Safeguard
DevSecOps

Security error budgets: gating risk instead of blocking everything

Google's SRE teams have spent an error budget on reliability since 2016 — applying the same model to security turns blanket blocking into risk-weighted gating.

Safeguard Research Team
Research
7 min read

Google's Site Reliability Engineering book, published in 2016, introduced a mechanism that quietly reshaped how software teams think about tradeoffs: the error budget. Chapter three lays out the idea plainly — if a service has a 99.9% availability SLO, the remaining 0.1% is a budget the team is allowed to spend on risk, and once it's gone, feature work pauses for reliability work. A decade later, the same math almost never gets applied to security, even though security findings are gated the same way availability once was — as an all-or-nothing veto. Meanwhile the empirical case against that veto model keeps building: Forsgren, Humble, and Kim's 2018 book Accelerate, drawing on years of the State of DevOps survey data, found that elite-performing teams deploy far more frequently than low performers and have lower change-failure rates doing it — reliability and security posture were never actually in tension with velocity, the gating model was. This piece walks through why blanket-blocking gates fail the same way a zero-error-tolerance SLO would, and how a risk-weighted, budget-aware gate — using signals like EPSS and CISA's KEV catalog — reconciles the two goals instead of pretending one has to lose.

What is a security error budget, concretely?

A security error budget applies the SRE formula to risk tolerance instead of uptime: define an acceptable quantity of open, lower-severity risk over a rolling window, and treat exceeding it — not any single finding — as the trigger for slowing down. Google's SRE model never defines a "security error budget"; it's an analogy security practitioners and DevSecOps commentators have extrapolated from the reliability chapter, not a formal Google spec. The translation matters because it reframes the unit of measurement. Instead of gating on "does this PR contain a finding," a budget gates on "has this service's open, unaddressed risk crossed a threshold this month." A team might tolerate ten open medium-severity findings with active remediation tickets, but the moment an eleventh appears, or one converts to high-severity, new feature branches get an automatic policy review before merge. That's meaningfully different from a static rule that blocks on any medium finding regardless of trend — it lets teams spend risk deliberately rather than accumulate it by default.

Why does blanket blocking fail even when the policy is well-intentioned?

Blanket blocking fails because it treats every finding as equally urgent, which is provably false at the population level. CVSS alone describes theoretical severity, not the likelihood a given flaw gets exploited — which is exactly the gap FIRST.org built the Exploit Prediction Scoring System (EPSS) to close. EPSS outputs a 0–1 probability that a specific CVE will see exploitation activity in the next 30 days, using observed scanning and exploit data rather than static characteristics. In practice, only a small fraction of published CVEs ever see exploitation in the wild, while CVSS "critical" labels are common; a gate that blocks on CVSS alone spends engineering time uniformly across findings that carry wildly uneven real-world risk. CISA's Known Exploited Vulnerabilities (KEV) catalog exists for the same reason from a different angle: it's a maintained, authoritative list of CVEs with confirmed active exploitation, and it's become the standard signal for "this one can't wait." A gate that blocks only on KEV-listed or high-EPSS criticals, and warns on everything else, spends the same engineering attention far more efficiently.

How do warn, block, and auto-fix map onto a budget model?

Most CI/CD security tooling already exposes a three-tier effect model — block, warn, notify — and a budget model gives that taxonomy a reason to exist beyond severity labels. Block should be reserved for conditions with near-certain downstream cost: a KEV-listed CVE reaching production, a missing SBOM attestation of the kind Executive Order 14028 popularized (federal agencies now have discretion rather than a blanket mandate to require it, following OMB's 2026 revision), or a component falling below a required SLSA (Supply-chain Levels for Software Artifacts) provenance level. Warn covers findings that are real but not urgent enough to halt a merge — a CVSS 7+ finding with a near-zero EPSS score, or a license flag that needs review but not an emergency. Auto-fix is the tier a budget model rewards most: when Griffin AI or an equivalent remediation engine can pin a dependency to the last safe version and open a PR automatically, the finding never has to touch the human-reviewed budget at all, because it's resolved before it accrues. NIST's Secure Software Development Framework (SP 800-218) describes this same layering — controls calibrated to risk rather than uniformly applied — without using budget language itself.

What role do time-boxed exceptions play in a budget model?

Time-boxed exceptions are the mechanism that makes a budget spendable rather than just a lower bar. A pure severity-based block list gives a team exactly one lever: change the threshold. A budget model needs a second lever for the case where a legitimate business reason — a launch deadline, a vendor dependency not yet patched — justifies temporarily carrying risk that would normally block. The pattern that works, and that shows up across CI/CD security tooling generally rather than any single vendor, pairs a request-and-approve workflow with an automatic expiration: a developer requests an exception against a specific finding, an approver with the right authority grants it for a bounded window, and it expires and re-blocks automatically rather than requiring someone to remember to revoke it. Emergency "breakglass" exceptions typically require two-person approval and trigger an alert, precisely because they're the case most likely to be forgotten and left open indefinitely. Every exception, granted or expired, belongs in the audit trail — it's the receipt for how the budget was spent.

How do you know if your gates are actually calibrated?

You know a gate is calibrated by watching the trend of allow/warn/block outcomes over time, the same way an SRE team watches burn-rate on an error budget rather than staring at a single incident. A policy that fires BLOCK thousands of times a week isn't protecting anyone — it's training engineers to route around it, request exceptions reflexively, or stop reading the output at all. A policy that never fires isn't necessarily well-tuned either; it might mean the condition is too narrow to catch anything real. The useful signal is the shape of the distribution across a rolling window: block rate trending down as auto-fix absorbs more findings, warn volume stable and actually getting triaged, exception requests clustering around a small number of known, tracked gaps rather than sprawling across the codebase. Safeguard's own Guardrails documentation describes exactly this measurement loop — an Enforcement dashboard tracking allow, warn, and block trends by policy, team, and asset class, with the explicit guidance that a policy blocking thousands of times a week needs either auto-fix or refinement, not more force.

How does Safeguard support risk-based gating today?

Safeguard's Policies and Gates already implement the mechanics a budget model needs, without calling it that. Policy conditions in Safeguard support CVSS score thresholds, EPSS-based exploitability conditions, and KEV status directly, alongside license and SLSA-level checks — so a policy author can write "block only if severity is critical and the CVE is on CISA's KEV list" rather than blocking on severity alone. Gate effects map to BLOCK, WARN, and AUTO_FIX, and every blocking guardrail supports a time-boxed exception with a documented request-approve-expire workflow, including two-person breakglass approval for emergencies — all recorded in an audit trail. None of this ships under "error budget" branding; that framing is an original lens this post applies on top of real, shipped gate and exception mechanics, not a claim about product terminology. Teams that want to run the budget model described here can build it directly on Safeguard's existing policy conditions and the Enforcement dashboard's allow/warn/block trend data, rather than bolting a separate risk-tracking system on top of their CI/CD pipeline.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.