Focus on prompt remediation, risk prioritization, and coverage, with efficiency improvements as a secondary concern: Time to Remediate (TTR), Vulnerability Severity Distribution, Patch Compliance, Vulnerability Detection Rate, False Positive Rate.
Senior Manager, InfoSec and Risk Assessment Engineering at Atlas Systems
Sep 12, 2023
- Scope
- Information Gathering
- Information Analysis & Planning
- Select VA tool
- Scan
- Vulnerability Detection
- Remediation Planning
- Remediation Execution
- Result Analysis
- Reporting
- Cleanup
- Rescan the task in 90 days
- Compare the results
- No gap: successful VA scanning
Vulnerability Management (VM) is a critical cybersecurity process focused on identifying, evaluating, and mitigating vulnerabilities in IT systems. It helps organizations protect their networks and assets by proactively managing security weaknesses before they can be exploited by threats.
To measure the effectiveness of your vulnerability management program, below are some main KPIs to consider:
- Vulnerability Scan Coverage
- Vulnerability Remediation Rate
- Time to Remediation
- Critical Vulnerability Exposure
- False Positives Rate
- Asset Inventory Accuracy
- Patch Compliance Rate
- Open vs. Closed Vulnerabilities
- Vulnerability Severity Distribution
- Mean Time Between Incidents (MTBI)
- Cost per Vulnerability Remediation
- User Training and Awareness.
Try the following:
- Categorize all your assets based on function and criticality to the business.
- Tackle remediation based on the above.
- Separate application vulns from OS vulns.
- Work with asset owners (OS and application owners) - get their buy-in - they do the work, so they have to believe in it.
- Address the top risky assets.
- Measure risk and vuln counts over time for the asset groups you created.
- It goes without saying: a monthly/quarterly patching schedule to push out ongoing released patches.
- Create a process that addresses zero-days, and test it.
- Implement a process and stick to it. Vulnerability management is about having a tight process that works.
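As an added example, not code from any of the posters above, the script below computes the KPIs named in the thread (scan coverage, remediation rate, time to remediate, critical vulnerability exposure, false positive rate, patch compliance, open vs. closed, severity distribution) over a small constructed set of scanner findings, and then rolls open risk up per asset group, which is the "measure risk and vuln counts over time for the asset groups you created" step. The asset group labels, the SLA days per severity and the risk weights are assumptions chosen for the example; the asset names, dates and findings are constructed sample data.

```python
"""Vulnerability management KPIs over a constructed sample dataset (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Asset:
    name: str
    group: str     # function/criticality tier assigned by the business (assumed labels)
    scanned: bool  # did the last scan cycle actually reach this asset?


@dataclass
class Finding:
    asset: str
    severity: str                 # "critical" | "high" | "medium" | "low"
    detected: date
    remediated: Optional[date]    # None while the finding is still open
    false_positive: bool = False  # triage concluded the scanner was wrong


# Remediation SLA per severity and a weight for the per-group risk score (assumptions).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RISK_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

# Constructed inventory and findings; a fixed "as of" date keeps the numbers reproducible.
TODAY = date(2023, 9, 12)
ASSETS = [
    Asset("erp-db-01", "crown-jewel", True),
    Asset("web-portal", "crown-jewel", True),
    Asset("hr-app", "internal", True),
    Asset("dev-box-07", "internal", False),  # missed by the scan: lowers coverage
]
FINDINGS = [
    Finding("erp-db-01", "critical", date(2023, 8, 1), date(2023, 8, 4)),
    Finding("erp-db-01", "high", date(2023, 8, 10), None),       # open, past 30-day SLA
    Finding("web-portal", "critical", date(2023, 8, 20), None),  # open, past 7-day SLA
    Finding("web-portal", "medium", date(2023, 7, 1), date(2023, 7, 31)),
    Finding("web-portal", "low", date(2023, 8, 15), date(2023, 8, 16), false_positive=True),
    Finding("hr-app", "high", date(2023, 8, 5), date(2023, 8, 25)),
    Finding("hr-app", "medium", date(2023, 8, 5), None),         # open, still within SLA
]


def confirmed(findings):
    """Drop false positives: every KPI except the FP rate uses confirmed findings only."""
    return [f for f in findings if not f.false_positive]


def scan_coverage(assets):
    """Share of inventoried assets the scan actually reached."""
    return sum(a.scanned for a in assets) / len(assets)


def false_positive_rate(findings):
    """Share of raw scanner findings that triage rejected."""
    return sum(f.false_positive for f in findings) / len(findings)


def severity_distribution(findings):
    """Confirmed findings counted per severity."""
    return Counter(f.severity for f in confirmed(findings))


def open_vs_closed(findings):
    real = confirmed(findings)
    closed = sum(f.remediated is not None for f in real)
    return {"open": len(real) - closed, "closed": closed}


def remediation_rate(findings):
    counts = open_vs_closed(findings)
    return counts["closed"] / (counts["open"] + counts["closed"])


def time_to_remediate(findings, severity=None):
    """Mean days from detection to fix for closed findings, optionally for one severity."""
    days = [(f.remediated - f.detected).days for f in confirmed(findings)
            if f.remediated is not None and (severity is None or f.severity == severity)]
    return mean(days) if days else None


def critical_exposure(findings, today=TODAY):
    """How many criticals are open right now, and how long the oldest has been exposed."""
    ages = [(today - f.detected).days for f in confirmed(findings)
            if f.severity == "critical" and f.remediated is None]
    return {"open_criticals": len(ages), "oldest_days": max(ages, default=0)}


def patch_compliance(findings, today=TODAY):
    """Share of confirmed findings fixed within SLA, or still open but not yet past it."""
    real = confirmed(findings)
    within_sla = 0
    for f in real:
        end = f.remediated if f.remediated is not None else today
        if (end - f.detected).days <= SLA_DAYS[f.severity]:
            within_sla += 1
    return within_sla / len(real)


def risk_by_group(assets, findings):
    """Open-finding count and weighted risk score per asset group; trend this per scan cycle."""
    group_of = {a.name: a.group for a in assets}
    out = {}
    for f in confirmed(findings):
        if f.remediated is None:
            g = out.setdefault(group_of[f.asset], {"open": 0, "risk": 0})
            g["open"] += 1
            g["risk"] += RISK_WEIGHT[f.severity]
    return out


if __name__ == "__main__":
    print("coverage", scan_coverage(ASSETS))
    print("fp rate", round(false_positive_rate(FINDINGS), 3))
    print("severity", dict(severity_distribution(FINDINGS)))
    print("open/closed", open_vs_closed(FINDINGS), "rate", remediation_rate(FINDINGS))
    print("TTR all", time_to_remediate(FINDINGS), "critical", time_to_remediate(FINDINGS, "critical"))
    print("critical exposure", critical_exposure(FINDINGS))
    print("patch compliance", round(patch_compliance(FINDINGS), 3))
    print("risk by group", risk_by_group(ASSETS, FINDINGS))
```

Running the script once per scan cycle and keeping the `risk_by_group` and `critical_exposure` outputs gives the over-time series the second post asks for; the false-positive flag is deliberately kept out of every KPI except the FP rate so that triage noise does not inflate remediation numbers.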
Best VA scanners: Tenable, Qualys.