Why Vulnerability MTTR Alone Misleads

MOVA: Mean Open Vulnerability Age

MTTR shows how fast work closed. MOVA shows how old the backlog still open is today.

The key paradox is simple: MTTR can rise while backlog age falls. When teams finally close older backlog, the age of closed work goes up, so MTTR can look worse even while the remaining backlog gets healthier. This repo contains the talk deck and the reproducible simulation behind it.

Two different signals

MTTR

Work that closed

How old was the work that got closed?
MOVA

Backlog still open

How old is the work still open today?

MTTR reflects flow. MOVA measures backlog age. You need both to see whether recent closures are improving the backlog that remains.

What MOVA reveals

Whether older backlog is actually being reduced
Whether recent closures are reaching the aging tail
Whether a low MTTR is masking a stranded 180+ days open tail

How to use it

Report MTTR and MOVA together, along with open count and a threshold such as 180+ days open. That gives you one view of recent closure behavior and another view of whether the oldest backlog is actually shrinking.