Caleb Kinney
Caleb Kinney is a cybersecurity leader focused on making security risk measurable and actionable.
He is currently Manager of Security Operations at Posit, where he works on security for platforms and open source projects used broadly across the data science ecosystem.
He contributes to Hacker Tracker, serves on the NumFOCUS Security Committee, and volunteers at DEF CON as a Goon. His work centers on turning security metrics into practical systems that reduce exposure and improve how teams prioritize risk.
Find his work at https://derail.net. Outside of security, he runs on Maryland back roads and explores with his wife and two daughters.
Session
Teams celebrate when Mean Time to Remediate (MTTR) drops, until it suddenly spikes after they fix older vulnerabilities. That looks like failure, but it often means exposure has gone down. MTTR measures how quickly work closes, not the health of what remains open. Mean Open Vulnerability Age (MOVA) fills that gap by showing the average age of open vulnerabilities at a point in time, revealing true backlog risk.
Through a simple, reproducible simulation comparing newest-first and oldest-first remediation strategies, this talk shows why MTTR alone can mislead, how MOVA exposes hidden risk, and how using both together provides a clearer picture of progress and exposure.
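The effect the abstract describes can be reproduced with a small deterministic model. This is an added example, not the speaker's simulation; the arrival rate, daily fix capacity and starting backlog ages are constructed assumptions.

```python
def simulate(strategy, days=30, arrivals=5, capacity=5,
             backlog_ages=range(100, 200, 10)):
    """Return (MTTR, MOVA) in days for one remediation strategy.

    Constructed model: `arrivals` findings open every day, the team closes
    `capacity` per day, and the starting backlog has the given ages.
    """
    # Each open vulnerability is stored as the day it was opened
    # (negative values were opened before the simulation started).
    open_days = [-age for age in backlog_ages]
    closed_ages = []
    for today in range(days):
        open_days.extend([today] * arrivals)
        # oldest-first works the smallest open day first,
        # newest-first works the largest open day first.
        open_days.sort(reverse=(strategy == "newest-first"))
        to_close, open_days = open_days[:capacity], open_days[capacity:]
        closed_ages.extend(today - opened for opened in to_close)

    # MTTR: mean age at closure of everything that was closed.
    mttr = sum(closed_ages) / len(closed_ages)
    # MOVA: mean age of what is still open, measured on the last day.
    last_day = days - 1
    ages = [last_day - opened for opened in open_days]
    mova = sum(ages) / len(ages) if ages else 0.0
    return mttr, mova


if __name__ == "__main__":
    for strategy in ("newest-first", "oldest-first"):
        mttr, mova = simulate(strategy)
        print(f"{strategy:13s} MTTR={mttr:6.2f} days  MOVA={mova:6.2f} days")
```

With these inputs, newest-first reports the better MTTR while the old backlog keeps aging, and oldest-first reports a worse MTTR while the open backlog becomes almost entirely fresh findings.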