FOSSA Logo
D
DevOps
Performance
Metrics
Software Delivery

DevOps Research and Assessment (DORA)

A research program that establishes metrics and benchmarks for measuring software delivery performance and organizational effectiveness in technology organizations.

What is DevOps Research and Assessment (DORA)?

DevOps Research and Assessment (DORA) is a research program that studies the capabilities and practices that drive high performance in software development and delivery. Initially established by Dr. Nicole Forsgren, Jez Humble, and Gene Kim, DORA was later acquired by Google Cloud. The program is best known for publishing the annual State of DevOps reports and establishing the DORA metrics, which have become industry standards for measuring software delivery performance.

DORA's research provides data-driven insights that help organizations benchmark their performance and identify pathways for improvement in their software development processes, with particular attention to how these processes affect organizational outcomes.

DORA Metrics

The Four Key Metrics

DORA identified four key metrics that indicate high-performing technology organizations:

  • Deployment Frequency: How often an organization successfully releases to production

    • Elite performers: Multiple deployments per day
    • Low performers: Between once per month and once every six months

  • Lead Time for Changes: The time it takes to go from code committed to code successfully running in production

    • Elite performers: Less than one hour
    • Low performers: Between one month and six months

  • Mean Time to Recovery (MTTR): How long it takes to restore service when an incident or defect occurs

    • Elite performers: Less than one hour
    • Low performers: Between one week and one month

  • Change Failure Rate: The percentage of changes that result in degraded service or require remediation

    • Elite performers: 0-15%
    • Low performers: 46-60%

The Fifth Metric (Added in 2021)

  • Reliability: A measure of how well a service meets its availability and performance requirements
    • Measured through Service Level Objectives (SLOs) and Service Level Indicators (SLIs)

Performance Categories

Based on these metrics, DORA classifies organizations into four performance categories:

  1. Elite Performers: Organizations that excel in all key metrics
  2. High Performers: Organizations with strong performance but not at elite levels
  3. Medium Performers: Organizations with average performance across metrics
  4. Low Performers: Organizations struggling with long lead times and recovery times

Technical Capabilities that Drive Performance

DORA research has identified several key technical capabilities that correlate with high performance:

Version Control

All production artifacts are stored in version control, with comprehensive history and audit trails.

Continuous Integration

Code changes are automatically built, tested, and prepared for release.

Trunk-Based Development

Short-lived branches and regular merges to trunk/main branch to minimize integration challenges.

Loosely Coupled Architecture

Systems that can be changed, tested, and deployed independently of each other.

Continuous Testing

Tests are executed automatically as part of the delivery pipeline, providing fast feedback.

Deployment Automation

Deployment processes are fully automated, reducing manual effort and risk.

Shift Left on Security

Security considerations and testing are integrated early in the software development lifecycle.

Continuous Delivery

Software is always in a releasable state through rigorous automation and testing.

Cultural Capabilities that Drive Performance

In addition to technical practices, DORA research highlights cultural and organizational factors:

Transformational Leadership

Leaders inspire and motivate teams while enabling necessary organizational change.

Psychological Safety

Team members feel safe to take risks, voice concerns, and propose ideas without fear of negative consequences.

Learning Culture

Organizations prioritize continuous learning and improvement, with blameless postmortems and regular retrospectives.

Clear Change Approval Processes

Streamlined processes that emphasize automated controls over manual approvals.

Implementing DORA in Organizations

Getting Started

  1. Measure Current Performance: Establish baselines for the four key metrics
  2. Identify Constraints: Determine what's holding back improvement
  3. Target Specific Capabilities: Focus efforts on the capabilities most likely to address constraints
  4. Iterative Improvement: Make small, incremental changes and measure their impact

Common Challenges

  • Measurement Difficulties: Establishing consistent, automated measurement of metrics
  • Cultural Resistance: Overcoming resistance to changes in work practices
  • Technical Debt: Legacy systems that impede implementation of key capabilities
  • Balancing Speed and Stability: Improving delivery speed without sacrificing reliability

DORA and Security

DORA research has increasingly focused on the relationship between DevOps practices and security outcomes:

  • Organizations implementing DevOps practices are 1.8 times more likely to have robust security integrated into the software development process
  • Elite performers are 2.2 times more likely to have proper security tooling in place
  • High-performing organizations include security professionals in their software delivery lifecycle from the beginning

The Business Impact of DORA

Organizations that excel in DORA metrics typically see significant business benefits:

  • Improved Time to Market: Faster delivery of features and fixes
  • Better Quality: Lower defect rates and improved reliability
  • Increased Innovation: More time for new features versus maintaining or fixing existing systems
  • Higher Employee Satisfaction: Reduced burnout and increased retention
  • Better Business Outcomes: Enhanced organizational performance and competitiveness

Relationship to Other Frameworks

DORA and DevSecOps

DevSecOps extends DevOps principles to include security as a shared responsibility throughout the software development lifecycle, aligning closely with DORA's findings on shifting security left.

DORA and Value Stream Management

Value Stream Management focuses on optimizing the flow of value from idea to delivery, using metrics similar to DORA's to identify bottlenecks and improvement opportunities.

DORA and SLSA

Supply chain Levels for Software Artifacts (SLSA) provides a framework for ensuring supply chain integrity, complementing DORA's focus on delivery performance with additional security considerations.

Evolving Research

DORA continues to evolve its research focus areas, recently expanding to include:

  • Platform Engineering: How internal developer platforms affect productivity and performance
  • Developer Experience: The impact of developer satisfaction on organizational performance
  • Sustainability: How DevOps practices affect environmental sustainability goals
  • AI/ML Operations: Applying DevOps principles to machine learning systems

Related Terms

Build System

Software that automates the process of converting source code into executable applications, handling compilation, linking, packaging, and other build tasks.

DevSecOps

An approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle, from initial development through production deployment and beyond.

Immutable Infrastructure

A model where infrastructure components are never modified after deployment; instead, they are completely replaced with new instances when changes are needed.

Software Supply Chain

The full lifecycle and pipeline involved in developing, building, packaging, distributing, and deploying software—including dependencies, tools, infrastructure, and people.