Vulnerability Remediation SLA Calculator
Severity
7.5
30%
Asset Criticality
SLA Policy (days)
Capacity Planning
Remediation Deadline2026-07-26
Days Remaining30
Risk Score53/100
PriorityP3
Compliance Statuscompliant
Risk Trajectory (Next 90 Days)
SLA Policy Summary
| Severity | SLA (days) |
|---|---|
| critical | 14 |
| high | 30 |
| medium | 60 |
| low | 90 |
Vulnerability Portfolio
Severity
CVSS
EPSS %
Asset Crit
Days
Portfolio Dashboard
Total Vulns1
Overdue0
Compliance100.0%
Avg SLA30d
0Critical
1High
0Medium
0Low
Priority Ranking
| ID | Severity↕ | CVSS↕ | Risk Score↓ | Priority↕ | Days Left↕ |
|---|---|---|---|---|---|
| V1 | HIGH | 7.5 | 53 | P3 | 20 |
Remediation Capacity
Vulns/Day7.5
Days to Clear1
Weeks to Clear0.2
Patching everything at once is impossible, so vulnerability management runs on remediation SLAs tied to severity and risk. This calculator computes the deadline for fixing a vulnerability from its severity-based SLA, tightens it for high-criticality assets, derives a combined risk score from CVSS and EPSS, and reports whether you are compliant, at risk, or already overdue.
Formula
RiskScore = (CVSS/10 × 100 × 0.5 + EPSS × 0.5) × critMultiplier
- CVSS
- Common Vulnerability Scoring System base score, 0-10, normalized to a 0-100 scale
- EPSS
- Exploit Prediction Scoring System probability as a percentage, 0-100
- critMultiplier
- Asset criticality factor: high 1.3, medium 1.0, low 0.7
- RiskScore
- Combined risk, clamped to 0-100; ≥80 = P1, ≥60 = P2, ≥30 = P3, else P4
How it works
- Enter the vulnerability severity, CVSS score (0-10), EPSS exploitation probability (0-100%), the asset criticality, the discovery date, and your SLA policy in days per severity.
- The base SLA for the severity is adjusted by asset criticality — tightened to 70% of the days for high-criticality assets and loosened to 120% for low-criticality ones — and added to the discovery date to produce the remediation deadline.
- A 0-100 risk score blends normalized CVSS and EPSS equally and scales by asset criticality, mapping to a P1-P4 priority, while the days remaining until the deadline determine compliant, at-risk (within 20% of the window), or overdue status.
Worked example
A critical vulnerability with CVSS 9.8 and EPSS 75% on a high-criticality asset, under a default SLA of 14 days for critical findings.
- Risk score: (9.8/10 × 100 × 0.5) + (75 × 0.5) = 49 + 37.5 = 86.5, then × 1.3 (high criticality) = 112.45, clamped to 100.
- Adjusted SLA: 14 days × 0.7 (high-criticality tightening) = 9.8, rounded to 10 days from discovery.
- Map the risk score to priority: 100 ≥ 80, so the vulnerability is P1.
A risk score of 100 and a P1 priority, with a remediation deadline 10 days after discovery instead of the standard 14.
Frequently asked questions
- What is the difference between CVSS and EPSS?
- CVSS measures how severe a vulnerability is if exploited, on a 0-10 scale. EPSS estimates the probability it will actually be exploited in the wild over the next 30 days. Combining both prioritizes flaws that are both dangerous and likely to be attacked.
- How does asset criticality change the deadline?
- Vulnerabilities on high-criticality assets get a tighter deadline — 70% of the standard SLA days — because a compromise there is more damaging. Low-criticality assets get 120% of the days, giving teams more breathing room to focus effort where it matters.
- What do the compliance statuses mean?
- Compliant means you have more than 20% of the SLA window remaining. At-risk means you are within the final 20% and should act now. Overdue means the adjusted deadline has already passed, putting you out of SLA.
- What are typical remediation SLA timeframes?
- A common default policy is 14 days for critical, 30 for high, 60 for medium, and 90 for low severity. You can override these with your own organization's policy, and the calculator applies asset-criticality adjustments on top of whatever values you set.