticketing integrations for Jira, Zendesk, GitHub issues, GitLab issues, ServiceNow, Azure DevOps, and more. Unlike other tools that just offer fire-and-forget ticketing, Mondoo guides issues to resolution and accelerates MTTR by automating manual tasks, streamlining workflows, and providing actionable remediation information.

- Guided remediation and code snippets: For each finding, Mondoo provides full remediation steps and code snippets so issues can be fixed as quickly as possible, without having to first research solutions.
“Mondoo saves us on average 10 minutes per vulnerability by eliminating the need to research remediations and write the Ansible code ourselves.”
Karl Fischer, CIO at Obsidian Systems
- Agentic vulnerability patching: Mondoo can automatically generate a pull request in the Mondoo security pipeline to remediate vulnerabilities using Ansible, Terraform, or Intune. A platform engineer can then review the code and approve it with one click. If Mondoo has fixed a vulnerability that then reoccurs, Mondoo can automatically apply the remediation without requiring any human interaction. Utilizing this remediation method dramatically speeds up MTTR and reduces manual work.

5. Report
To show SLA performance to leadership and compliance auditors, Mondoo provides an SLA overview in the Mondoo dashboard that includes the average MTTR per risk level. In addition, you can export the list of findings nearing or past their SLAs to CSV to show more detail and prioritize fixing outstanding issues.
Conclusion
SLAs are powerful tools that can significantly enhance vulnerability management because they make teams focus on the most important thing - not just detecting the most critical vulnerabilities, not just remediating them, but remediating them before they’re exploited. Schedule a demo to learn more about how Mondoo can help you build your SLA strategy.
About Mondoo
Mondoo eliminates vulnerabilities, not just categorizes them. Global enterprises trust Mondoo to prioritize risks by business impact and exploitability through its patented AI-native security model that collects structured, context-aware data from the entire IT infrastructure. Mondoo’s customers have reduced vulnerabilities and policy violations by 60% and significantly reduced MTTR. With seamless ITSM integrations and transparent security pipelines, Mondoo enables autonomous remediation and continuous compliance. Mondoo bridges the gap between security and engineering, delivering intelligent recommendations and actionable insights to fix the vulnerabilities that matter most to the business.