The Vulnerability Management Programme Schematic
A completable programme design document: ownership RACI, SLA structure, exception framework, and escalation paths for an audit-defensible VM programme.
Christopher Clarkson
Jun 2 · 5 min read


The Conversation That Kills Programmes
CAXA Technologies Security Operations Series: Vulnerability Management

At a recent client, the vulnerability management programme had everything it was supposed to have: a well-integrated scanner, EPSS enrichment, and tools to aggregate findings with SLA classifications attached. The MTTR numbers were poor. Not because the findings were wrong, but because no engineering team owned the SLAs. The security team was chasing fixes across squad boundaries with no escalation path.
Christopher Clarkson
May 19 · 6 min read
