# Role-Based KPI Patterns for Product Security

> **Intro:** The same KPI can drive the wrong behavior if it is assigned to the wrong level. This page maps realistic KPI patterns to the way Product Security teams are usually structured.
>
> **What this page includes**
>
> * KPI focus by role
> * good and bad examples
> * cautions against vanity metrics
> * practical target ideas

## Guiding principle

Individual contributors should mostly own **execution metrics**.\
Leads and managers should mostly own **flow and control quality**.\
Directors should mostly own **risk reduction at scale** and **business trust**.

## Engineer

### Useful KPIs

* percent of assigned critical/high findings remediated within SLA
* percent of code changes that pass security checks on first try
* number of high-confidence findings caught in new code before merge (blocked by review or pre-merge checks rather than found after release)
* percent of services using approved libraries, base images, and templates

### Avoid

* raw count of findings closed, with no weighting for severity or exploitability
* volume of scanner output triaged, with no weighting for true-positive rate

## Lead

### Useful KPIs

* team-level remediation velocity
* review turnaround time for design and threat modeling
* adoption of secure defaults across the team’s services
* number of open risk exceptions older than the agreed review window

### Avoid

* “zero findings” targets that encourage suppression
* pure ticket throughput without severity weighting

## Manager

### Useful KPIs

* percent of products with defined owners and service tiers
* percent of releases with required security evidence
* percent of tier-1 apps covered by core controls
* median age of critical findings by business unit
* quality gate stability and bypass rate
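The engineer, lead, and manager KPIs above are all derivable from a findings export and an exceptions register. The following is an added example, not part of the original page, showing how to compute four of them over a constructed dataset: SLA compliance for critical/high findings (engineer), raw versus severity-weighted closure throughput (the "avoid" caveat), median age of open critical findings by business unit (manager), and exceptions older than the review window (lead). The SLA days, severity weights, review window, and all finding and exception rows are assumptions chosen for illustration; substitute your own policy and real data.

```python
"""Role-level product-security KPIs computed from a findings export.
Constructed sample data; swap FINDINGS/EXCEPTIONS for rows from your tracker."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional

# Assumed remediation policy (hypothetical values; tune to your program).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
AS_OF = date(2024, 6, 30)  # reporting date for the constructed dataset


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    business_unit: str
    owner: str
    opened: date
    closed: Optional[date]  # None means still open


@dataclass(frozen=True)
class RiskException:
    id: str
    service: str
    granted: date
    last_reviewed: Optional[date]  # None means never re-reviewed since grant


# Constructed sample findings (not real data).
FINDINGS: List[Finding] = [
    Finding("F-1", "critical", "payments", "alice", date(2024, 6, 1), date(2024, 6, 5)),
    Finding("F-2", "critical", "payments", "alice", date(2024, 5, 1), date(2024, 5, 20)),
    Finding("F-3", "high", "payments", "alice", date(2024, 6, 10), date(2024, 6, 20)),
    Finding("F-4", "critical", "retail", "bob", date(2024, 6, 15), None),
    Finding("F-5", "critical", "retail", "bob", date(2024, 6, 27), None),
    Finding("F-6", "critical", "payments", "alice", date(2024, 4, 1), None),
    Finding("F-7", "low", "retail", "bob", date(2024, 6, 1), date(2024, 6, 2)),
    Finding("F-8", "low", "retail", "bob", date(2024, 6, 1), date(2024, 6, 2)),
    Finding("F-9", "low", "retail", "bob", date(2024, 6, 1), date(2024, 6, 2)),
    Finding("F-10", "high", "retail", "bob", date(2024, 5, 1), None),
]

# Constructed sample exceptions (not real data).
EXCEPTIONS: List[RiskException] = [
    RiskException("EX-1", "checkout", date(2024, 1, 15), None),
    RiskException("EX-2", "ledger", date(2024, 3, 1), date(2024, 6, 1)),
    RiskException("EX-3", "search", date(2024, 2, 1), date(2024, 3, 1)),
]


def age_days(f: Finding, as_of: date = AS_OF) -> int:
    """Days from open to close, or to the reporting date if still open."""
    return ((f.closed or as_of) - f.opened).days


def sla_compliance_pct(findings, severities=("critical", "high"), as_of=AS_OF) -> float:
    """Engineer KPI: percent of critical/high findings remediated within SLA.
    A finding is counted once its outcome is decidable: it was closed, or it is
    still open with its SLA already elapsed (a breach in progress). Open findings
    still inside SLA are excluded, so a fresh backlog cannot skew the number."""
    decided = within = 0
    for f in findings:
        if f.severity not in severities:
            continue
        age = age_days(f, as_of)
        if f.closed is None and age <= SLA_DAYS[f.severity]:
            continue  # open and still inside SLA: not yet decidable
        decided += 1
        if f.closed is not None and age <= SLA_DAYS[f.severity]:
            within += 1
    return round(100.0 * within / decided, 1) if decided else 100.0


def closed_throughput(findings, period_start, period_end) -> Dict[str, Dict[str, int]]:
    """Per-owner raw closed count (the vanity metric) beside a severity-weighted count."""
    out: Dict[str, Dict[str, int]] = {}
    for f in findings:
        if f.closed is None or not (period_start <= f.closed <= period_end):
            continue
        o = out.setdefault(f.owner, {"raw": 0, "weighted": 0})
        o["raw"] += 1
        o["weighted"] += SEVERITY_WEIGHT[f.severity]
    return out


def median_open_critical_age_by_bu(findings, as_of=AS_OF) -> Dict[str, float]:
    """Manager KPI: median age in days of still-open critical findings per business unit."""
    ages: Dict[str, List[int]] = {}
    for f in findings:
        if f.severity == "critical" and f.closed is None:
            ages.setdefault(f.business_unit, []).append(age_days(f, as_of))
    return {bu: float(median(v)) for bu, v in ages.items()}


def stale_exceptions(exceptions, review_window_days=90, as_of=AS_OF) -> List[str]:
    """Lead KPI: exception IDs whose last review (or grant) is older than the window."""
    return [e.id for e in exceptions
            if (as_of - (e.last_reviewed or e.granted)).days > review_window_days]


if __name__ == "__main__":
    print("SLA compliance (crit/high):", sla_compliance_pct(FINDINGS))
    print("June throughput by owner:", closed_throughput(FINDINGS, date(2024, 6, 1), date(2024, 6, 30)))
    print("Median open critical age by BU:", median_open_critical_age_by_bu(FINDINGS))
    print("Stale exceptions:", stale_exceptions(EXCEPTIONS))
```

On the constructed data, `closed_throughput` shows the caveat from the "Avoid" lists directly: bob closes three low findings and outranks alice on raw count, while alice's two closures carry five times the severity weight. The SLA figure deliberately counts open-but-breached findings as failures and ignores open findings still inside SLA, which keeps the metric honest against both ticket suppression and a freshly opened backlog.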

## Architect

### Useful KPIs

* percent of reference architectures with security control patterns
* percent of new services built on paved-road modules
* percent of identity and network patterns aligned to standard blueprints
* number of repeated classes of design defects eliminated by architecture changes

## Security Champion

### Useful KPIs

* participation in threat modeling and release reviews
* local remediation follow-through in the champion’s team
* reduction in repeat misconfigurations within the team
* training or enablement activity tied to fewer repeat issues

## Director

### Useful KPIs

* risk debt trend for critical applications
* release confidence for business-critical products
* coverage of preventive controls across the portfolio
* exception governance health
* customer or audit evidence readiness
* security work that reduced friction, not only risk

## Good director KPI statements

* “Reduce median age of exploitable critical findings in tier-1 services from 30 days to 10 days.”
* “Move 85% of tier-1 repositories to centrally managed pipeline security templates.”
* “Cut secret exposure rate per 1,000 commits by half through local scanning and push protection.”
* “Attach security evidence to 95% of regulated or enterprise-facing releases.”

## Bad KPI statements

* “Close more vulnerabilities.”
* “Do more threat models.”
* “Increase awareness.”
* “Improve security culture.”

## Cross-links

* [📊 Product Security Maturity, Scale, and Business Translation](/metrics-audit-risk-evidence-and-compliance/index/product-security-maturity-metrics-and-business-translation.md)
* [📈 Product Security Director Metrics](/metrics-audit-risk-evidence-and-compliance/index/product-security-director-metrics.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.product-security.expert/metrics-audit-risk-evidence-and-compliance/index/role-based-kpis-for-product-security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
