Why Vulnerability MTTR Alone Misleads: Add MOVA to Measure Real Risk
2026-04-26, Track 1

Teams celebrate when Mean Time to Remediate (MTTR) drops, then worry when it suddenly spikes after they finally fix older vulnerabilities. The spike looks like failure, but it usually means exposure has gone down. MTTR measures how quickly closed work was closed, not the health of what remains open. Mean Open Vulnerability Age (MOVA) fills that gap by reporting the average age of the vulnerabilities still open at a point in time, which is the backlog risk that MTTR cannot see.

Through a simple, reproducible simulation comparing newest-first and oldest-first remediation strategies, this talk shows why MTTR alone can mislead, how MOVA exposes hidden risk, and how using both together provides a clearer picture of progress and exposure.


MTTR reflects flow. MOVA reflects backlog age. When teams burn down older backlog, MTTR rises while exposure drops, creating a paradox where success looks like regression.

A simple, reproducible simulation compares two remediation strategies:
- Newest-first: keeps MTTR low while old risk accumulates
- Oldest-first: raises MTTR while reducing real exposure

By visualizing both metrics together, you will see how a rising MTTR can indicate healthy progress when MOVA is falling. The focus is on building a practical, shared understanding that security and engineering leaders can use to reason about improvement.
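The simulation described above, written out as an added example in Python. It is not the speaker's code and the numbers are constructed assumptions: 3 new findings arrive and 2 are fixed each day, the team works newest-first for 20 days and then switches to oldest-first for 20 more, and MTTR is reported over a trailing 10-day window the way most dashboards do. The names `Vuln`, `mttr`, `mova`, `simulate` and `burndown_paradox` are this example's own.

```python
# Added example: simulating MTTR vs. MOVA under newest-first and oldest-first
# remediation. Not the speaker's code; the arrival/fix rates, the 20-day switch
# and the 10-day MTTR window are constructed assumptions for illustration.
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class Vuln:
    opened: int                   # day the finding was reported
    closed: Optional[int] = None  # day it was remediated; None while still open


def mttr(vulns, as_of, window=None):
    """Mean Time to Remediate: average (closed - opened) of findings closed on or
    before `as_of`. With `window`, only closures in the trailing `window` days
    count, which is how most dashboards report MTTR. Measures closed work only."""
    ages = [v.closed - v.opened for v in vulns
            if v.closed is not None and v.closed <= as_of
            and (window is None or v.closed > as_of - window)]
    return float(mean(ages)) if ages else 0.0


def mova(vulns, as_of):
    """Mean Open Vulnerability Age: average age of everything still open at the
    end of day `as_of`. Measures the backlog, which MTTR ignores."""
    ages = [as_of - v.opened for v in vulns
            if v.opened <= as_of and (v.closed is None or v.closed > as_of)]
    return float(mean(ages)) if ages else 0.0


def simulate(days, policy, arrivals_per_day=3, fixes_per_day=2, window=10):
    """Each day: `arrivals_per_day` findings open, then `fixes_per_day` are
    closed, picking the newest or the oldest open findings per policy(day).
    Returns a per-day snapshot of both metrics."""
    vulns, history = [], []
    for day in range(days):
        vulns.extend(Vuln(opened=day) for _ in range(arrivals_per_day))
        backlog = [v for v in vulns if v.closed is None]
        # newest-first sorts by opened descending, oldest-first ascending
        backlog.sort(key=lambda v: v.opened, reverse=(policy(day) == "newest"))
        for v in backlog[:fixes_per_day]:
            v.closed = day
        history.append({"day": day,
                        "mttr": mttr(vulns, day, window),
                        "mova": mova(vulns, day)})
    return history


def burndown_paradox(switch_day=20, days=40):
    """Newest-first until switch_day, then oldest-first. Returns the snapshot
    just before the switch, the final one, and a newest-first-only control."""
    switched = simulate(days, lambda d: "newest" if d < switch_day else "oldest")
    control = simulate(days, lambda d: "newest")
    return {"before_switch": switched[switch_day - 1],
            "after_switch": switched[-1],
            "newest_only": control[-1]}


if __name__ == "__main__":
    for label, snap in burndown_paradox().items():
        print(f"{label:14} day {snap['day']:2}  "
              f"MTTR {snap['mttr']:6.2f}  MOVA {snap['mova']:6.2f}")
```

Because three findings arrive and only two close each day, the backlog grows under both policies; what differs is what each metric says about it. Newest-first keeps MTTR at zero for the whole run while MOVA climbs steadily, since every closure is a same-day fix and the old findings are never touched. After the switch to oldest-first, the trailing MTTR jumps into double digits because the closures now being counted are the old ones, while MOVA falls below where it stood before the switch. Reading MTTR alone, the switch looks like a regression; reading both, it is the first moment real exposure went down.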

Practical takeaways:
- Define and contrast MTTR and MOVA clearly
- Calculate and communicate both metrics effectively
- Design age-based backlog triage policies and service level objectives
- Report both metrics side by side without creating vanity dashboards
- Maintain a steady burndown of the highest-risk backlog

All examples are vendor-neutral, data-driven, and easy to reproduce.

Caleb Kinney is a cybersecurity leader focused on making security risk measurable and actionable.

He is currently Manager of Security Operations at Posit, where he works on security for platforms and open source projects used broadly across the data science ecosystem.

He contributes to Hacker Tracker, serves on the NumFOCUS Security Committee, and volunteers at DEF CON as a Goon. His work centers on turning security metrics into practical systems that reduce exposure and improve how teams prioritize risk.

Find his work at https://derail.net. Outside of security, he runs on Maryland back roads and explores with his wife and two daughters.