Caleb Kinney
Caleb Kinney is a cybersecurity leader and Manager of Security Operations at Posit, where he leads security programs and focuses on making security risk measurable and actionable for platforms and open source projects used by millions of data scientists worldwide.
He contributes to Hacker Tracker, serves on the NumFOCUS Security Committee, and volunteers at DEF CON as a Goon. His work centers on turning security metrics into practical systems that reduce exposure and improve how teams prioritize risk.
Find his work at https://derail.net. Outside of security, he runs on Maryland back roads and explores with his wife and two daughters.
Session
Teams celebrate when their Mean Time to Remediate (MTTR) drops, until it suddenly spikes after they fix old vulnerabilities. That looks like failure, but it’s actually progress: exposure went down. MTTR measures how quickly work closes, not the health of what remains open. Mean Open Vulnerability Age (MOVA) fills that gap by showing the average age of open vulnerabilities at a given point in time, revealing true backlog risk.
This talk defines MTTR and MOVA in clear, practical terms and walks through a simple simulation comparing two common fix strategies: newest-first and oldest-first. MOVA brings that missing dimension by translating backlog health into data leaders can act on. Attendees will see why MTTR alone can mislead, how MOVA exposes hidden risk, and how combining both metrics gives security teams and leaders a more accurate picture of progress and exposure.
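The comparison described above can be sketched as a small simulation. This is an added example, not material from the talk: the backlog ages, arrival rate, fix capacity and the `simulate` function are constructed assumptions, and only the two strategy names and the metric definitions come from the abstract.

```python
from statistics import mean

def simulate(strategy, days=30, backlog_ages=(300, 200, 100, 90, 80, 60),
             arrivals_per_day=2, fixes_per_day=2):
    """Run one fix strategy and return (MTTR, MOVA), both in days.

    All numbers are constructed sample values. Each vulnerability is
    stored as the day it was discovered; the starting backlog was
    discovered before day 0, so those values are negative.
    """
    open_vulns = [-age for age in backlog_ages]
    closed_ages = []  # age at closure, the input to MTTR

    for day in range(1, days + 1):
        open_vulns += [day] * arrivals_per_day   # new findings today
        open_vulns.sort()                        # oldest discovery first
        for _ in range(min(fixes_per_day, len(open_vulns))):
            # oldest-first takes the head of the list, newest-first the tail
            index = 0 if strategy == "oldest-first" else -1
            found = open_vulns.pop(index)
            closed_ages.append(day - found)

    # MTTR: mean age at closure of everything fixed during the run.
    mttr = mean(closed_ages) if closed_ages else 0.0
    # MOVA: mean age of what is still open, measured on the last day.
    mova = mean(days - found for found in open_vulns) if open_vulns else 0.0
    return mttr, mova

if __name__ == "__main__":
    for strategy in ("newest-first", "oldest-first"):
        mttr, mova = simulate(strategy)
        print(f"{strategy:13s} MTTR={mttr:7.2f} days  MOVA={mova:7.2f} days")
```

With these inputs, newest-first reports the better MTTR while the same six old findings keep aging, and oldest-first reports a worse MTTR while the open backlog ends up only days old.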