Choosing Your SLO Strategy
Risk-Based and CVSS Severity-Based Options
Overview
By default, Heeler sets Service Level Objectives (SLOs) based on Heeler’s risk-based prioritization, which evaluates vulnerabilities not only on severity but also on exploitability and business impact in your actual production environment. Heeler’s runtime threat modeling engine analyzes how code runs in production to generate business-aware attack paths, focusing your teams on vulnerabilities that are actually exploitable and material to your business.
This default strategy prioritizes effort where it most effectively reduces real-world risk.
However, many organizations operate under security or compliance frameworks (such as SOC 2, ISO 27001, FedRAMP, PCI DSS, or internal security standards) that require remediation timelines tied directly to CVSS severity ratings (Critical, High, Medium, Low). The Common Vulnerability Scoring System (CVSS) is an industry standard method for scoring the technical severity of vulnerabilities on a 0–10 scale.
Two SLO Setting Options
Heeler supports two ways to define SLOs:
1. Risk-Based SLOs (Heeler Priority) — Default
What it is: Risk-based SLOs are calculated using Heeler’s analysis of exploitability and business impact, which factors in contextual signals such as how a vulnerability is reachable and its effect on critical systems.
Why choose this:
Focus remediation on vulnerabilities that pose the greatest real-world risk
Reduce noise from high-severity findings that are unlikely to be exploited
Improve engineering efficiency by prioritizing based on exploitability and business impact
Align security and development around context-aware prioritization rather than purely theoretical severity
Risk-based approaches are widely recognized as effective because they consider multiple elements beyond a raw severity number, such as exploitability, business context, and threat intelligence.

2. CVSS Severity-Based SLOs — Compliance-Driven
What it is: Instead of using Heeler’s risk-based priority, administrators can define SLOs based on CVSS severity categories — Critical, High, Medium, and Low — which map to standard CVSS score ranges (e.g., 9.0–10.0 is Critical). This aligns remediation timelines with a widely adopted industry standard.
Why choose this:
Align with industry standards: CVSS severity is familiar across security, development, and compliance teams
Meet compliance requirements: Many frameworks explicitly reference CVSS severity for SLA tracking
Reduce ambiguity: Severity buckets simplify internal policies and auditor expectations
This option is especially suitable when your organization’s policies or auditors expect remediation timelines tied directly to CVSS severity rather than risk-aware scoring.

How to Select Your SLO Strategy
Select the icon from the top navigation
Select Program
In the Service Level Objectives (SLOs) section, choose the strategy and set remediation timelines (in days):
Heeler Priority
CVSS Severity
Click Save
Once saved, SLOs will be re-calculated for all active findings.
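As an added illustration (not Heeler's own code), the following shows how a due date is derived under each strategy from the same finding, and why switching strategies and saving re-derives the dates for every active finding. The timeline values, finding fields and Heeler priority labels are constructed assumptions; the CVSS bucket boundaries are the published CVSS v3.x qualitative scale, of which the page quotes only the Critical range.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# CVSS v3.x qualitative severity scale (lower bound of each bucket).
# The page quotes only 9.0-10.0 = Critical; the rest are the standard ratings.
CVSS_BUCKETS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def cvss_severity(score: float) -> str:
    """Map a 0-10 CVSS base score to its qualitative severity bucket."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, name in CVSS_BUCKETS:
        if score >= floor:
            return name
    return "None"  # score 0.0


@dataclass
class Finding:
    finding_id: str
    cvss_score: float
    heeler_priority: str  # hypothetical field: risk-based priority label
    discovered: date


def slo_due_date(finding: Finding, strategy: str, timelines: dict) -> date:
    """Due date = discovery date + configured days for the bucket the
    chosen strategy assigns to the finding."""
    if strategy == "CVSS Severity":
        bucket = cvss_severity(finding.cvss_score)
    elif strategy == "Heeler Priority":
        bucket = finding.heeler_priority
    else:
        raise ValueError(f"unknown SLO strategy: {strategy}")
    return finding.discovered + timedelta(days=timelines[bucket])


def recalculate_slos(findings, strategy: str, timelines: dict) -> dict:
    """Re-derive every active finding's due date, as happens on Save."""
    return {f.finding_id: slo_due_date(f, strategy, timelines) for f in findings}


# Constructed sample timelines (days) and findings; not Heeler defaults.
# Assumes Heeler priority labels share names with the timeline buckets.
TIMELINES = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": 365}
SAMPLE_FINDINGS = [
    # CVSS-critical library bug that risk analysis judges unreachable in prod
    Finding("F-1", 9.8, "Low", date(2024, 1, 1)),
    # Medium CVSS score, but on an exposed, business-critical path
    Finding("F-2", 5.3, "Critical", date(2024, 1, 1)),
]
```

Running `recalculate_slos(SAMPLE_FINDINGS, ...)` with each strategy name shows the two findings swapping their due-date order, which is the trade-off the two options encode.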

Choosing Between the Two Strategies
Primary goal, and the recommended strategy for it:
Compliance with standards: CVSS Severity
Risk reduction and exploit mitigation: Heeler Risk
Align engineering and compliance teams: CVSS Severity
Focusing on real-world exploitability: Heeler Risk
In practice, many organizations start with risk-based SLOs to focus on real-world impact and switch to CVSS severity when compliance needs demand clear severity buckets and defined remediation SLAs.