What metrics would you use to measure an AppSec program, and how do you report them to leadership?

Pick metrics that show risk reduction and flow, not vanity counts. Useful ones: MTTR (mean time to remediate by severity), escaped vulnerabilities (found in prod vs. caught pre-release), SLA compliance / aging (open criticals past SLA), coverage (% of apps scanned / threat-modeled), defect density or recurrence by vuln class, and champions/training adoption. Report to leadership in business terms: trend lines (improving or not), risk exposure, and where investment moves the needle — not raw scanner output. Pair leading indicators (coverage, training) with lagging ones (escaped vulns, MTTR). Beware gaming: counting closed tickets can incentivize closing without fixing.