CAXA Technologies Security Operations Series: Vulnerability Management At a recent client, the vulnerability management programme had everything it was supposed to have: a well-integrated scanner, EPSS enrichment, tools existed to aggregate findings with SLA classifications attached. The MTTR numbers were poor. Not because the findings were wrong. Because no engineering team owns the SLAs. The security team was chasing fixes across squad boundaries with no escalation path.

Your vulnerability backlog is not one number. It is at least nine. Here are the three segmentations that make it a usable security metric.