Why Vulnerability MTTR Alone Misleads: Add MOVA to Measure Real Risk
2026-04-26 , Track 1

Teams celebrate when their Mean Time to Remediate (MTTR) drops, until it suddenly spikes after they fix old vulnerabilities. That looks like failure, but it is actually progress: exposure went down. MTTR measures how quickly work closes, not the health of what remains open. Mean Open Vulnerability Age (MOVA) fills that gap by showing the average age of open vulnerabilities at a given point in time, revealing true backlog risk.

This talk defines MTTR and MOVA in clear, practical terms and walks through a simple simulation comparing two common fix strategies: newest-first and oldest-first. MOVA brings that missing dimension by translating backlog health into data leaders can act on. Attendees will see why MTTR alone can mislead, how MOVA exposes hidden risk, and how combining both metrics gives security teams and leaders a more accurate picture of progress and exposure.


MTTR tells the story of flow: how quickly issues close. MOVA tells the story of stock: the average age of vulnerabilities that remain open. When a team burns down old backlog, MTTR rises while exposure drops, creating a paradox that makes success look like regression. When leadership understands MOVA alongside MTTR, teams can celebrate genuine progress instead of chasing vanity metrics. Together, these metrics turn vulnerability management data into a clear story of both flow and exposure.

This talk explores how MOVA reveals that paradox, highlighting why teams that tackle aged vulnerabilities may appear slower even as they reduce real risk. Using a reproducible simulation, we compare two common remediation strategies:
- Newest-first: keeps MTTR low but lets old risk persist.
- Oldest-first: raises MTTR but meaningfully reduces exposure.
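The following simulation is an added example, not the talk's own code or data. It makes the flow-versus-stock distinction from the abstract concrete: a constructed backlog of two findings already aged 100 and 50 days, one new finding arriving and one fix landing per day, and the two remediation policies compared side by side. MTTR here is computed cumulatively as the mean age at close of everything closed since day 1, and MOVA as the mean age of whatever is still open at the end of each day; the backlog size, arrival and fix rates are assumptions chosen so the arithmetic can be checked by hand.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Constructed backlog: two vulnerabilities already open on day 0,
# aged 100 and 50 days. Pre-existing items get a negative opened_day.
INITIAL_AGES = [100, 50]


@dataclass
class Vuln:
    opened_day: int
    closed_day: Optional[int] = None


def mttr(vulns: list[Vuln]) -> float:
    """Flow metric: mean age at close over every vulnerability closed so far."""
    closed_ages = [v.closed_day - v.opened_day for v in vulns if v.closed_day is not None]
    return float(mean(closed_ages)) if closed_ages else 0.0


def mova(vulns: list[Vuln], day: int) -> float:
    """Stock metric: mean age of the vulnerabilities still open on `day`."""
    open_ages = [day - v.opened_day for v in vulns if v.closed_day is None]
    return float(mean(open_ages)) if open_ages else 0.0


def simulate(strategy: str, days: int = 10, arrivals_per_day: int = 1,
             fixes_per_day: int = 1, initial_ages: list[int] = INITIAL_AGES):
    """Day-by-day run of one fix policy; returns [(day, mttr, mova), ...]."""
    if strategy not in ("newest-first", "oldest-first"):
        raise ValueError(f"unknown strategy: {strategy}")
    vulns = [Vuln(opened_day=-age) for age in initial_ages]
    history = []
    for day in range(1, days + 1):
        # New findings land each day before any fixing happens.
        vulns.extend(Vuln(opened_day=day) for _ in range(arrivals_per_day))
        # Pick the day's fixes from the open backlog according to the policy.
        backlog = [v for v in vulns if v.closed_day is None]
        backlog.sort(key=lambda v: v.opened_day, reverse=(strategy == "newest-first"))
        for v in backlog[:fixes_per_day]:
            v.closed_day = day
        history.append((day, mttr(vulns), mova(vulns, day)))
    return history


def compare(days: int = 10) -> dict:
    """Final-day MTTR and MOVA for both policies, reported side by side."""
    result = {}
    for strategy in ("newest-first", "oldest-first"):
        _, final_mttr, final_mova = simulate(strategy, days)[-1]
        result[strategy] = {"mttr": final_mttr, "mova": final_mova}
    return result


if __name__ == "__main__":
    for strategy, metrics in compare().items():
        print(f"{strategy:13s} MTTR={metrics['mttr']:6.1f}  MOVA={metrics['mova']:6.1f}")
```

Run stand-alone, the newest-first policy reports an MTTR of 0.0 (every fix closes that day's fresh finding) while the two aged items keep growing, so MOVA climbs past 85 days by day 10. Oldest-first reports a far higher MTTR of 16.9 days, because the 100- and 50-day-old findings were closed first, yet its MOVA is 0.5 days: the dashboard that only shows MTTR would call the second team slower, when it is the only one that reduced exposure.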

By visualizing both metrics together, attendees will see that a rising MTTR can actually signal healthy progress when MOVA is falling. The talk explains these dynamics in plain language so security and engineering leaders can share a unified understanding of improvement.

Practical takeaways:
- Define and contrast MTTR and MOVA clearly
- Calculate and communicate MTTR and MOVA clearly to leadership
- Design age-based backlog-triage policies and service level objectives
- Report both metrics side by side without creating vanity dashboards
- Maintain a steady burndown of the riskiest backlog with reproducible data

All examples are vendor-neutral, data-driven, and easy to reproduce.

Caleb Kinney is a cybersecurity leader and Manager of Security Operations at Posit, where he leads security programs and focuses on making security risk measurable and actionable for platforms and open source projects used by millions of data scientists worldwide.

He contributes to Hacker Tracker, serves on the NumFOCUS Security Committee, and volunteers at DEF CON as a Goon. His work centers on turning security metrics into practical systems that reduce exposure and improve how teams prioritize risk.

Find his work at https://derail.net. Outside of security, he runs on Maryland back roads and explores with his wife and two daughters.