Curated Catalog · Value Calculator
Your Engineering Team
Software companies: typically 30–40% of headcount. Enterprises: typically 5–15%.
$
US avg loaded cost incl. salary, benefits, overhead · adjust for region and seniority mix
%
14% industry avg · GitLab / Harris Poll 2024 (n=3,266) · all security vulnerability work
Your Security Team
Industry avg: ~0.9 security FTEs per 100 employees · IANS / Artico Search CISO Survey 2024 (n=860+) · adjust for your org size and security maturity
$ / hr
US average for AppSec / security engineer; adjust for region and seniority
¹ Security team burden: FTEs × $95/hr × 2,080 hrs × 20% manual burden = annual cost · 75% of organizations report security teams spend >20% of time on manual remediation tasks · CSA / Dazz State of Security Remediation 2024 (n=2,037) · recovery at 95% = FTEs × $95 × 2,080 × 20% × 95% · team size benchmark: ~0.9 FTEs per 100 employees · IANS / Artico Search 2024 (n=860+)
² Developer drag: developers × annual loaded cost × 14% security time = annual drag · GitLab / Harris Poll Global DevSecOps Report 2024 (n=3,266) · recovery at 66.5% = 70% OSS attribution × 95% CVE reduction · 70% reflects Veracode State of Software Security 2025: 70% of critical security debt originates from third-party code
⁴ Remediation speed: 54.8 days avg MTTR for high/critical application vulnerabilities · Edgescan 2026 Vulnerability Statistics Report (11th edition, 2025 data) · note: Edgescan MTTR measured from detection to validated remediation; ActiveState SLA measured from CVE disclosure to patch delivery — starting points differ · ActiveState SLA: Critical 5 / High 10 / Low 30 business days · Backlog: 37% of enterprise vulnerabilities remain unresolved after 12 months · Edgescan 2026
Annual operational cost figures use population-level benchmarks and prospect-entered inputs. Breach context figures are per-incident references, not annualized costs. Not a substitute for a full risk assessment.
I am a
Your Current Annual Cost
What unmanaged OSS risk costs your organization today.
Developer security vulnerability drag
14% of annual loaded developer cost spent on security vulnerability work
Security team manual remediation burden
75% of security teams spend >20% of time on manual alert & remediation tasks
Total estimated annual operational cost
Value Recovered
Security team analyst capacity returned
FTEs × rate × 2,080 hrs × 20% manual burden × 95% CVE reduction
OSS vulnerability work across engineering org
developers × annual cost × 14% security time × 70% OSS attribution × 95% CVE reduction
Remediation Exposure Window · Critical CVEs
134 days
avg MTTR for CVEs most likely to be exploited (EPSS >70%)
Edgescan 2026
5 days
ActiveState SLA for Critical CVEs
ActiveState Curated Catalog
95%
of OSS CVEs eliminated before they reach your team
vs. same packages from public registry
Ready to reduce your exploitable attack surface by 95%?
Talk to us →