Mondoo
SLAs & Reporting · Managed VM

Your board sees a transformation you can prove.

You drove the change. Mondoo brings the muscle. Our SLAs give you a clock you can plan around; our Executive Reports give you a story your board can see.

60%
avg. risk reduction in the first chapter · Mondoo customers, FY26
Telekom · Emnify · SVA · IGZ · Newtron · Obsidian

Outcomes Over Reports

Resolution is the point. Reporting just makes it visible.

Most vulnerability tools stop at detection and call it a day. Mondoo is built to transform programs: to actually shrink the backlog, eliminate the dangerous CVEs, and accelerate MTTR. SLAs and Executive Reports both exist for the same reason: what matters is vulnerabilities getting fixed.

01

You plan around real numbers

Trending CVEs land in your tickets within one business day of confirmed detection. Not a vague best-effort — a contractual lead time, with credits if it slips. Your team builds sprints around a known cadence.

1 business day · Trending CVE SLA

02

Your team works on real findings

95% of Trending CVE tickets are validated, reachable, and worth your engineers' time. False positive rate above 5% in any month, and you're owed a credit. Your team stops chasing noise and starts shipping fixes.

≥95% actionable · accuracy target

03

Your board sees the transformation

The quarterly board prep that used to eat your week — built from your live data, scheduled to your inbox. Your CISO moment, generated, not assembled.

Monthly · auto-delivered

Operational Performance Commitments

Numbers You Can Build A Sprint Around.

The same commitments that appear in our Managed Vulnerability Service Level Agreement — pulled out of the legal exhibit so you can read them without a redline pen. Dependability is one of our values, so we put the bar where you can hold us to it.

Finding Type                  Service-Level Commitment                    Coverage Window
Trending CVE                  1 business day from confirmed detection     Business hours
All other vulnerabilities     Delivered via the rolling pipeline          Business hours
SSL/TLS certificate expiry    Notification ≥ 30 days before expiration    Continuous
Software end-of-life          Notification ≥ 90 days before vendor EOL    Continuous

BUSINESS HOURS: 09:00–17:00 GMT+1 · MON–FRI · EXCL. DACH PUBLIC HOLIDAYS

Finding Accuracy Target

95%
of Trending CVE tickets will be actionable.

If you can demonstrate that more than 5% of Trending CVE tickets in a calendar month were false positives, you're eligible for a service credit. The bar is on us, not on you.

If We Miss

1% credit / miss · cap 20%/mo

Every Trending CVE delivered late earns you a 1% credit on the monthly Managed Service Fee. An accuracy miss earns a flat 1% credit. Submit within 30 days of month-end.

How We Work

A rolling pipeline, sized to your team.

Programs fail when the queue overwhelms the people closing tickets. So during onboarding we agree on a Work-In-Progress limit per system owner per sprint cycle. Findings beyond that limit go to a prioritized backlog and release as capacity opens. Your engineers see a steady, finishable stream of validated work — the backlog actually shrinks.

01

Detect & validate

Mondoo scans your inventory continuously and validates findings — reachable, exploitable, worth fixing. Noise gets cut before it ever reaches your team.

02

Prioritize against threat intel

We flag what's actively exploited, trending in the wild, or named in agency directives. Those CVEs jump the queue and trigger the 1-business-day SLA.

03

Package & deliver

We build the work package — ticket, guidance, Ansible or PowerShell snippet, or a pull request — and push it into your ticketing or git workflow.

04

You ship. Your board sees it.

Your team closes the tickets. The work feeds your monthly executive report. Your leadership sees the transformation in numbers.

Proactive Monitoring Horizons

Eliminate the risks you can see coming.

Some problems have known expiry dates — we just need a calendar. For lifecycle events you can plan around, Mondoo commits to advance notification windows long enough for your team to actually do something about them.

SSL/TLS certificate expiry
30 days before any monitored cert expires

We watch the endpoints on your Customer-Supplied Certificate List. You decide what's in scope; we make sure none of it lapses without you knowing.

Software end-of-life
90 days before a vendor pulls support

Where vendor data is publicly available and the asset is in your inventory. Long enough to plan a migration, short enough to land in this fiscal year.

Executive Reports

Your board chapter, generated — not assembled.

You used to spend a week every quarter translating program data into board slides. That ends. Mondoo Executive Reports turns the transformation your program is delivering into the chapter you'd otherwise build by hand — risk, velocity, compliance maturity, and business-unit variance, all in one place, sourced from your live data. Use your existing tools for identity, AppSec, incident, and SOC reporting. We'd rather you nail one chapter than scatter across five.

One story, not five

You tell one story

One chapter, one source of truth. You stop stitching dashboards into slides at 11pm the night before the board meeting.

The transformation slide

You show what got done

Risk reduction, throughput gain, hours saved vs. the prior period, formatted for finance. The slide that answers the board's real question — and the one that gets you recognized.

Debt + maturity, together

You pay down and build up at once

Vulnerability debt and compliance maturity in the same view. The board sees what you're eliminating, what you're building, and how those trade off.

What's In Your Chapter

Seven sections, one chapter.


Detected vs. resolved, cumulatively.

Workflow

Generate, export, schedule.

Four-step wizard

Renders in seconds.

1. Name org
2. Pick spaces
3. Choose frameworks
4. Set targets

Export

One click for the whole deck.

Drop it into your house template. Or export a single slide as PNG or .pptx for embedding in an existing deck.

PowerPoint · PNG · Markdown

Recurring delivery

Lands in the right inboxes.

Daily, weekly, or monthly to a distribution list. Without anyone generating it by hand.

Daily · Weekly · Monthly

Transformation Summary

What did we get for what we spent.

Anonymized customer · 12,400 assets · 4-engineer team · 6 months

Annual savings
$0.0M
in labor costs
Weekly hours saved
0hrs
62 → 8 hrs/wk
Backlog cleared
0D
~790K criticals · zero remaining
Risk reduction
0%
Risk score 92 → 21

Transparency & Control

What we deliver. What you own.

Mondoo runs your vulnerability management program. You retain 100% control over remediation decisions — we suggest and explain, you approve and ship. Here's exactly where the line sits, so there are no surprises.

What Mondoo Delivers

The muscle behind the program.

  • Validated, prioritized, deduplicated findings — risk in your environment, not generic CVSS.
  • Trending CVE alerts within one business day of confirmed detection.
  • Pre-emptive notification on certificate and end-of-life lifecycle events.
  • Work packages — code snippets, Ansible scripts, pull requests — pushed into your ticketing or git workflow.
  • Monthly executive reporting that turns the work into a story your board can read.
  • Throughput tuned to your team during onboarding so vulnerabilities actually get eliminated.

What You Stay In Control Of

The keys stay with you.

  • Every remediation decision. We suggest and explain; you approve and ship.
  • Reviewing, testing, and deploying remediation code in your environment.
  • Hands-on-keyboard changes inside your production systems.
  • Your asset inventory and certificate list — the scope we monitor against.
  • 24×7 incident response and live IR — your existing SOC and IR tools own that.
  • Identity, AppSec, and general IT ticket triage — separate domains, separate tools.

Partnership Inputs

Four things from you, and the SLAs are real.

Our commitments work for assets we can see, on a list you keep current, with access we can use, and a place to push the tickets. Skip any of these and the SLAs pause for the affected assets — not as a loophole, but because we can't deliver results on infrastructure we can't reach.

01 · Asset inventory

Maintain an accurate list of in-scope assets in the platform. We monitor what you tell us to monitor.

02 · Certificate list

Provide and maintain the list of endpoints you want under certificate monitoring.

03 · Network access

Ensure our scanners and agents have the network access they need. Firewalls that block scanning will pause SLAs for affected assets.

04 · Ticketing integration

Maintain a working integration to your ticketing system so we can push work packages directly into your team's queue.

On remediation guidance

You keep the keys.

Every remediation work package — every script, every config snippet, every Ansible block, every pull request — is yours to review, test, and ship. Mondoo suggests and explains; you approve and deploy. We don't reach into your production systems on our own. That isn't a limitation; it's a value. Transparency and control mean you decide what changes and when.

Ready When You Are

Stand in front of your board with a 60% reduction.

We'll size the WIP limit to your engineers, configure your asset and certificate inputs, and stand up your first executive report inside the first month. You drive the program. We bring the muscle.