VRM 3.0 VulnerabilityRiskModel.com

SLA Clock Calculator

Calculate SLA timelines for vulnerabilities with dynamic criticality changes

Why Static SLAs Don't Work with VRM 3.0

The problem is that changing criticalities can wreak havoc on SLAs. If a vulnerability goes from Low one day to Critical the next, it becomes very difficult for teams to plan and work toward goals over time, and very hard to produce meaningful metrics. Here are some example scenarios we need to account for:

  1. A Critical vulnerability becomes a Low, so the work a system owner has done looks less impressive even if patching or fixing the vulnerability took a high level of effort.
  2. A 60-day-old Medium vulnerability goes up to Critical, making it look like everyone is over SLA on all of the affected systems. This makes them look bad to leadership even if they immediately rush to fix it.
  3. A Medium vulnerability goes up to Critical for a week and then back down to Medium. If the plan were to reset the SLA with each change in criticality, this could become a never-ending reset as fluctuations keep changing the criticality.

Grace Period on Escalation

When a vulnerability's criticality increases, a grace period is granted from the escalation date before SLA breach applies.

Grace Period Matrix

Original → New      Grace Period
Low → Medium        14 days
Low → High          10 days
Low → Critical       7 days
Medium → High       10 days
Medium → Critical    7 days
High → Critical      5 days

Pros

  • Teams get fair warning to respond
  • Acknowledges that escalation is new information
  • Relatively simple to implement

Cons

  • Still creates crunch if many vulns escalate
  • Doesn't address the "Critical → Low" effort problem
  • Grace periods are somewhat arbitrary

Grace Period Results (calculator example)

Grace period: 7 days
Days at original criticality: 60 days
Total time until breach: 67 days

Time-Weighted SLA Clock

The SLA clock runs at different speeds based on the current criticality. SLA time accumulates faster at higher criticalities, and the clock is never reset by a change in criticality.

Clock Speed Multipliers

Criticality   Clock Multiplier   Effective SLA Days per Calendar Day
Critical      1.0x               1.0
High          0.5x               0.5
Medium        0.25x              0.25
Low           0.1x               0.1

Pros

  • Mathematically fair across transitions
  • Responds to risk without retroactive punishment
  • No gaming possible
  • Accurately reflects cumulative risk exposure

Cons

  • Very complex to implement
  • Hard to explain to leadership
  • Requires custom tooling
  • "SLA days" is a foreign concept


Time-Weighted Results (calculator example)

Total calendar days: 45 days
Accumulated SLA days: 15.0 days
SLA status: In Compliance
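Both clocks are straightforward to script. The Python below is an added example, not code from VulnerabilityRiskModel.com; it encodes the grace period matrix and clock multipliers from this page, reproduces the two result panels above (60 days at the original criticality plus a 7-day grace, and a constructed 30-day Medium / 15-day High timeline that yields 15.0 SLA days in 45 calendar days), and goes slightly beyond the page by converting a dated timeline into segments and by treating de-escalations, which the matrix omits, as getting no grace. The 30 SLA-day budget passed to `sla_status` is an assumption; the page does not state a budget.

```python
from datetime import date

# Clock speed multipliers from the page's table (SLA days accrued per calendar day).
MULTIPLIER = {"Critical": 1.0, "High": 0.5, "Medium": 0.25, "Low": 0.1}

# Grace period matrix from the page (calendar days granted after an escalation).
GRACE_DAYS = {
    ("Low", "Medium"): 14, ("Low", "High"): 10, ("Low", "Critical"): 7,
    ("Medium", "High"): 10, ("Medium", "Critical"): 7, ("High", "Critical"): 5,
}


def grace_period_breach(days_at_original, original, new):
    """Grace-period method: breach applies only after the matrix's grace period,
    counted from the escalation date. De-escalations are not in the matrix, so
    they get no grace (assumption; the page lists escalations only)."""
    grace = GRACE_DAYS.get((original, new), 0)
    return {"grace_days": grace, "days_at_original": days_at_original,
            "total_days_until_breach": days_at_original + grace}


def segments_from_timeline(timeline, as_of):
    """[(date, criticality), ...] (first = discovery) -> [(criticality, days), ...]."""
    changes = sorted(timeline)
    return [(crit, (end - start).days)
            for (start, crit), (end, _) in zip(changes, changes[1:] + [(as_of, None)])]


def time_weighted_sla_days(segments):
    """Time-weighted method: no reset; each calendar day adds MULTIPLIER[crit] SLA
    days, so a week at Critical costs 7 SLA days and a week at Medium 1.75."""
    return sum(days * MULTIPLIER[crit] for crit, days in segments)


def sla_status(segments, budget_sla_days):
    """Accumulated SLA days against one budget in SLA days (assumed parameter)."""
    used = time_weighted_sla_days(segments)
    return {"calendar_days": sum(d for _, d in segments), "sla_days": used,
            "status": "In Compliance" if used <= budget_sla_days else "Over SLA"}


if __name__ == "__main__":
    # Page's grace-period figures: 60 days at original, 7-day grace -> 67 days.
    print(grace_period_breach(60, "Medium", "Critical"))
    # Constructed timeline: 30 days at Medium then 15 at High, checked at day 45.
    timeline = [(date(2024, 1, 1), "Medium"), (date(2024, 1, 31), "High")]
    print(sla_status(segments_from_timeline(timeline, date(2024, 2, 15)), 30))
    # Scenario 3: Medium 60 days, Critical for a week, Medium 10 days. No reset.
    print(time_weighted_sla_days([("Medium", 60), ("Critical", 7), ("Medium", 10)]))
```

Scenario 3 from the list above costs 24.5 SLA days under the time-weighted clock: the week at Critical is charged in full, but nothing is reset when the criticality drops back to Medium.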

This calculator helps visualize how dynamic SLA approaches can handle changing vulnerability criticalities. Both methods aim to balance urgency with fairness.