Turn findings, assets, and SLA timers into one read-only intelligence layer of KPIs, trends, and risk rankings, with every aggregate scope-enforced and nothing written back.
The Analytics domain is PMAP's read-only intelligence layer. It aggregates findings, assets, SLA timers, taxonomy codes, and team activity into the KPI counts, trend series, and risk rankings that power every dashboard widget and management report. It reads everything and writes nothing, so a report can never corrupt the data it summarizes.
Posture metrics live in many tables: findings carry severity, status, and SLA state, assets carry criticality and exposure, and projects, companies, and teams carry the structure those numbers roll up through. Without one read layer, every dashboard reinvents its own aggregation and the numbers stop agreeing.

The hard problem at enterprise scale is not counting findings. It is producing one trustworthy posture view across many tenants without letting a query forget its scope or a report mutate the source.
At a glance
- Analytics role: Read-only intelligence layer; aggregates findings, assets, SLA timers, taxonomy, team activity
- Multi-tenancy: ScopeFilter from auth context on every list and aggregate path; company and project filters are additive
- Risk score: Severity weights times criticality factor, raised when SLA breached or asset is external
- SLA analytics: Breach and compliant counts, breach rate, per-severity avg days to close, optional trend and health breakdowns
- SLA config: Per-severity hour limits at project, company, and global scope; null inherits from the next level up
- Escalation: Up to three escalation contacts per config, each a user plus a days-after-breach trigger
- Recurring summary: Recurring, chronic, and breached rollup served from a materialized view at sub-millisecond latency
How it works
One read-only intelligence layer over findings, assets, SLA timers, and taxonomy, scoped on every aggregate and persisting nothing, so KPIs, trends, and risk rankings stay consistent and a report can never mutate its source.
Every analytics endpoint is a synchronous read query. A request resolves its tenant scope, layers optional company and project filters on top, runs the aggregate, and returns a typed response shape. The performance-sensitive recurring rollup is served from a pre-computed materialized view rather than scanned live.
SLA breach numbers are only as good as the deadlines behind them. The SLA Config domain owns those deadlines as a severity-to-hours mapping, layered project over company over global default. Saving a config recalculates every open deadline in scope, and the analytics layer then measures breaches against the result.
Key capabilities
- Per-scope thresholds, partial overrides. A config sets hour limits per severity at company or project scope. Any severity left null means inherit from the next level up, so an admin can override only urgent and critical and let the rest cascade. A project override outranks the company override.
- Upsert with auto-recalculation. A PUT creates or updates the config in one idempotent call, then immediately recomputes sla_deadline for every open finding in scope. The recalculated count returns in the X-Recalculated-Count header, so the response body stays identical to a plain read.
- Three-level escalation routing. Each config can name up to three escalation contacts, each a user plus a days-after-breach trigger, building a tiered escalation chain at company or project granularity. When a recomputed deadline moves into the future, sla_notified resets so the notification pipeline re-fires.
- Read-only analytics over the result. The analytics layer never sets a deadline. It reads SLA state and reports ClosedWithinSLA, ClosedBreached, breach rate, and average days to close by severity, with optional breach trend and per-company or per-project health breakdowns activated by query param to avoid over-fetching.
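
The inheritance and recalculation rules above, sketched as an added example (this is not PMAP's own code). The severity names other than urgent and critical, the `status` and `opened_at` fields, measuring the deadline from `opened_at`, and all sample values are assumptions; `sla_deadline` and `sla_notified` are the names the page uses.

```python
from datetime import datetime, timedelta, timezone

SEVERITIES = ("urgent", "critical", "high", "medium", "low")  # assumed names

def effective_hours(project_cfg, company_cfg, global_cfg):
    """Project outranks company, company outranks global; None means inherit."""
    resolved = {}
    for sev in SEVERITIES:
        for level in (project_cfg, company_cfg, global_cfg):
            hours = (level or {}).get(sev)
            if hours is not None:
                resolved[sev] = hours
                break
        else:  # no level set a limit: refuse to invent a deadline
            raise ValueError(f"no SLA limit for {sev!r} at any level")
    return resolved

def recalculate(findings, hours, now):
    """Recompute sla_deadline for every open finding; return the affected count."""
    count = 0
    for f in findings:
        if f["status"] != "open":
            continue  # closed findings keep their historical deadline
        f["sla_deadline"] = f["opened_at"] + timedelta(hours=hours[f["severity"]])
        if f["sla_deadline"] > now:
            f["sla_notified"] = False  # deadline back in the future: re-arm notification
        count += 1
    return count

# Constructed sample data (not from PMAP).
NOW = datetime(2024, 1, 3, 12, 0, tzinfo=timezone.utc)
GLOBAL = {"urgent": 8, "critical": 24, "high": 72, "medium": 168, "low": 720}
COMPANY = {"urgent": 24, "critical": 48, "high": None, "medium": None, "low": None}
PROJECT = {"critical": 36}  # partial override: only critical is set at project scope
FINDINGS = [
    {"id": 1, "severity": "urgent", "status": "open", "sla_notified": True,
     "opened_at": datetime(2024, 1, 3, 0, 0, tzinfo=timezone.utc)},
    {"id": 2, "severity": "critical", "status": "open", "sla_notified": True,
     "opened_at": datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)},
    {"id": 3, "severity": "high", "status": "closed", "sla_notified": True,
     "opened_at": datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    hours = effective_hours(PROJECT, COMPANY, GLOBAL)
    print(hours, recalculate(FINDINGS, hours, NOW))
```

The returned count is the value a service following this design would place in the X-Recalculated-Count header.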
Use cases
- Brief the board on posture. An executive opens the dashboard and reads a single-call snapshot: total assets, open, urgent, and critical findings, SLA breaches, and active projects, with severity and status distributions beside it. Every figure is scoped to the tenants they govern and identical to the console.
- Rank assets by real risk. A security manager pulls the asset risk ranking, where each score combines severity weights with the asset criticality factor and is raised when the asset is SLA-breached or externally exposed, then works the top-20 shortlist first because that is where exposure concentrates.
- Tailor SLA to a contract. A company manager sets urgent to 24 hours and critical to 48 in the company SLA config and leaves the rest null to inherit. The PUT upserts and recalculates every open deadline in scope, returning the affected count in the X-Recalculated-Count header.
One read-only intelligence layer, scope-enforced on every aggregate.


