Learn all about it
Learn all about SLA and SLA Per Business Group
What is the purpose of the SLA in the Vulcan Platform?
The SLA feature in the Vulcan Platform lets you define the number of days for a Critical/High/Medium/Low vulnerability to be considered as "Breaching". This means that starting from the day a vulnerability is discovered, the SLA of that vulnerability starts a countdown. For example, if you define 6 days SLA for Critical severity vulnerabilities, it means that from the day a Critical vulnerability is found, the expected SLA for the fix is 6 days max. When passing the 6th day, the Vulnerability SLA changes its status to "Breaching" - Which should tell you that you have a Critical Vulnerability that hasn't been fixed for more than 6 days (and we don't want that - do we?).
To learn more about how risks are defined and risk calculation, see:
SLA per Business Group - Why do you need it?
The SLA per Business Group feature lets define different SLAs not only for severity level (High, Medium, etc.,), but also per a Business Group.
Once you define your Business Groups, you can easily assign different SLAs for the different Business Groups, or simply assign several Business Groups to the same SLA.
This capability is extremely useful in the following example cases:
Define SLAs for the different development environments. For example, a strict SLA for production environments vs. a more lenient SLA for your non-production environments.
Define SLAs for the different business units in the organization. For example, Front-End and DevOps.
Define SLA to meet the security regulation of an asset. For example, HIPAA or PCI assets vs. no-regulation required assets.
Define SLA per a Security Scanner (Connector). For example, an SLA for all the vulnerabilities identified by Acunetix 360.
In other words, you can define an SLA for any kind of division that has a defined Business Group.
UI Changes and improved capabilities - What to expect?
The new feature introduces the following two main updates:
New SLA Policy view
To access the new SLA Policy:
Go to Settings > SLA
The Global SLA Policy (default)
So if you see this view for the first time, and you wonder what happened to the previous SLA configuration, here is what happened:
Previously, you had the following SLA configuration which allowed you to set SLA in days per severity level only:
In the new SLA view, the first line is the Global SLA Policy (the same one you had). This means that your current SLA configurations haven't changed. The starting point of this feature is having all Business Groups assigned to the Default Global SLA Policy. Later on, once you create your SLA Policies, you'll get to assign business groups to your own SLA policies. A Business Group that is assigned to an SLA policy of your own is automatically removed from the Global SLA Policy.
The Global SLA Policy is a fixed policy that cannot be removed or renamed. The only thing you can change about it is the SLA days.
Note: You can always return the SLA to default by clicking the "Return to default" button.
New SLA Policy capabilities - Managing SLA Per Business Group
Assign/unassign an SLA to a Business Group
Create a New SLA Policy
To create a new SLA policy:
Go to Settings > SLA tab > Create New SLA Policy button
Fill in the required details:
SLA Policy name
Time frame in days for each severity level
Click the dropdown to assign Business Groups to the policy
Note: For the changes to take effect it can take several minutes up to several hours depending on the size of the environment. The larger the environment, the longer it takes.
Note: Each Business Group can be assigned only to ONE SLA Policy. If you see a grayed-out business group, it means that this business group is assigned to a different SLA Policy. To re-assign the Business Group, you need to unassign it first.
How it works
To explain the importance of the SLA policies order, let's take the following scenario:
Imagine you have an asset that belongs to two different Business Groups, BG Finance, and BG Marketing. BG Finance is associated with the SLA Policy "Acunetix 360", while BG Marketing is associated with the SLA policy "Production".
Now you ask, what SLA does this asset have?
It depends on the SLA Policies order.
The policy that is placed higher on the list, is the policy that determines the SLA for the associated asset. If we have vulnerabilities on an asset that belongs to two different business groups, each with a different assigned SLA policy, the policy on top of the list is the one that determines the SLA of the vulnerabilities. In this case, if the policy "Acunetix 360" is placed above "Production", the "Acunetix 360" SLA policy takes precedence over "Production".
Change the precedence/priority of an SLA
Go Settings > SLA
Change the precedence of one SLA over the by using the Up and Down arrows:
Assign an SLA Policy to a Business Group
There are two ways to assign an SLA Policy to a Business Group
This is where you can assign an SLA Policy to Business Groups in bulk.
Assign/unassign a Business Group to an SLA through the main SLA Management page
Go to Settings > SLA tab
Click the pen symbol to edit an existing SLA policy
Assign a Business Group to the SLA Policy
Assign/Unassign a Business Group to an SLA Policy through the Business Group page
Go to Assets > Business Groups & Tags
Select a Business Group
Assign/Unassign the Business Group to an SLA Policy
Edit an SLA Policy
To edit an SLA policy:
Go Settings > SLA tab
Click the respective Edit pen symbol to edit
Make your changes
Delete an SLA Policy
To delete an SLA policy:
Go Settings > SLA tab
Click the respective Trash symbol to delete
Read the confirmation message to make sure you are aware of any relevant impact
Click Delete confirm
What if I have an asset that isn't associated with a specific Business Group?
If you have vulnerabilities on an asset that isn't associated with a business group, then those vulnerabilities automatically get the default SLA policy ("Global SLA Policy").
What if I have a Business Group that isn't associated with an SLA Policy?
If you have a business group that isn't associated with a specific SLA Policy, then it automatically gets the default SLA policy ("Global SLA Policy").
How do I check the SLA Policy of an asset?
To check what SLA Policy an asset is assigned to:
Go to Assets
Click on an asset from the list
Go to the Details tab
Review the SLA Policy assigned (if available)
What happens if I insert the number 0 for an SLA?
The number 0 means there is no SLA for this level of Severity. Meaning, it turns the SLA tracking off.
Can I assign a Business Group to more than one SLA?
No. Each Business Group can be assigned only to ONE SLA Policy.
How long does it take for an SLA change to take effect?
It can take several minutes up to several hours for the SLA change to take effect on all vulnerability instances and relevant charts. We recommend you allow up to 24 hours for the change to be completely implemented.
If after 24 hours the change isn't in effect, reach out to your customer success manager or to customer support.