Remediation Half‑Life

MTTR looks like a clean operational metric, but in exposure management it often produces a false sense of control. Vulnerability remediation is not a normal distribution with a stable average. It is a long-tailed process where a small number of stubborn findings can stay open for months, and where many easy fixes close quickly. A single “mean” compresses that complexity into one number that can swing based on what gets closed first, how you define “start time,” and whether you calculate it only on closed items. In practice, MTTR can improve even when true exposure does not, simply by prioritizing quick wins and leaving the hard, high-risk issues unresolved.

Remediation half-life is the metric a CISO can actually govern because it measures the system, not the anecdotes. Half-life treats your open vulnerabilities as a population and asks one question: how long does it take for half of what is open today to be remediated? 

That approach captures the long tail, stays meaningful even when some issues remain open indefinitely, and enables real accountability. If you change prioritization policy, set enforceable SLAs, increase budget, or split responsibilities between finding and fixing, the half-life curve should shift. If it does not, the program has not changed, no matter what MTTR says. So what's a good remediation half-life? Let’s dive into the data:

It takes around 5 months to remediate half of an average organization’s vulnerabilities.

Assume an organization observes 100 open vulnerabilities today (day zero) and manages to fix 10 of them on the same day, leaving 90 to live another day. The survival rate on day zero would be 90% with a 10% remediation rate. As time passes and vulnerabilities continue to be fixed, that proportion will continue to change. 
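The day-zero arithmetic above generalizes to a survival curve over the whole open population, and the same data lets you compute the MTTR that the post warns about. The following Python is an added illustration, not code from the original post or from Empirical Security: it estimates the survival curve with the Kaplan-Meier method (findings still open at the cut-off date are right-censored rather than dropped), reads the half-life off the curve as the first day survival falls to 50%, and contrasts it with a closed-items-only MTTR. The two "programs" and all counts and day values are constructed for the comparison and are not the report's data.

```python
"""Remediation half-life vs. MTTR on a constructed finding population.

Added illustration; not code from the original post or from Empirical
Security. The two hypothetical programs, their sizes and their close dates are
constructed to make the comparison visible, not drawn from the report.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    opened: int            # day the finding was first observed
    closed: Optional[int]  # day it was remediated, or None if still open


def survival_curve(findings: list[Finding], as_of: int) -> list[tuple[int, float]]:
    """Kaplan-Meier estimate of S(t): the share of findings still open t days
    after being opened. Findings still open on `as_of` are right-censored: they
    stay in the at-risk count up to their current age but never count as a
    remediation event, so the long tail is kept instead of discarded."""
    durations = []
    for f in findings:
        age = (f.closed if f.closed is not None else as_of) - f.opened
        durations.append((age, f.closed is not None))
    event_times = sorted({age for age, closed in durations if closed})
    curve = []
    survival = 1.0
    for t in event_times:
        at_risk = sum(1 for age, _ in durations if age >= t)
        events = sum(1 for age, closed in durations if closed and age == t)
        survival *= 1.0 - events / at_risk
        curve.append((t, survival))
    return curve


def half_life(curve: list[tuple[int, float]]) -> Optional[int]:
    """First day on which estimated survival falls to 50% or below (the median
    remediation time). None means the population has not yet lost half of its
    open findings within the observation window."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None


def mttr_closed_only(findings: list[Finding]) -> Optional[float]:
    """MTTR as it is usually computed: an average over closed findings only,
    which ignores everything that is still open."""
    ages = [f.closed - f.opened for f in findings if f.closed is not None]
    return sum(ages) / len(ages) if ages else None


def day_zero_example() -> list[tuple[int, float]]:
    """The post's worked case: 100 findings open on day zero, 10 fixed that day."""
    findings = [Finding(0, 0)] * 10 + [Finding(0, None)] * 90
    return survival_curve(findings, as_of=0)  # survival 0.9 on day 0


def quick_wins_program() -> tuple[list[Finding], int]:
    """Hypothetical program: 40 easy findings closed in 5 days, only 8 of 60
    hard ones closed by day 180, the other 52 still open on day 200."""
    findings = [Finding(0, 5)] * 40 + [Finding(0, 180)] * 8 + [Finding(0, None)] * 52
    return findings, 200


def balanced_program() -> tuple[list[Finding], int]:
    """Hypothetical program: slower on the easy findings (20 days) but working
    the hard ones too: 30 closed by day 90, 10 by day 150, 20 open on day 200."""
    findings = ([Finding(0, 20)] * 40 + [Finding(0, 90)] * 30
                + [Finding(0, 150)] * 10 + [Finding(0, None)] * 20)
    return findings, 200


def compare() -> dict[str, dict]:
    """MTTR and half-life for both constructed programs, side by side."""
    results = {}
    for name, (findings, as_of) in (("quick_wins", quick_wins_program()),
                                    ("balanced", balanced_program())):
        curve = survival_curve(findings, as_of)
        results[name] = {"mttr": mttr_closed_only(findings),
                         "half_life": half_life(curve), "curve": curve}
    return results


if __name__ == "__main__":
    print("day zero:", day_zero_example())
    for name, r in compare().items():
        hl = "not reached" if r["half_life"] is None else f"{r['half_life']} days"
        print(f"{name:10s} MTTR(closed only)={r['mttr']:.1f} days  half-life={hl}")
```

On this constructed data the quick-wins program reports the better MTTR (about 34 days against 62.5) yet never brings survival below 52% within the 200-day window, while the balanced program reaches its half-life on day 90. That inversion is the failure mode the post describes: an average over closed items rewards closing what is easy, whereas the survival curve only moves when the population as a whole shrinks.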

Tracking this proportion over time across all of the vulnerabilities at all of the firms (over 500) in the Prioritization to Prediction report (volume 2) produced a curve like the one shown above. After analyzing over 3 billion vulnerability findings, we saw that the overall half-life of a vulnerability across all organizations is around 158.6 days (roughly 159), with a mean time to remediation of around 182.8 days. Beyond that, there is clearly a long-tail challenge for remediation programs that leaves many vulnerabilities open beyond one year. Where this gets really interesting is when we look at individual firms’ survival curves and see the vast variability between them:

Survival curve variability across 500 organizations

Takeaway

The survival curve shows remediation is a long-tailed system, not a ticket queue. Most enterprises need roughly five months just to cut today’s open exposure in half, and a meaningful portion of findings linger far longer.

This is why half-life is the metric to govern. Backlog counts and MTTR can improve without reducing meaningful exposure. If half-life is not improving, your program is not improving. The levers that move the curve are executive-owned: resourcing, organizational design (separating finding from fixing), enforceable SLAs, and data-driven thresholds.

For 2026, one curve is not enough. CISOs should segment half-life by exploitation status, by risk level (high-risk, however you define that given your risk tolerance and capacity), and by asset class (endpoints, network, cloud control plane).

Next steps

Empirical Security can benchmark your remediation half-life using real exploitation and exposure data, with the right segments. The outcome is a governance-grade view of whether your remediation system is accelerating and where to apply capacity and policy to shift the curve. Reach out and our data science team can build your individual survival curve.
