In VR: When would you use SLAs rather than Remediation Targets

LeslieC
Tera Expert

Hello,

We have the API integration with Rapid7's InsightVM and are ready to set timelines on vulnerability remediation. We have 4-5 tiers for remediation timelines and I'm trying to determine if we should use SLAs or Remediation Targets. It seems like Remediation Targets are easier to set up, but we can get more granular with SLAs. Also, we already use Vulnerability Groups/Remediation Tasks to assign these to the CI Support group. This is who we'd want the notifications to go to, but I don't see this option for Remediation Targets.

Does anyone have any best practices or use cases for either SLAs or Remediation Tasks?

Thanks,

Leslie 

1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

Hi,

There is a very small use case in VR to use an SLA. You can use an SLA on Remediation Tasks that represent an extreme risk to the organization. In reality, very few organizations use SLAs for vulnerabilities. Most organizations stick to RTR. RTR are lightweight and work on the Vulnerable Item table, whereas SLAs do not (an SLA requires the target table to be derived from the Task table).

As for notifications, check out the Notification module and search for "Remediation target rule". You should craft your notification for RTR here. The Notification tab you see in the RTR is if you wish to notify the Vulnerability Response Managers. (Confusing I know...)

I would recommend rolling out VR with RTR and in the future, IF you find an edge case for SLA, THEN consider implementing an SLA.

You should find RTR to be enough.


6 REPLIES

The solution works the same for Remediation Targets, 3 years later.

An important point to consider is that SLAs usually have a human component behind them. There is an "issue" that a human is waiting to be solved. When I think of Vulnerabilities, there is not a human behind the scenes waiting for this to be addressed so they can get on with whatever they are doing before the issue comes up. The second interesting thing is that humans are desensitized to urgency if they are overrun with stuff like SLAs. SLAs create a lot of unnecessary noise unless they are reserved for very select critical events.
If you think about it, there is zero difference between an RTD and an SLA if leaders don't take action. At the scale of VR, leaders must rely on RTD by reviewing their dashboards and determining how things are going. I think that MBWA is a very, very, very important job for leaders. I see many organizations try to have SN "manage" their employees' behavior through complex workflows, SLAs, and notifications.
Reserve the SLA for mission-critical events that involve humans.
Has my guidance changed on RTDs vs. SLAs? Nope. If anything, it is now leaning more towards RTD and having leaders review their dashboards and understand what is happening on the floor of their organizations.