Pillar deep dive

SLA Tracking for SOC 2 Vulnerability Closure: The 7/30/90 Day Standard

The industry-standard 7/30/90 day SLA model for vulnerability remediation. Implementation, exception handling, and audit-defensible evidence.

By Hemant Attri, Founder, Attri Edge Updated July 11, 2026 2 min read

Auditors expect specific SLAs for vulnerability closure. Implementing the 7/30/90 day standard correctly is more than writing it in a policy — it’s a tracked, exception-handled, evidenced operation. Here’s how we run it.

Origin of the 7/30/90 standard

The model — Critical within 7 days, High within 30, Medium within 90 — became the de facto baseline because it maps cleanly to severity and gives engineering realistic windows. It’s the standard auditors recognize and buyers expect.

Critical / High / Medium / Low classification

Classify by exploitability and impact, typically anchored to CVSS plus context (is it internet-facing? does it touch customer data?). Critical: active or trivial exploit on exposed, sensitive systems. Low: theoretical or internal-only. Context can raise or lower the raw CVSS rating — document the rationale.

SLA tracking architecture

The SLA clock lives in the ticket. On creation, set a due date by priority; surface breaches on a dashboard; escalate automatically as the deadline approaches. The end-to-end workflow this plugs into is in the vulnerability remediation pillar.

Exception handling

Some findings can’t be fixed in window — a vendor patch isn’t available, or a fix needs a major release. Handle these with a documented exception: compensating control, risk acceptance signed by an owner, and a revised date. This is the difference between a defensible miss and an audit finding.

Reporting and board updates

Report monthly: findings by severity, closure rate within SLA, open exceptions, and trend. Boards want the narrative — are we improving, where’s the risk concentrated — not just the raw numbers, which ties into the board-reporting gap in the compliance automation gap.

Auditor evidence expectations

For sampled findings, produce detection time, owner, fix, rescan, and closure date — proving the SLA was met or the exception was handled. The connected tooling that produces this automatically is in the Tenable + Jira + Vanta workflow.

Where Attri Edge fits

Running the SLA cadence — classification, tracking, exceptions, monthly reporting — is part of the Active Retainer. The diagnostic shows whether your current process would survive an auditor’s sampling.

Related reading:

Frequently asked questions

Is 7/30/90 universal or industry-specific?
It's the common baseline (Critical 7 / High 30 / Medium 90 days), but regulated and high-risk environments tighten it. Pick a standard, justify it in policy, and meet it consistently — auditors care more about adherence than the exact numbers.
What if we can't fix a critical in 7 days?
Log a documented exception with a compensating control, a risk acceptance signed by an appropriate owner, and a revised target date. A documented, owned exception is acceptable; a silently blown SLA is an audit finding.
How do auditors verify SLA compliance?
They sample findings across the period and check detection-to-closure time against your stated SLA, plus the exception records for misses. They're testing whether the control operated, not whether the policy exists.
What tools track SLAs natively?
Ticketing systems (Jira, Linear) with due-date automation by priority, surfaced in a dashboard. GRC platforms show findings but rarely enforce SLAs; the SLA clock usually lives in the ticketing layer.