Most security SLAs exist to pass audits. They sit in Confluence with perfect formatting and comprehensive severity definitions that developers completely ignore. Security teams enforce them sporadically. Leadership never sees the metrics that matter.
The problem isn't your severity model. It's that your SLAs aren't connected to how work happens. They don't map to sprint cycles, don't trigger Jira tickets, don't block bad deployments, or get out of the way when they should.
This guide shows you how to design SLAs that developers respect, leadership monitors, and security teams can enforce without becoming the bottleneck.
What Effective Security SLAs Should Achieve
Good SLAs produce five outcomes:
Clear ownership, every vulnerability belongs to a squad, a service owner, or a product lead. No shared responsibility, no ambiguity.
Predictable remediation timelines. Based on actual risk exploitability, exposure, and asset value, not arbitrary calendar math borrowed from other companies.
Automated visibility. Security and engineering leadership see what's aging, what's breached, and where teams are stuck without manual reporting.
Better hygiene without blocking delivery. Critical fixes ship fast through emergency processes. Low-risk findings don't clog sprint planning.
Compliance evidence without friction. Your SLAs prove you manage risk consistently with tracked remediation times and documented exceptions.
The Three Categories of Security SLAs
Development SLAs
Set the baseline before code ships. These are enforced requirements, not aspirational guidelines.
Secure coding standards: OWASP Top 10 controls, input validation patterns, and authentication implementations become non-negotiable. Every team codes to the same baseline.
Dependency and container scanning: Libraries with critical CVEs don't reach production. Base images get updated within defined windows. Teams receive automated notifications when new vulnerabilities appear.
Remediation SLAs
Define how fast vulnerabilities get fixed after detection. These are the most visible SLAs to developers and most frequently measured by leadership.
Severity-based timelines: Critical findings get patched same day or next sprint. High within two sprints. Medium within 30-60 days. Low during maintenance windows.
Contextual adjustments: Internet-facing systems get tighter SLAs. Data-sensitive assets escalate one severity level. Known exploits override everything else.
Tracked across teams: Every squad's remediation performance is visible to engineering leadership. Aging vulnerabilities escalate automatically.
Testing SLAs
Establish how often you actively look for vulnerabilities rather than waiting for them to appear in production.
Frequency by risk tier: Internet-facing assets tested monthly with quarterly manual pentests. Internal critical systems quarterly. Lower-risk tools annually.
Coverage commitments: All authentication flows, payment systems, admin panels, and sensitive data APIs tested systematically.
Retest cycles: Critical fixes validated within 15 days. High within 30 days. Any finding surviving two test cycles escalates to the CISO and the product VP.
Designing SLAs Devs Actually Follow
Use Realistic Timelines
Don't default to 7-30-90-day windows because another company published them. Base timelines on environment, exploitability, and business impact.
Production systems demand tighter SLAs than staging. Customer-facing services get priority over internal tools. Vulnerabilities with known exploits get priority over theoretical issues. Revenue systems can't tolerate the same risk as employee wikis.
Keep SLAs Short and Actionable
One line per severity. No policy documents.
- Critical: Fix within 24 hours or block next deploy
- High: Remediate in the current or next sprint
- Medium: Address within 30 days or backlog with justification
- Low: Fix during maintenance cycles
This simplicity eliminates interpretation debates during sprint planning. Developers see a critical finding and know they're fixing it today.
Tie SLAs to Existing Workflows
Embed SLAs where work already happens.
Jira auto-creates tickets when scanners detect findings. Vulnerabilities appear in the backlog with severity, description, and due date. Developers see security work alongside features and bugs.
GitHub and GitLab issues link vulnerabilities to repositories and assign to code owners. The auth squad gets auth vulnerabilities automatically, no security team routing layer.
Gates are enforced at merge time. Critical findings in the production branches block merges. Medium findings create tickets but allow deploys with acknowledgment.
Sprint planning incorporates security work naturally. Security tickets appear in backlog grooming with clear priorities. Capacity planning includes remediation alongside features.
Make Ownership Unambiguous
Every vulnerability needs an owner, a specific squad, a named service,and a tech lead who can be @mentioned. If the authentication service has a SQL injection, the auth squad owns remediation. If the payment API has an authorization bypass, the payments team fixes it. No shared responsibility.
Service ownership maps determine automatic assignment. Cross-cutting issues have a defined owner. Legacy code gets assigned to whoever most recently modified it.
Remediation SLAs: The Core Framework
Severity-Based Model
Start with a simple matrix:
Contextual Adjustments
Adjust timelines based on factors that change real-world risk:
Internet exposure accelerates all timelines by 50%. Public-facing APIs get tighter SLAs because threat actors actively scan them. A medium finding in your public API becomes high-severity in the remediation timeline.
Data sensitivity escalates severity by one level. Systems touching PII, PHI, payment card data, or authentication credentials can't tolerate the same risk as anonymous telemetry services.
Known exploits override all other factors. When Exploit-DB has working proof-of-concept code, it becomes critical regardless of environment or data sensitivity.
Business-critical systems compress timelines. Revenue-generating services that can't tolerate outages get faster security responses because emergency patching carries lower business risk than extended vulnerability windows.
Automation: The Secret to Enforcing SLAs
Manual SLA tracking fails because it doesn't scale. Automation makes enforcement invisible, consistent, and scalable to hundreds of engineers.
Auto-created issues eliminate triage bottlenecks. When SAST detects a SQL injection, when dependency scanners find a critical CVE, or when pentesters report an authentication bypass, a Jira ticket appears automatically with severity, description, and due date.
Auto-assignment removes routing friction. Service catalogs map components to teams. Vulnerabilities in the authentication service route to the auth squad automatically. No manual triage meetings.
Dashboards provide role-appropriate visibility. Security teams see aging vulnerabilities across the portfolio. Engineering teams see their squad's open issues with SLA status. Executives see trend lines for remediation velocity.
SLA breach notifications prevent silent deadline misses. Slack alerts fire three days before deadlines for critical findings. Email escalations go to tech leads when deadlines pass. Director notifications trigger when teams have multiple breached SLAs.
Integration everywhere. Connect Snyk, Trivy, Burp Suite, Checkmarx, SonarQube, and your SIEM to the same workflow engine that routes findings to Jira and tracks remediation progress.
Measuring SLA Performance
Track metrics that indicate whether your SLAs are driving behavior change:
SLA adherence rate: Percentage of findings remediated within defined timelines, broken down by severity and team. 90%+ adherence for critical findings indicates an effective urgent response.
Mean time to remediate (MTTR): By severity, by team, by asset type. If your critical MTTR is five days but your SLA is 24 hours, either your SLA is wrong or your emergency response isn't working.
Reopened vulnerabilities: How often vulnerabilities get marked closed but reappear in subsequent scans. High reopen rates suggest incomplete fixes or architectural issues.
Aging critical findings: Number of critical vulnerabilities older than SLA threshold. This should be zero or near-zero consistently.
Team heatmaps: Which squads consistently hit SLAs, which struggle, and which systematically miss deadlines. This identifies where to focus support.
Show these metrics monthly to engineering leadership and quarterly to the board.
How to Roll Out SLAs Without Friction
Don't launch company-wide. Start small, prove value, iterate, then expand.
Pick one squad as the pilot: choose a team that ships frequently, has a reasonable security culture, and works on production systems. Ideally, pick a team whose tech lead already values security.
Run a 30-day pilot: implement your SLA framework, automation workflows, and measurement dashboards for just this team. Track whether severity classifications make sense and timelines are realistic.
Refine based on data: If every finding is critical, your severity model is too conservative. If teams consistently miss SLAs by 50%, your timelines don't match organizational reality.
Train leads, not everyone. Engineering managers and tech leads need to understand SLAs deeply. Individual contributors just need clear Jira tickets with obvious deadlines.
Publish a two-page guide. Include your severity matrix with timelines, contextual adjustment factors, escalation paths, and links to dashboards. Not a 40-page policy document.
Then expand to the next squad with lessons learned. Repeat until all product teams are covered.
Common Pitfalls to Avoid
Over-optimistic timelines. If your SLAs assume infinite engineering capacity, teams will ignore them as unrealistic security theater.
Too many exceptions. Every exception creates precedent for future exceptions. Keep exception processes narrow and require management approval.
Lack of executive visibility. If your VP of Engineering never sees SLA metrics, security work competes with features on equal footing and usually loses.
Using SLAs only for audits. If you pull out your SLA policy once a year for ISO 27001 compliance but nobody references it during sprint planning, it's compliance theater.
No retesting cycles. Marking a Jira ticket closed doesn't mean the vulnerability actually got fixed. Mandatory retesting validates that remediation reduced risk.
How AppSecure Helps Organisations Build Effective SLAs
Most companies fail because their SLAs aren't designed around how their teams actually work.
AppSecure builds risk-based severity models tailored to your architecture, threat model, and business context. Not generic CVSS scores or frameworks copied from other companies.
We define SLA timelines aligned with your sprint cadence and engineering bandwidth. Aggressive enough to reduce risk but realistic enough that teams can meet them.
We deploy automated tracking dashboards that show security, engineering, and leadership exactly what's at risk and who owns it in real-time.
We write clear policy documentation that fits on two pages and maps directly to operational workflows. Simple reference material developers can use during sprint planning.
We work with your engineering leads to ensure adoption, not just compliance. SLAs only work if developers respect them.
If your current SLAs exist in a document but not in your operational workflows, AppSecure can fix that.
FAQs
1. How often should SLA definitions be updated?
Every six months. Adjust when your architecture changes significantly, new asset classes appear, or remediation data shows consistent SLA breaches, indicating your timelines don't match engineering capacity.
2. Should all teams follow the same SLA?
Yes, for baseline timelines, creating organizational consistency. Adjust contextually for internet exposure, data sensitivity, and business criticality using documented multipliers. Don't create different SLAs for every team that's unenforceable.
3. How do SLAs support compliance?
Auditors evaluating ISO 27001, SOC 2, and PCI DSS want evidence that you manage security risk consistently. SLAs prove you have documented vulnerability management procedures, track remediation performance, and escalate when commitments are missed.
4. When should findings be escalated to leadership?
Automatically, when SLA deadlines are breached, when the same vulnerability reappears after being marked fixed, or when a team has multiple aging critical findings simultaneously.
5. How do you deal with legacy systems?
Accept that some systems can't meet standard remediation SLAs. Document the risk explicitly, implement compensating controls, set extended SLAs with executive approval reviewed quarterly, and create migration plans that eventually eliminate the technical debt.
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
