Detection lead time
How far ahead of the advisory we flag it.
When a malicious release shows up in the public OSV advisory database, we go back and check: had PkgRadar already flagged that exact release as high-risk? If so, by how long? Positive lead time is time during which the rest of the ecosystem had no public signal, and during which a CI gate consuming PkgRadar could already have been blocking that release.
- median 15.0 hours ahead of public disclosure
- average 2.8 days of lead time
- 550 of 696 overlapping malicious releases flagged first
- over the trailing 90 days, updated live
Honest scope: this measures only the overlap — malicious releases that PkgRadar flagged and that later received a public OSV advisory. The denominator above is that overlap set, not all malware and not all packages. It says nothing about packages neither we nor OSV ever flagged. It is a measure of timing on shared ground truth, not of total coverage.
How we measure this
Two timestamps, one rolling window.
Lead time is the gap between two recorded times on the same malicious release.
- first_flagged_at — the moment PkgRadar first marked that release high-risk from static analysis.
- OSV advisory published — the publication timestamp on the matching public OSV advisory.
- Lead = advisory published − first_flagged_at. A positive value means we flagged it first.
- We count a release only when both timestamps exist — the overlap-only denominator described above.
- The figures roll over a trailing 90-day window and refresh live as new releases and advisories land.
We deliberately exclude releases that PkgRadar first analyzed only long after the advisory was already public (historical backfill). Those are not proactive catches, and counting them would flatter the number. Releases scanned in the normal flow but flagged at or after the advisory still count, with a zero or negative lead; that is the gap between 550 and 696 above. This is a security product: the denominator is stated, not buried.
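The computation described above, written out as an added example (this is illustrative code, not PkgRadar's own pipeline). It assumes each release record carries the two timestamps plus a `backfill` marker set by ingestion when the first analysis was a historical one, and it anchors the trailing 90-day window on the advisory's publication date; both are assumptions, as is the constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean, median
from typing import Dict, List, Optional

WINDOW = timedelta(days=90)


@dataclass(frozen=True)
class Release:
    name: str
    version: str
    first_flagged_at: Optional[datetime]    # PkgRadar's own high-risk flag; None if never flagged
    advisory_published: Optional[datetime]  # matching OSV advisory timestamp; None if no advisory
    backfill: bool = False                  # assumed marker: first analysis was a historical backfill


def utc(*args) -> datetime:
    """Build a timezone-aware UTC timestamp from (year, month, day[, hour[, minute]])."""
    return datetime(*args, tzinfo=timezone.utc)


def lead_times(releases: List[Release], now: datetime) -> List[timedelta]:
    """Lead = advisory published - first_flagged_at, over the overlap set in the trailing window.

    A release is counted only when both timestamps exist (shared ground truth),
    it is not a backfill, and its advisory falls inside the trailing 90 days.
    Negative values (OSV published first) are kept; they are not a reason to drop the row.
    """
    window_start = now - WINDOW
    leads = []
    for r in releases:
        if r.first_flagged_at is None or r.advisory_published is None:
            continue  # outside the overlap: nothing to compare against
        if r.backfill:
            continue  # not a proactive catch; counting it would flatter the number
        if r.advisory_published < window_start:
            continue  # rolled out of the trailing 90-day window
        leads.append(r.advisory_published - r.first_flagged_at)
    return leads


def summarize(leads: List[timedelta]) -> Dict[str, float]:
    """Headline figures: overlap size, how many we flagged first, median hours, mean days."""
    if not leads:
        return {"overlap": 0, "flagged_first": 0, "median_hours": 0.0, "mean_days": 0.0}
    hours = [lead.total_seconds() / 3600 for lead in leads]
    return {
        "overlap": len(hours),
        "flagged_first": sum(1 for h in hours if h > 0),  # strictly positive lead only
        "median_hours": median(hours),
        "mean_days": mean(hours) / 24,
    }


# Constructed sample: the "now" and every record below are made up for this example.
NOW = utc(2024, 6, 30)
SAMPLE = [
    Release("pkg-a", "1.2.3", utc(2024, 6, 10, 0), utc(2024, 6, 10, 15)),        # +15h
    Release("pkg-b", "0.4.1", utc(2024, 6, 1, 0), utc(2024, 6, 11, 0)),          # +10 days
    Release("pkg-c", "2.0.0", utc(2024, 6, 20, 6), utc(2024, 6, 20, 3)),         # -3h, OSV first
    Release("pkg-d", "3.1.0", utc(2024, 6, 15, 0), None),                        # flagged, no advisory
    Release("pkg-e", "0.0.9", None, utc(2024, 6, 15, 0)),                        # advisory, never flagged
    Release("pkg-f", "1.0.0", utc(2024, 6, 28, 0), utc(2024, 6, 5, 0), True),    # in window, but backfill
    Release("pkg-g", "5.2.1", utc(2024, 3, 1, 0), utc(2024, 3, 2, 0)),           # advisory before window
]

if __name__ == "__main__":
    leads = lead_times(SAMPLE, NOW)
    for lead in leads:
        print(f"{lead.total_seconds() / 3600:+.1f} h")
    print(summarize(leads))
```

Of the seven constructed records only three survive the filters, and the result has the same shape as the headline numbers: a median of 15 hours against a mean of 3.5 days, because one long lead pulls the mean up. When reading figures like these, the median is the one to plan around; the mean mostly measures the tail.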
Why it matters
Every hour of lead is an hour the dependency is still blockable.
Public advisories are how most CI gates learn a package is malicious. Until the advisory exists, those gates wave the package through. Each hour PkgRadar is ahead is an hour a malicious dependency could already be failing the gate in your pipeline instead of shipping — and it is independent corroboration of OSV on the releases where both fired.