Patch Management Coverage Calculator

Evaluate your organization's patch management effectiveness by calculating coverage rate, mean time to patch (MTTP), and an overall risk exposure score.

Formulas Used

1. Patch Coverage Rate (PCR):
PCR = (Patched Assets ÷ Total Assets) × 100

2. Vulnerability Remediation Rate (VRR):
VRR = (Remediated Critical Vulnerabilities ÷ Total Critical Vulnerabilities) × 100

3. Mean Time to Patch (MTTP):
MTTP = Sum of Days to Remediate Each Vulnerability ÷ Number of Remediated Vulnerabilities

4. Policy Compliance Rate (CR):
CR = ((Total Assets − Overdue Assets) ÷ Total Assets) × 100

5. Risk Exposure Score (RES):
RES = 100 − (0.40 × PCR + 0.35 × VRR + 0.25 × CR)
The composite is weighted: Coverage 40%, Vulnerability Remediation 35%, Compliance 25%. A score of 0 means no risk; 100 means maximum risk.

Assumptions & References

  • A "patched asset" is one where all applicable patches have been applied within the defined policy window.
  • MTTP is calculated as the arithmetic mean across all remediated vulnerabilities in the measurement period.
  • The Risk Exposure Score (RES) uses a weighted composite model; weights reflect industry prioritization of asset coverage and critical vulnerability remediation.
  • NIST SP 800-40 Rev. 4 recommends critical patches be applied within 30 days; high-severity within 60 days.
  • CIS Control 7 (Continuous Vulnerability Management) recommends ≥95% patch coverage as a benchmark for mature programs.
  • CISA guidance recommends tracking MTTP as a key performance indicator for vulnerability management programs.
  • A PCR ≥ 95% is considered "Excellent"; 85–94% "Good"; 70–84% "Fair"; below 70% "Poor" per common industry benchmarks.
  • Overdue assets are those that have not been patched within the organization's defined policy window (e.g., 30 days for critical patches).
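
The five formulas above, computed from raw inventory records instead of pre-counted totals, as an added example that is not part of the original calculator. The asset and vulnerability records, the placeholder IDs, and the function names are constructed for illustration; it assumes VRR and MTTP are both taken over the same list of critical vulnerabilities, and that VRR is 100 when that list is empty.

```python
from datetime import date

# Constructed sample inventory (not from the original page).
ASSETS = [  # (host, patched within policy window, overdue)
    ("web-01", True, False), ("web-02", True, False), ("app-01", True, False),
    ("app-02", False, False), ("db-01", False, True),
]
VULNS = [  # (placeholder id, detected, remediated or None if still open)
    ("VULN-A", date(2024, 3, 1), date(2024, 3, 11)),
    ("VULN-B", date(2024, 3, 5), date(2024, 4, 4)),
    ("VULN-C", date(2024, 3, 9), None),
    ("VULN-D", date(2024, 3, 12), date(2024, 4, 1)),
]

def pcr_band(pcr):
    """Rating bands from the page; fractional values fall to the lower band."""
    for floor, label in ((95, "Excellent"), (85, "Good"), (70, "Fair")):
        if pcr >= floor:
            return label
    return "Poor"

def patch_metrics(assets, vulns):
    total = len(assets)
    if total == 0:
        raise ValueError("no assets in scope: coverage is undefined")
    patched = sum(1 for _, is_patched, _ in assets if is_patched)
    overdue = sum(1 for _, _, is_overdue in assets if is_overdue)
    closed = [(fixed - found).days for _, found, fixed in vulns if fixed]
    if any(d < 0 for d in closed):
        raise ValueError("remediation date precedes detection date")
    pcr = patched / total * 100
    cr = (total - overdue) / total * 100
    # Assumption: with no critical vulnerabilities in the period, VRR is 100.
    vrr = len(closed) / len(vulns) * 100 if vulns else 100.0
    # MTTP is undefined (None) when nothing has been remediated yet.
    mttp = sum(closed) / len(closed) if closed else None
    res = 100 - (0.40 * pcr + 0.35 * vrr + 0.25 * cr)
    return {"PCR": round(pcr, 2), "VRR": round(vrr, 2), "CR": round(cr, 2),
            "MTTP": mttp, "RES": round(res, 2), "band": pcr_band(pcr)}

if __name__ == "__main__":
    for name, value in patch_metrics(ASSETS, VULNS).items():
        print(f"{name}: {value}")
```

Note that `app-02` is unpatched but still inside its policy window, so it lowers PCR without lowering CR; the two rates diverge whenever such assets exist.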
