Overview
SLA (Service Level Agreement) Settings allow you to define time-based targets for resolving security vulnerabilities based on their severity. These settings help your team prioritize work and ensure critical issues are addressed promptly.
What is SLA by Severity?
SLA by Severity establishes deadlines for vulnerability remediation:
- Define maximum resolution times for each severity level
- Track compliance with organizational security policies
- Identify overdue vulnerabilities requiring immediate attention
- Measure team performance against security standards
Accessing SLA by Severity
1. Navigate to Settings: Click on Settings in the main navigation menu.
2. Select SLA: Choose SLA from the settings menu.
3. Configure: View and modify SLA policies for different severity levels.
Default SLA Values
Backline comes with recommended default SLA by Severity:
- Critical: 3 days - Highest priority requiring immediate action
- High: 14 days - Significant risk requiring prompt resolution
- Medium: 30 days - Moderate risk to be addressed within a month
- Low: 90 days - Lower priority issues to be resolved within a quarter
These defaults align with industry best practices but can be customized to match your organization’s security policies.
Configuring SLA Policies
Editing SLA Values
1. Review Current Settings: The SLA page displays current deadline values for each severity level.
2. Modify Values: Click on the input field for any severity level and enter a new number of days (0-999).
3. Review Changes: The interface shows which values have been modified.
4. Save: Click Save to apply your new SLA policies.
How SLAs Work
SLA Tracking
Once configured, Backline:
- Starts the SLA clock when a vulnerability is detected
- Displays time remaining or overdue status for each vulnerability
- Highlights SLA violations on the Dashboard
- Includes SLA status in the Vulnerabilities and Remediations pages
Using SLA Data
Dashboard Monitoring
The Dashboard shows:
- Total SLA violations across all severities
- Trend of violations over time
- Percentage of vulnerabilities resolved within SLA
Filtering by SLA
Use SLA filters to:
- View all overdue vulnerabilities
- Find issues approaching their deadline
- Prioritize work based on time remaining
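The tracking and reporting described above, as an added example that is not Backline's own code: it derives each finding's SLA status from its detection date and computes the percentage resolved within SLA, using the default and highly regulated day values listed on this page. The field names, the two-day "approaching" window, whole-day date arithmetic and the sample findings are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# SLA days per severity, taken from the values listed on this page.
DEFAULT_SLA = {"Critical": 3, "High": 14, "Medium": 30, "Low": 90}
HIGHLY_REGULATED = {"Critical": 1, "High": 7, "Medium": 14, "Low": 30}
APPROACHING_DAYS = 2  # assumption: "approaching" = due within 2 days (not a Backline setting)


def sla_status(finding, today, policy=DEFAULT_SLA):
    """Return (status, days_remaining); the clock starts at detection, negative means past due."""
    due = finding["detected"] + timedelta(days=policy[finding["severity"]])
    resolved = finding.get("resolved")
    if resolved is not None:
        status = "resolved_in_sla" if resolved <= due else "resolved_late"
        return status, (due - resolved).days
    remaining = (due - today).days
    if remaining < 0:
        return "overdue", remaining
    if remaining <= APPROACHING_DAYS:
        return "approaching", remaining
    return "on_track", remaining


def summarize(findings, today, policy=DEFAULT_SLA):
    """Count findings per status and the percentage of resolved findings closed within SLA."""
    counts = {}
    for finding in findings:
        status, _ = sla_status(finding, today, policy)
        counts[status] = counts.get(status, 0) + 1
    in_sla = counts.get("resolved_in_sla", 0)
    resolved = in_sla + counts.get("resolved_late", 0)
    pct = round(100.0 * in_sla / resolved, 1) if resolved else None
    return counts, pct


# Constructed sample backlog (hypothetical ids and dates, not real data).
TODAY = date(2024, 6, 15)
FINDINGS = [
    {"id": "F-1", "severity": "Critical", "detected": date(2024, 6, 10)},
    {"id": "F-2", "severity": "High", "detected": date(2024, 6, 3)},
    {"id": "F-3", "severity": "Medium", "detected": date(2024, 6, 1)},
    {"id": "F-4", "severity": "Low", "detected": date(2024, 1, 1), "resolved": date(2024, 3, 1)},
    {"id": "F-5", "severity": "Critical", "detected": date(2024, 5, 1), "resolved": date(2024, 5, 6)},
]

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_SLA), ("highly regulated", HIGHLY_REGULATED)):
        print(name, summarize(FINDINGS, TODAY, policy))
```

Running the same backlog through both policies shows how many findings would move into violation before a tighter SLA is saved.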
Considerations When Setting SLAs
Regulatory Compliance
Ensure your SLA settings meet industry regulations and compliance requirements:
- PCI DSS often requires critical vulnerabilities to be addressed within 30 days
- HIPAA and other healthcare regulations may have stricter requirements
- Financial services may need faster response times
Team Capacity
Set realistic SLAs based on your team’s capacity:
- Consider your team size and expertise
- Account for testing and deployment time
- Factor in existing workload and priorities
- Allow buffer time for complex remediations
Risk Tolerance
Align SLAs with your organization’s risk appetite:
- More risk-averse organizations may need tighter SLAs
- Consider the nature of your business and data sensitivity
- Balance security needs with operational practicality
Resource Availability
Consider practical constraints:
- Availability of development resources
- Testing and QA requirements
- Deployment windows and schedules
- Dependencies on third-party vendors
Example SLA Configurations
Highly Regulated Environment
- Critical: 1 day
- High: 7 days
- Medium: 14 days
- Low: 30 days
Standard Corporate Environment
- Critical: 3 days
- High: 14 days
- Medium: 30 days
- Low: 90 days
Startup/Aggressive Timeline
- Critical: 2 days
- High: 7 days
- Medium: 21 days
- Low: 60 days
Conservative Approach
- Critical: 7 days
- High: 30 days
- Medium: 60 days
- Low: 180 days