Skip to Content
logo

Docs

  • Home
  • Quick start
      • Glossary
      • CVSSF metric
      • Tutorial videos
      • Platform demo
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • Plans and free trial
      • What is SAST?
      • What is DAST?
      • Billing
      • Main website
      • What is SCA?
    • FAQ
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Use the platform
        • Sign-up and login
        • Interface and sections
        • Groups section
        • Group configuration
        • Create and delete groups
        • Create another organization
        • Portfolios
        • ToE and SBOM
        • Register payment method
        • Members
        • Understand roles
        • Group authors
        • Organization authors
        • Repositories
        • Import them with OAuth
        • Repositories out of scope
        • Credentials
        • Environments
        • Resolve events
        • Vulnerabilities section
        • Examine evidence
        • Supply chain analysis
        • Reachability analysis
        • Vulnerability signature
        • CVSS score adjustment
        • Correlate threat models
        • Assign treatments
        • Assigned to you
        • Verify with reattacks
        • False positive requests
      • Help options
        • AI Agent
        • Live chat
        • Email
        • Comments
        • Talk to a Pentester
        • Tutorial videos or demo
        • Vulnerability reporting
        • Standard compliance
        • ZTNA logs
        • Recent downloads
        • Common analytics
        • Organization analytics
        • Group analytics
        • Portfolio analytics
        • Chart options
        • CI Gate configuration
        • CI Gate executions
        • Security gates
        • Vulnerability acceptance
        • Prioritization attributes
        • Explore the user menu
        • Enable and disable notifications
        • Subscribe to News
        • Leave a group
        • Fluid Attacks' scanners
        • OWASP Benchmark results
        • Your feedback
      • Use the scanners
        • Local run
        • CI/CD integration
        • Understanding outputs
        • Findings exclusion
      • Use a configuration file
        • SAST scanner
        • SCA scanner
        • DAST scanner
        • APK scanner
      • Automatic remediation
      • Custom remediation guides
    • Fix SCA vulnerabilities
      • Javascript
      • Python
      • Kotlin
      • Introduction to Sorts
      • Sorts user guide
      • Connection mechanisms
      • Cloud connection
      • Egress connection
      • Connector connection
      • Types of authentication
      • AWS CodeCommit
    • Service-level agreement
      • Availability SLA
      • Response SLA
      • Accuracy SLA
      • False negatives
      • False positives
      • Scope
    • Support information
      • Changelog
        • 2023
        • 2024
        • 2025
        • 2026
      • Roadmap
      • AI functions
      • Attack surfaces
      • Binaries
      • Browsers
      • CI/CD
      • CVEs for reachability
      • Evidence formats
      • Frameworks
      • IDE functionalities
      • Languages
      • Languages for fixes
      • Package managers
      • Remediation
      • SCM systems
      • Secrets
      • Standards
      • Ticketing systems
      • Documentation sections
  • Integrations
      • Bug-tracking systems
      • Tools and integrations
      • Install
      • Setup
      • Issue creation
      • Automatic issue creation
      • Link vulnerabilities
      • Vulnerability details
      • Request reattacks
      • Help options
    • Azure DevOps
    • GitLab
    • VS Code
      • Functions
      • Troubleshooting
      • Install the IntelliJ IDEA plugin
      • Identify and fix vulnerabilities from IntelliJ
      • Install the Cursor extension
      • Identify and address vulnerabilities from Cursor
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
    • Peer Reviewer Assistant
      • For GitLab
      • For Azure DevOps
      • Troubleshooting
      • File exclusion
    • API
      • Learn the basics
    • Webhooks
  • Stack
      • Bash
      • Python
      • Rust
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • D3
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
    • Pentesting tools
  • Compliance
    • Authentication
      • Clients
      • Password policies
      • Staff
    • Authorization
      • Access revocation
      • Clients
      • Employee termination
      • Endpoints
      • Secret rotation
      • Sessions
      • Staff
    • Availability
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
    • Confidentiality
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
    • Integrity
      • Applicant evaluation
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Monitoring
      • Production data isolation
      • Secure emails
      • SLSA compliance
      • Standard timezone
      • Static website
      • Training plan
    • Non-repudiation
      • Everything as code
      • Extensive logs
    • Privacy
      • Data privacy policy
      • Data retention policy
      • Data use policy
      • Email obfuscation
      • Time tracking
      • Manual for the NDR
      • Subprocessor OpenAI
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Data transmission
      • Unsubscribe email
      • Use of cookies
    • Resilience
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
    • Transparency
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua Security
    • Armorcode
    • Armosec
    • Arnica
    • Astra
    • Backslash
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyscope
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security (GHAS)
    • Ghost Security
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Mobb
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Opengrep
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • RunZero
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype Lifecycle
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • Theori
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • YesWeHack
    • ZAP
    • ZeroPath
  • Log in to the platform 
  • Home
  • Quick start
      • Glossary
      • CVSSF metric
      • Tutorial videos
      • Platform demo
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • Plans and free trial
      • What is SAST?
      • What is DAST?
      • Billing
      • Main website
      • What is SCA?
    • FAQ
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Use the platform
        • Sign-up and login
        • Interface and sections
        • Groups section
        • Group configuration
        • Create and delete groups
        • Create another organization
        • Portfolios
        • ToE and SBOM
        • Register payment method
        • Members
        • Understand roles
        • Group authors
        • Organization authors
        • Repositories
        • Import them with OAuth
        • Repositories out of scope
        • Credentials
        • Environments
        • Resolve events
        • Vulnerabilities section
        • Examine evidence
        • Supply chain analysis
        • Reachability analysis
        • Vulnerability signature
        • CVSS score adjustment
        • Correlate threat models
        • Assign treatments
        • Assigned to you
        • Verify with reattacks
        • False positive requests
      • Help options
        • AI Agent
        • Live chat
        • Email
        • Comments
        • Talk to a Pentester
        • Tutorial videos or demo
        • Vulnerability reporting
        • Standard compliance
        • ZTNA logs
        • Recent downloads
        • Common analytics
        • Organization analytics
        • Group analytics
        • Portfolio analytics
        • Chart options
        • CI Gate configuration
        • CI Gate executions
        • Security gates
        • Vulnerability acceptance
        • Prioritization attributes
        • Explore the user menu
        • Enable and disable notifications
        • Subscribe to News
        • Leave a group
        • Fluid Attacks' scanners
        • OWASP Benchmark results
        • Your feedback
      • Use the scanners
        • Local run
        • CI/CD integration
        • Understanding outputs
        • Findings exclusion
      • Use a configuration file
        • SAST scanner
        • SCA scanner
        • DAST scanner
        • APK scanner
      • Automatic remediation
      • Custom remediation guides
    • Fix SCA vulnerabilities
      • Javascript
      • Python
      • Kotlin
      • Introduction to Sorts
      • Sorts user guide
      • Connection mechanisms
      • Cloud connection
      • Egress connection
      • Connector connection
      • Types of authentication
      • AWS CodeCommit
    • Service-level agreement
      • Availability SLA
      • Response SLA
      • Accuracy SLA
      • False negatives
      • False positives
      • Scope
    • Support information
      • Changelog
        • 2023
        • 2024
        • 2025
        • 2026
      • Roadmap
      • AI functions
      • Attack surfaces
      • Binaries
      • Browsers
      • CI/CD
      • CVEs for reachability
      • Evidence formats
      • Frameworks
      • IDE functionalities
      • Languages
      • Languages for fixes
      • Package managers
      • Remediation
      • SCM systems
      • Secrets
      • Standards
      • Ticketing systems
      • Documentation sections
  • Integrations
      • Bug-tracking systems
      • Tools and integrations
      • Install
      • Setup
      • Issue creation
      • Automatic issue creation
      • Link vulnerabilities
      • Vulnerability details
      • Request reattacks
      • Help options
    • Azure DevOps
    • GitLab
    • VS Code
      • Functions
      • Troubleshooting
      • Install the IntelliJ IDEA plugin
      • Identify and fix vulnerabilities from IntelliJ
      • Install the Cursor extension
      • Identify and address vulnerabilities from Cursor
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
    • Peer Reviewer Assistant
      • For GitLab
      • For Azure DevOps
      • Troubleshooting
      • File exclusion
    • API
      • Learn the basics
    • Webhooks
  • Stack
      • Bash
      • Python
      • Rust
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • D3
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
    • Pentesting tools
  • Compliance
    • Authentication
      • Clients
      • Password policies
      • Staff
    • Authorization
      • Access revocation
      • Clients
      • Employee termination
      • Endpoints
      • Secret rotation
      • Sessions
      • Staff
    • Availability
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
    • Confidentiality
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
    • Integrity
      • Applicant evaluation
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Monitoring
      • Production data isolation
      • Secure emails
      • SLSA compliance
      • Standard timezone
      • Static website
      • Training plan
    • Non-repudiation
      • Everything as code
      • Extensive logs
    • Privacy
      • Data privacy policy
      • Data retention policy
      • Data use policy
      • Email obfuscation
      • Time tracking
      • Manual for the NDR
      • Subprocessor OpenAI
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Data transmission
      • Unsubscribe email
      • Use of cookies
    • Resilience
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
    • Transparency
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua Security
    • Armorcode
    • Armosec
    • Arnica
    • Astra
    • Backslash
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyscope
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security (GHAS)
    • Ghost Security
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Mobb
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Opengrep
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • RunZero
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype Lifecycle
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • Theori
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • YesWeHack
    • ZAP
    • ZeroPath
  • Log in to the platform 

On This Page

  • Description
  • Criteria
  • Details
  • Indicator calculation
Find and fixService-level agreementResponse SLA

Response SLA

Last updated: Mar 16, 2026

Description

At least 90% of reattack  requests, comments , events and incidents will receive a first response within a median time of less than 16 office hours.

Criteria

The following conditions must be met for this service-level agreement (SLA) indicator to apply:

  • Your group must have the Advanced plan .
  • Both the source code and its related environment  must be accessible.
  • Remote access without human intervention must be enabled (e.g., no CAPTCHA, OTP).
  • Over 500 reattacks, comments, or incidents have been requested, posted, or reported, respectively.

Details

In addition to the general measurement aspects , the following is taken into account to measure this SLA indicator:

  • Percentages are determined using percentiles.
  • Office hours correspond to twelve-hour business days, specifically 7 a.m. to 7 p.m. UTC-5.
  • Only reattacks on vulnerabilities reported as closed are included.

Indicator calculation

Response is calculated as follows:

  1. For each individual vulnerability, compute the response time for the last reattack that resulted in the vulnerability being effectively closed (i.e., the vulnerability status changed from Vulnerable to Safe). If the vulnerability was closed without a previous reattack request, consider this a reattack with a response time of 0. Vulnerabilities with the following closing reasons must be excluded from the calculation: Root moved to another group, root or environment deactivated, and exclusion.
  2. Compute the response times for incidents reported to help@fluidattacks.com.
  3. Compute the response time for each comment on a vulnerability .
  4. Compute the response time for each comment on an event.
  5. Calculate the response time for each verification request on an event:
    • Time is measured from the moment the verification is requested to the moment it is responded to (either verified as solved or unsolved).
    • If the closure was proactive by Fluid Attacks (i.e., no verification request was made), assign a response time of 0.
  6. Merge the response times calculated in steps 1, 2, 3, 4, and 5 into a single dataset.
  7. Exclude the top decile (top 10%) of response times and compute the median for the remaining values.

Search for vulnerabilities in your apps for free with Fluid Attacks’ automated security testing! Start your 21-day free trial  and discover the benefits of the Continuous Hacking  Essential plan . If you prefer the Advanced plan, which includes the expertise of Fluid Attacks’ hacking team, fill out this contact form .

Availability SLAAccuracy SLA
Fluid Attacks 2026. All rights reserved.