SLA & Compliance Tracking

Every issue gets a clock that starts the moment it's first detected and stops the moment it's marked fixed (and verified on the next scan). SLA compliance is calculated as the percentage of issues resolved inside their severity-based window. You can see adherence live by severity, by team, or by asset group, and the history is preserved so you can show trends over weeks, quarters, and audit cycles.

Defaults are Critical in 7 days, High in 30 days, Medium in 60 days, and Low in 120 days — in line with common SOC 2 and ISO 27001 expectations. Every window is customizable per workspace. Teams under stricter frameworks (PCI DSS, HIPAA) typically tighten Critical and High; teams with long change windows loosen Medium and Low. The clock always follows the configuration in effect when the issue was opened.

Breached issues are flagged in the dashboard with days-past-deadline, surfaced in a dedicated overdue queue, and excluded from your compliant count. Nothing is silently closed. Breaches stay visible until the issue is either remediated or explicitly risk-accepted with a documented reason, which is recorded in the audit log and shows up in the compliance report alongside the original SLA miss.

Yes. FortWatch sends reminders as deadlines approach — typically a warning when an issue enters the last quarter of its window, an at-risk alert a few days out, and an escalation notification the moment it goes overdue. Reminders go to the assignee, their manager, and any configured channel (email, Slack, webhook) so the right people see the clock before it becomes a breach.

Yes. FortWatch generates one-click PDF reports covering SLA adherence by severity, MTTR, open and fixed issue counts, overdue items with justifications, and a full remediation timeline. Everything is timestamped and tied to the audit log, so SOC 2, ISO 27001, and client security questionnaires can be answered with evidence rather than screenshots. CSV export is available for custom reporting.

Every window is editable per severity, per workspace. You can also set different SLAs for different asset groups — for example, tighter windows on production infrastructure than on staging — and schedule changes to take effect on a specific date so existing issues aren't retroactively breached. All changes are recorded in the audit log.

When a critical issue crosses its deadline, FortWatch automatically escalates: the assignee is notified, their workspace admin is copied, and the issue is pinned to the overdue queue. Escalation routes are configurable, so you can send overdue criticals to a security-leadership Slack channel, an on-call rotation, or a ticketing webhook. The escalation event itself is logged for auditor review.

Frameworks like SOC 2, ISO 27001, PCI DSS, and HIPAA don't just ask whether you find vulnerabilities — they ask whether you fix them on a defined timeline. An auditor's first question is usually 'what's your remediation SLA, and can you prove you meet it?' FortWatch turns that into a single report: the policy, the performance against it, and the exceptions. Without that, compliance becomes a spreadsheet exercise; with it, the evidence is already in place.