Measuring What Matters

About this ebook

Turn a clean finding lifecycle into KPIs, SLA health, risk rankings, and signed executive reports: how PMAP measures a vulnerability program without ever moving a single finding.

A vulnerability program that cannot be measured cannot be defended, funded, or improved. Yet most teams measure with the wrong instrument: a spreadsheet assembled by hand from scanner exports, stale the moment it is saved and impossible to reconcile across tools. This ebook treats measurement as a first-class part of the platform. It shows how PMAP turns a clean finding lifecycle into KPI snapshots, severity and status distributions, finding trends, SLA health, asset, company, and project risk rankings, taxonomy metrics, and recurring summaries, all served from one read-only intelligence layer that writes nothing and stays scoped to your tenant. From there it follows those numbers up the stack into configurable dashboards, into side-by-side comparison, and finally into branded, integrity-signed, shareable reports. The thesis is simple: when the lifecycle is honest, the metrics are honest, and a program can finally prove what it is worth.

What you will learn

  • Why analytics is a read-only layer that depends on a clean lifecycle for every number to be trustworthy.
  • How the dashboard KPI snapshot, severity and status distributions, and finding trends form the daily posture check.
  • How SLA health analytics turn a deadline into a breach rate, an average days-to-close, and a per-company and per-project breakdown.
  • How the asset risk score formula combines severity, criticality, SLA breach, and exposure into one ranked number.
  • How taxonomy distribution, MTTR, and trend metrics point a program at systemic root causes instead of single findings.
  • How configurable dashboards, six comparison modes, and six report types carry the numbers to every audience.

Inside this ebook

  • Chapter 1. Measurement Is a Layer, Not a Spreadsheet. Most teams measure vulnerability work by exporting scanner results into a spreadsheet. PMAP measures it from a read-only intelligence layer that sits on top of the live lifecycle and writes nothing. The difference decides whether the numbers can be trusted.
  • Chapter 2. The Numbers That Run the Morning. Before strategy, before reporting, a program needs a daily posture check. PMAP delivers it as a single-call KPI snapshot, two distribution breakdowns, and a trend line, all scoped, all current, all one query each.
  • Chapter 3. Holding the Program to a Clock. Severity says how much a finding matters. SLA says how long it may matter before someone acts. SLA analytics turn that promise into a breach rate, an average days-to-close, and a health breakdown that names exactly who is behind.
  • Chapter 4. Ranking Risk, Not Counting It. A count of open findings tells you how much work exists. A risk ranking tells you where to start. PMAP computes one risk score per asset from severity, criticality, SLA breach, and internet exposure, then rolls it up to companies and projects.
  • Chapter 5. Measuring Causes and Teams. Counting findings tells you the symptom. Taxonomy metrics tell you the disease. Layered on top of the lifecycle’s canonical codes, taxonomy analytics turn a backlog into a map of root causes, and team metrics turn it into a map of capacity.
  • Chapter 6. Carrying the Numbers to People. Metrics that live only in an API serve no one. PMAP carries them to three audiences through configurable dashboards, six comparison modes, and six report types, each reading from the one analytics layer underneath.

Analytics writes nothing. It reads the same findings the lifecycle manages, so the dashboard and the queue can never disagree about what is open, what is breached, or what is closed.

PMAP analytics, by design

At a glance

  • Series: PMAP Ebook
  • Discipline: Security Analytics
  • Audience: CISO, VM lead, compliance officer
  • Reading time: About 45 minutes
  • Platform: PMAP by Privia Security
  • Applies to: PMAP v2026.06
