The question security leaders should be able to answer at any point: are we getting better or worse? Not compared to a theoretical baseline, not relative to a compliance standard — just compared to ourselves last week.
Most vulnerability management programs can't answer this cleanly. They can report finding counts, remediation counts, and SLA compliance percentages. But they can't answer whether the net effect of last week's activity was positive or negative in terms of actual exposure. You might have closed 40 findings while 80 new ones came in. Are you better off? It depends on which 40 you closed and what business context the new 80 carry.
Posture drift tracking is the metric that answers this. It's a week-over-week score that captures whether your remediation activity is outpacing incoming finding volume when weighted by business risk. Here's how to construct it so it's actually useful rather than a dashboard number nobody believes.
Why Finding Counts Fail as Progress Metrics
The obvious metric is "number of open findings." When it goes down, you're making progress. When it goes up, you're falling behind. Simple, but wrong in two important ways.
First, finding counts are distorted by scan coverage changes. If you add 500 new assets to your Qualys scan scope, you'll get several thousand new findings. Your count goes up dramatically. Is your security posture worse? No — you've gained visibility, not exposure. A raw finding count treats increased scanner coverage as degraded security, which is backwards.
Second, not all findings carry equal risk. Closing 40 low-severity findings on internal tooling while 5 critical findings on customer-facing infrastructure stay open is not progress — it's work that looks like progress in the count metric but doesn't actually reduce business exposure.
A posture score that weights findings by business risk — asset criticality, network reachability, exploit status — captures this distinction. Closing a critical finding on a customer-facing asset moves the score more than closing 10 low findings on dev infrastructure. The score measures risk reduction, not ticket throughput.
Building the Posture Score: The Math
The Vendrsec posture score is built from a risk-weighted exposure index (the sum of finding weights, where lower means less exposure), normalized to 0-100 and inverted so that the reported score reads higher-is-better. The computation at each weekly snapshot:
For each open finding, compute a finding risk weight:
finding_weight = cvss_base_score × asset_criticality_multiplier × reachability_factor × exploit_activity_factor
Where:
- asset_criticality_multiplier: 1.0 for internal tooling, 1.5 for business-critical internal systems, 2.5 for customer-facing, 3.0 for data-store adjacent assets
- reachability_factor: 1.0 for internal-only, 1.8 for internet-accessible
- exploit_activity_factor: 1.0 for no known exploit, 1.5 for public PoC, 2.5 for CISA KEV listed
Posture score = the sum of all finding_weights, normalized against a defined maximum (the maximum possible sum given your asset inventory, as if every finding were maximum-risk), then inverted and scaled to 0-100:
posture_score = 100 × (1 − sum(finding_weight) / max_exposure)
so score 100 = clean and score 0 = fully exposed.
The normalization against your asset inventory maximum is important. It means the score doesn't penalize you for having more assets: larger environments don't automatically score lower. The score measures the fraction of maximum possible exposure that's actually present. Two practical consequences follow. First, whatever convention defines max_exposure (in particular, how many maximum-risk findings each asset is assumed able to carry) has to stay fixed from week to week, or the week-over-week delta stops meaning anything. Second, because the denominator grows when assets are added, onboarding assets that carry little exposure can raise the score on its own; that is visibility, not remediation, and it is why asset coverage gets its own line in the drift decomposition.
Posture Drift: The Useful Derived Metric
The posture score at a single point in time is less useful than the week-over-week delta. Posture drift = this week's score minus last week's score.
Positive drift = posture improved (exposure reduced). Negative drift = posture degraded. Zero drift = remediation activity and new findings roughly balanced.
The drift metric is what makes the progress question answerable. But there's a subtlety: you should track the sources of drift separately. Each week's drift decomposes into four contributions, and a useful sanity check on the pipeline is that they sum exactly to the total drift:
- Remediation contribution: how much did the score improve from findings closed?
- New findings contribution: how much did the score degrade from new findings arriving?
- Exploit escalation contribution: how much did the score change because existing findings' exploit status changed (e.g., a CVE got added to CISA KEV)?
- Asset coverage contribution: how much did the score change from new assets added to scan scope?
This decomposition tells you where to focus. If remediation contribution is strong but exploit escalation is driving the score down, the answer is different than if new findings from infrastructure growth are outpacing remediation. Same total drift, completely different operational response.
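The score formula and the four-way drift decomposition above, implemented end to end as an added example (illustrative code written for this page, not Vendrsec's implementation). The multipliers are the ones the article defines; everything else is an assumption made here: the Asset, Finding and Snapshot structures, the constructed sample data for two consecutive weeks, and one concrete normalization convention, namely that each asset's contribution to max_exposure is a single maximum-risk finding (CVSS 10, KEV-listed, at that asset's criticality and reachability) and that an asset's exposure is clamped at that ceiling so the score stays within 0-100. The decomposition applies the four change classes in a fixed order (remediation, exploit escalation, new findings on existing assets, scope changes) and re-scores after each, so the contributions telescope and sum exactly to the total drift.

```python
# Added illustrative example (not Vendrsec's code); multipliers are the article's, the rest is assumed.
from dataclasses import dataclass, replace
from typing import Dict

# Multipliers as defined in the article.
CRITICALITY = {"internal_tooling": 1.0, "business_critical": 1.5,
               "customer_facing": 2.5, "data_store_adjacent": 3.0}
REACHABILITY = {"internal": 1.0, "internet": 1.8}
EXPLOIT = {"none": 1.0, "poc": 1.5, "kev": 2.5}
MAX_CVSS = 10.0

@dataclass(frozen=True)
class Asset:
    asset_id: str
    criticality: str   # key into CRITICALITY
    reachability: str  # key into REACHABILITY

@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset_id: str
    cvss: float            # CVSS base score, 0-10
    exploit: str = "none"  # key into EXPLOIT

@dataclass
class Snapshot:
    assets: Dict[str, Asset]
    findings: Dict[str, Finding]

def finding_weight(f: Finding, a: Asset) -> float:
    """cvss x asset_criticality x reachability x exploit_activity (the article's formula)."""
    return f.cvss * CRITICALITY[a.criticality] * REACHABILITY[a.reachability] * EXPLOIT[f.exploit]

def asset_max(a: Asset) -> float:
    """Assumed ceiling per asset: one maximum-risk finding (CVSS 10, KEV-listed)."""
    return MAX_CVSS * CRITICALITY[a.criticality] * REACHABILITY[a.reachability] * EXPLOIT["kev"]

def posture_score(snap: Snapshot) -> float:
    """0..100, higher is better: 100 * (1 - exposure / max_exposure)."""
    per_asset = {aid: 0.0 for aid in snap.assets}
    for f in snap.findings.values():
        per_asset[f.asset_id] += finding_weight(f, snap.assets[f.asset_id])
    exposure = max_exposure = 0.0
    for aid, a in snap.assets.items():
        cap = asset_max(a)
        exposure += min(per_asset[aid], cap)  # clamp so many findings cannot push the score below 0
        max_exposure += cap
    return 100.0 if max_exposure == 0 else 100.0 * (1.0 - exposure / max_exposure)

def decompose_drift(prev: Snapshot, curr: Snapshot) -> Dict[str, float]:
    """Attribute drift to the four sources by applying them in a fixed order.
    Each step re-scores an intermediate snapshot, so the deltas telescope and
    sum exactly to posture_score(curr) - posture_score(prev)."""
    state = Snapshot(dict(prev.assets), dict(prev.findings))
    score = posture_score(state)
    out: Dict[str, float] = {}
    def step(name: str) -> None:
        nonlocal score
        new_score = posture_score(state)
        out[name] = new_score - score
        score = new_score

    # 1. Remediation: findings that were open last week and are closed now.
    state.findings = {fid: f for fid, f in state.findings.items() if fid in curr.findings}
    step("remediation")
    # 2. Exploit escalation: surviving findings whose exploit status changed (e.g. KEV listing).
    state.findings = {fid: replace(f, exploit=curr.findings[fid].exploit)
                      for fid, f in state.findings.items()}
    step("exploit_escalation")
    # 3. New findings on assets that were already in scope last week.
    for fid, f in curr.findings.items():
        if fid not in state.findings and f.asset_id in state.assets:
            state.findings[fid] = f
    step("new_findings")
    # 4. Asset coverage: assets added to (or dropped from) scope, with their findings.
    state.assets, state.findings = dict(curr.assets), dict(curr.findings)
    step("asset_coverage")
    out["total"] = score - posture_score(prev)
    return out

# Constructed sample data: three assets last week, one more scoped this week.
WEEK1 = Snapshot(
    assets={"web-01": Asset("web-01", "customer_facing", "internet"),
            "db-01": Asset("db-01", "data_store_adjacent", "internal"),
            "ci-01": Asset("ci-01", "internal_tooling", "internal")},
    findings={"F1": Finding("F1", "web-01", 9.8), "F2": Finding("F2", "web-01", 7.5, "poc"),
              "F3": Finding("F3", "db-01", 8.8), "F4": Finding("F4", "ci-01", 5.3),
              "F5": Finding("F5", "ci-01", 4.3)})
WEEK2 = Snapshot(  # F2 and F5 were remediated this week
    assets={**WEEK1.assets, "api-01": Asset("api-01", "business_critical", "internet")},
    findings={"F1": Finding("F1", "web-01", 9.8, "kev"),  # escalated: landed on CISA KEV
              "F3": Finding("F3", "db-01", 8.8), "F4": Finding("F4", "ci-01", 5.3),
              "F6": Finding("F6", "db-01", 6.5),           # new finding on an existing asset
              "F7": Finding("F7", "api-01", 7.2)})         # finding on the newly scoped asset

if __name__ == "__main__":
    print(f"last week {posture_score(WEEK1):.1f}, this week {posture_score(WEEK2):.1f}")
    for name, delta in decompose_drift(WEEK1, WEEK2).items():
        print(f"{name:>18}: {delta:+.1f}")
```

Because the attribution is sequential, a different order shifts some weight between the buckets (here the remediation credit is computed before the KEV escalation is applied); pick one order and keep it, since what matters is that the buckets are comparable week to week and always sum to the total. The sample also shows the normalization caveat in action: the newly scoped asset raises the score by about 11 points even though it brought a finding with it, because it adds more to the denominator than to the numerator. That is exactly the effect the separate asset coverage bucket exists to make visible rather than let it masquerade as remediation.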
A Concrete Example
Consider a scenario: a 2-person security team managing about 2,200 assets at a B2B SaaS company. Their weekly score moved from 53 to 58 in a single week, apparently excellent progress: a 5-point improvement.
The decomposition told a different story. Remediation contribution: +16 points (they closed 22 high-risk findings). New findings: -3 points. Exploit escalation: -8 points. Net: +5 points of positive drift.
The exploit escalation hit came from three CVEs that were in their open backlog — none of which were in the CISA KEV list the previous week. They appeared in KEV on Wednesday after being actively exploited in attacks targeting their vertical. Those three findings, which had been sitting in the backlog as "scheduled for next quarter," immediately became the highest-priority items in the queue because their exploit_activity_factor jumped from 1.0 to 2.5.
Without the drift decomposition, the week looked like progress. With it, the team could see that 8 points of their exposure increase came from sitting on findings that threat actors had just started actively exploiting. The right response was immediate escalation, not the scheduled patch window.
Presenting Posture Drift to the Board
The posture drift score and its decomposition translate directly into board-level reporting without losing signal. A quarterly board summary from a posture drift tracking system:
"Over Q1 2025, our Vendrsec posture score improved from 42 to 61 — a 19-point reduction in risk-weighted exposure. Remediation activity contributed 31 points of improvement. New finding volume and exploit escalation offset that by 12 points. Our largest single-week degradation (week of February 11) was driven by three CVEs in our API gateway stack entering the CISA KEV list — all three were patched within 72 hours, ahead of our 30-day standard SLA."
That narrative is precise, honest, and contains no CVE IDs, CVSS scores, or scanner-specific terminology. It answers the three questions a board actually asks: which way is the trend going (improving), what is the current concern (identified and addressed promptly), and is the program functioning (yes, with specific evidence).
What Posture Score Doesn't Capture
We're not claiming posture score captures all security risk. It captures vulnerability management risk specifically — known CVEs on scanned assets, weighted by business context. It says nothing about:
- Configuration weaknesses not surfaced as CVEs
- Identity and access risks
- Supply chain and dependency risks outside scanner coverage
- Detection and response capability gaps
A high posture score means your known-vulnerability exposure is under control. It doesn't mean you've solved security. But for the specific domain of vulnerability prioritization and remediation, it's the metric that separates "we're working hard" from "we're making measurable progress."