Vulnerability Response Time Calculator

Enter a discovery date, remediation date, and SLA target to instantly see whether your team met the patch deadline. Works for Critical (1-day), High (7-day), Medium (30-day), and Low (90-day) severity classifications.

Last updated: April 2026

A vulnerability response time calculator measures the elapsed calendar days between when a security flaw is discovered and when a patch or mitigation is applied. Security teams use this metric to enforce SLA compliance under frameworks like CVSS, NIST SP 800-40, and ISO 27001.

Response time targets are determined by severity. Industry baselines treat Critical vulnerabilities as a 1-day SLA, High as 7 days, Medium as 30 days, and Low as 90 days. Breaching these windows increases exploitation risk — the majority of weaponized CVEs are exploited within 7 days of public disclosure, so slow remediation directly widens the attack surface.

This calculator is useful for vulnerability management programs, security operations centres (SOCs), DevSecOps pipelines, and compliance audits. Feed it the timestamp your scanner flagged a finding and the date your team shipped a fix to instantly determine whether you met the SLA or how many days overdue the response was.

For tracking SLA targets across your full CVE inventory rather than individual findings, pair this tool with the Patch SLA Calculator. For a broader view of your unmitigated CVE exposure window, use the CVE Exposure Calculator.

How to Calculate Vulnerability Response Time

1. Enter the date your scanner or security team first identified the vulnerability in the Discovery Date field.
2. Enter the date your team deployed a patch, applied a mitigation, or confirmed remediation in the Remediation Date field.
3. Set the SLA Target (days) to your organisation's policy: Critical = 1 day, High = 7 days, Medium = 30 days, Low = 90 days.
4. The calculator subtracts the discovery date from the remediation date to get the actual response time in calendar days.
5. It compares the response time against your SLA target and reports whether the team met the deadline, and by how many days they were ahead or behind.

Formula

Response Time (days) = Remediation Date − Discovery Date  (calendar days)

SLA Target by Severity:
  Critical → 1 day   (actively exploited or CVSS ≥ 9.0)
  High     → 7 days  (CVSS 7.0–8.9)
  Medium   → 30 days (CVSS 4.0–6.9)
  Low      → 90 days (CVSS 0.1–3.9)

Days Over SLA  = Response Time − SLA Target
                 (negative = days ahead of deadline)
SLA Compliant  = Response Time ≤ SLA Target

Example Vulnerability Response Time Calculations

Example 1 — Critical CVE patched same day

Discovery:     Jan 15, 2026
Remediation:   Jan 15, 2026
Response Time: 0 days
SLA Target:    1 day  (Critical)
               ─────────────────
0 ≤ 1  →  ✓ Within SLA — 1 day to spare

Example 2 — High severity CVE with SLA breach

Discovery:     Mar 1, 2026
Remediation:   Mar 12, 2026
Response Time: 11 days
SLA Target:    7 days  (High)
               ─────────────────
11 > 7  →  ✗ SLA breached — 4 days overdue

Example 3 — Medium severity finding resolved within SLA

Discovery:     Feb 1, 2026
Remediation:   Feb 24, 2026
Response Time: 23 days
SLA Target:    30 days  (Medium)
               ─────────────────
23 ≤ 30  →  ✓ Within SLA — 7 days to spare

Frequently Asked Questions

What is a vulnerability response time SLA?
A vulnerability response time SLA (Service Level Agreement) is the maximum number of calendar days your organisation commits to remediating a security finding after discovery. SLA windows are typically set by severity: 1 day for Critical, 7 days for High, 30 days for Medium, and 90 days for Low. These targets appear in security policies, vendor contracts, and compliance frameworks such as ISO 27001 and SOC 2.
How do I calculate mean time to remediate (MTTR)?
Mean Time to Remediate (MTTR) is the average response time across a set of vulnerabilities: MTTR = Sum of all response times ÷ number of vulnerabilities. For example, remediating 4 CVEs in 2, 5, 7, and 10 days gives an MTTR of 6 days. Use this calculator for individual findings, then average the results across your ticket backlog to get your programme-level MTTR.
What are the standard patch SLA timeframes by severity?
Industry consensus aligns closely with CVSS score bands: Critical (CVSS 9.0–10.0) = 1 day; High (7.0–8.9) = 7 days; Medium (4.0–6.9) = 30 days; Low (0.1–3.9) = 90 days. Regulated environments such as PCI-DSS and FedRAMP mandate specific windows that may be shorter. CISA's KEV catalog implicitly treats listed CVEs as Critical regardless of base score.
Does the calculator use calendar days or business days?
This calculator counts calendar days, not business days. Calendar days are the standard for vulnerability SLA reporting because attackers don't observe weekends or holidays. If your policy specifies business days, you'll need to adjust manually — for example, a 5-business-day SLA is roughly 7 calendar days. Most frameworks (NIST, ISO 27001, SOC 2) reference calendar days in their guidance.
What should we do if we cannot meet a Critical CVE's 1-day SLA?
If a full patch is not feasible within 24 hours, apply a temporary mitigation immediately — network isolation, WAF rule, feature flag disable — and document it as a compensating control. Log the exception with the risk owner's sign-off, set a hard deadline for the permanent fix, and escalate to the CISO if the window extends beyond 72 hours. Many frameworks accept documented compensating controls during a patch cycle.
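
Worked example (added here, not CalcEngine's own code): the Formula section and the MTTR answer above, applied to a small batch of findings in Python, including the case where an actively exploited finding is held to the Critical SLA regardless of its base score. The Finding record, the function names and the sample CVSS scores are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

# SLA targets in calendar days, taken from the page's severity table.
SLA_DAYS = {"Critical": 1, "High": 7, "Medium": 30, "Low": 90}

@dataclass(frozen=True)
class Finding:  # hypothetical record shape, not a scanner export format
    name: str
    cvss: float
    discovered: date
    remediated: date
    actively_exploited: bool = False

def severity_for(cvss: float, actively_exploited: bool = False) -> str:
    """Map a CVSS base score to the page's bands; active exploitation forces Critical."""
    if not 0.1 <= cvss <= 10.0:
        raise ValueError(f"CVSS score outside 0.1-10.0: {cvss}")
    if actively_exploited or cvss >= 9.0:
        return "Critical"
    return "High" if cvss >= 7.0 else "Medium" if cvss >= 4.0 else "Low"

def evaluate(f: Finding) -> dict:
    if f.remediated < f.discovered:
        raise ValueError(f"{f.name}: remediation date precedes discovery date")
    severity = severity_for(f.cvss, f.actively_exploited)
    response = (f.remediated - f.discovered).days  # calendar days
    target = SLA_DAYS[severity]
    return {"name": f.name, "severity": severity, "response_days": response,
            "days_over": response - target,  # negative = ahead of deadline
            "compliant": response <= target}

def mttr(results: list) -> float:
    """Mean time to remediate: sum of response times / number of findings."""
    return mean(r["response_days"] for r in results)

# Constructed sample data: A-C reuse the dates of the page's three examples; CVSS scores are made up.
FINDINGS = [
    Finding("A", 9.8, date(2026, 1, 15), date(2026, 1, 15)),
    Finding("B", 7.5, date(2026, 3, 1), date(2026, 3, 12)),
    Finding("C", 5.3, date(2026, 2, 1), date(2026, 2, 24)),
    Finding("D", 6.1, date(2026, 2, 1), date(2026, 2, 6), actively_exploited=True),
]

if __name__ == "__main__":
    results = [evaluate(f) for f in FINDINGS]
    print(*results, sep="\n")
    print("MTTR (days):", mttr(results))
```

Finding D would pass comfortably under the Medium band (5 days against 30) but is 4 days overdue once active exploitation moves it to the 1-day Critical target.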