
Understanding Your Risk Score

The Risk Score is a dynamic, 0-10 rating that quantifies your organization's security posture. You can view your current score at any time directly on the main dashboard of the Ethiack Portal.

Unlike static reports that only change when you run a new scan, our engine recalculates your score periodically (typically hourly). This ensures that time-sensitive factors (such as a vulnerability crossing its SLA deadline or a penetration test becoming stale) are reflected in near real-time.

The score considers not only what the vulnerability is (its CVSS severity), but also where it lives (the asset tier), how likely it is to be exploited (EPSS and CISA KEV), and how long it has been left open.

The scale

The score is normalized on a simple scale of 0 to 10, where 0 represents the ideal target state and 10 represents critical exposure.

  • 0: Lowest possible risk (Ideal state)
  • 10: Highest possible risk (Immediate action required)

The goal is to keep your score as close to 0 as possible by managing vulnerabilities and maintaining asset coverage.

How It Is Calculated

Our algorithm processes your data in four distinct stages.

1. The Vulnerability Score (Per Finding)

Every single finding is evaluated individually based on four key factors:

  • Severity (CVSS): The intrinsic technical severity of the bug.
  • Asset Context: We apply a multiplier based on the asset_tier where the finding exists.
    • High Tier: 2.0x Multiplier (Risk is doubled)
    • Medium Tier: 1.5x Multiplier
    • Low Tier: 0.5x Multiplier (Risk is halved)
  • Threat Intelligence (Likelihood): We use real-world threat data to increase the score if a vulnerability is actively weaponized.
    • KEV (Known Exploited Vulnerabilities): If a bug is in the CISA KEV catalog, it receives maximum priority.
    • EPSS (Exploit Prediction Scoring System): A high probability of exploitation increases the score.
  • SLA & Aging: Old vulnerabilities hurt your score more than new ones. If a finding remains open past its SLA (Service Level Agreement), a "Time Penalty" applies. This penalty grows daily, up to a cap of 3x.

Note: Findings in the CISA KEV list have a strict 1-day SLA override. They must be remediated immediately, or they will rapidly degrade your score.

2. Aggregation: "The Burning Fire"

Once every finding has a point value, we combine them using a "Burning Fire + Noise" approach:

  • The Burning Fire: The single most dangerous finding contributes its full point value.
  • The Noise: All other findings are aggregated mathematically (using an L2 Norm) to represent "background noise."

This ensures a single Critical vulnerability on a High-value asset instantly spikes your score, while preventing thousands of "Low" vulnerabilities from artificially inflating your risk to Critical.


3. Global Multipliers

We apply multipliers to your aggregated score based on your security governance:

  • Pentest Staleness: If you haven't performed an on-demand penetration test in our platform in over 90 days, your score is penalized (up to +20%).
  • Asset Coverage Gap: If we are only scanning 80% of your assets, we multiply the risk of the findings we do see, assuming similar risks exist in the shadows.

4. The "Unknown Risk" Baseline

Finally, we add "Baseline Points." Even if you have zero findings, you cannot achieve a perfect score if you have significant blind spots.

  • Unscanned Assets: Points are added for every percentage of infrastructure not covered by scanning.
  • No Pentest: Points are added if no In-Depth testing has been performed.

Remediation SLAs

To keep your score healthy, you must remediate findings within these timeframes (in days):

Rows are the asset tier; columns are the finding's CVSS severity.

Asset Tier    Critical    High    Medium    Low
High          7           14      30        60
Medium        14          30      60        90
Low           30          60      90        120

Note: Any finding listed in CISA KEV has an override SLA of 1 Day.
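The following is an added worked example, not Ethiack's code, that strings the four calculation stages and the SLA table above into one runnable model. It uses the numbers the page states as-is (tier multipliers, the 3x aging cap, the 90-day staleness threshold and +20% ceiling, the SLA table, the 1-day KEV override). Everything else is an assumption chosen to keep the example self-contained: the EPSS weighting, the daily growth rate of the time penalty, the damping applied to the L2-norm "noise", the coverage and baseline formulas, and the saturating curve that maps raw points onto the 0-10 scale. The sample findings are constructed, not real data.

```python
"""Illustrative model of the Risk Score pipeline (added example, not Ethiack's code).
Page-stated values: tier multipliers, 3x aging cap, 90-day/+20% staleness,
SLA table, 1-day KEV override. All other constants and formulas (EPSS weight,
daily penalty growth, noise weight, coverage/baseline, 0-10 normalisation) are
assumptions."""
from dataclasses import dataclass
from math import sqrt
from typing import Optional

TIER_MULTIPLIER = {"high": 2.0, "medium": 1.5, "low": 0.5}  # stated on the page

# Remediation SLA in days: asset tier -> CVSS severity band (from the page's table).
SLA_DAYS = {
    "high":   {"critical": 7,  "high": 14, "medium": 30, "low": 60},
    "medium": {"critical": 14, "high": 30, "medium": 60, "low": 90},
    "low":    {"critical": 30, "high": 60, "medium": 90, "low": 120},
}
KEV_SLA_DAYS = 1            # CISA KEV override, stated on the page
TIME_PENALTY_CAP = 3.0      # stated on the page
TIME_PENALTY_PER_DAY = 0.1  # assumption: +10% of a finding's points per day past SLA
NOISE_WEIGHT = 0.25         # assumption: damping applied to the L2 norm of the "noise"
STALENESS_MAX = 0.2         # +20% ceiling, stated on the page
SCALE = 10.0                # assumption: raw points at which the 0-10 score reaches 5.0

@dataclass
class Finding:
    cvss: float
    asset_tier: str          # "high", "medium" or "low"
    days_open: int
    epss: float = 0.0        # exploit probability in [0, 1]
    in_kev: bool = False

def severity_band(cvss: float) -> str:
    """Map a CVSS base score to its qualitative band (CVSS v3.x ranges)."""
    for floor, band in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if cvss >= floor:
            return band
    return "low"

def sla_days(f: Finding) -> int:
    """SLA from the table; the KEV override takes precedence."""
    return KEV_SLA_DAYS if f.in_kev else SLA_DAYS[f.asset_tier][severity_band(f.cvss)]

def time_penalty(f: Finding) -> float:
    """1.0 while inside SLA, then grows daily up to the 3x cap."""
    overdue_days = max(0, f.days_open - sla_days(f))
    return min(TIME_PENALTY_CAP, 1.0 + TIME_PENALTY_PER_DAY * overdue_days)

def threat_factor(f: Finding) -> float:
    """Assumption: KEV gets the maximum factor (2.0); otherwise 1.0 + EPSS."""
    return 2.0 if f.in_kev else 1.0 + f.epss

def finding_points(f: Finding) -> float:
    """Stage 1: severity x asset context x likelihood x aging."""
    return f.cvss * TIER_MULTIPLIER[f.asset_tier] * threat_factor(f) * time_penalty(f)

def aggregate(points: list) -> float:
    """Stage 2: the worst finding counts fully; the rest enter as a damped L2 norm."""
    if not points:
        return 0.0
    ordered = sorted(points, reverse=True)
    fire, noise = ordered[0], ordered[1:]
    return fire + NOISE_WEIGHT * sqrt(sum(p * p for p in noise))

def staleness_multiplier(days_since_pentest: Optional[int]) -> float:
    """Stage 3a: no penalty up to 90 days; assumption: linear ramp to +20% by day 180."""
    if days_since_pentest is None:
        return 1.0 + STALENESS_MAX
    return 1.0 + min(STALENESS_MAX, STALENESS_MAX * max(0, days_since_pentest - 90) / 90)

def coverage_multiplier(coverage: float) -> float:
    """Stage 3b, assumption: scale observed risk by the unseen share (80% -> 1.25x)."""
    return 1.0 / coverage

def baseline_points(coverage: float, days_since_pentest: Optional[int]) -> float:
    """Stage 4, assumption: 0.05 points per uncovered percent, plus 1.0 if never pentested."""
    points = 0.05 * (1.0 - coverage) * 100
    return points + (1.0 if days_since_pentest is None else 0.0)

def risk_score(findings: list, coverage: float, days_since_pentest: Optional[int]) -> float:
    """Full pipeline, normalised to 0-10 with a saturating curve (assumption)."""
    raw = aggregate([finding_points(f) for f in findings])
    raw *= staleness_multiplier(days_since_pentest) * coverage_multiplier(coverage)
    raw += baseline_points(coverage, days_since_pentest)
    return round(10.0 * raw / (raw + SCALE), 2)

# Constructed sample findings (not real data).
SAMPLE = [
    Finding(cvss=9.8, asset_tier="high", days_open=3, in_kev=True),  # the burning fire
    Finding(cvss=7.5, asset_tier="medium", days_open=40, epss=0.3),  # 10 days past SLA
    Finding(cvss=5.0, asset_tier="low", days_open=10, epss=0.01),
    Finding(cvss=3.1, asset_tier="low", days_open=200),              # aged to the 3x cap
]

if __name__ == "__main__":
    before = risk_score(SAMPLE, coverage=0.8, days_since_pentest=120)
    after = risk_score(SAMPLE[1:], coverage=0.8, days_since_pentest=120)  # KEV fixed first
    print(f"score={before}  after fixing the KEV finding={after}")
```

Running the module prints the score for the sample portfolio and then the score after the single KEV finding is remediated, which is the "fix KEVs first" ordering the next section recommends: removing the burning fire drops the score more than closing all three remaining findings would. With no findings, full coverage and a recent pentest the model returns exactly 0, matching the FAQ answer; with 80% coverage alone it stays above 0 because of the baseline points.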

How to Lower Your Score

If your score is high, prioritize actions in this order for the fastest impact:

  1. Fix KEVs: Remediation of Known Exploited Vulnerabilities stops the maximum threat multiplier and strict SLA penalties.
  2. Target High-Asset Criticals: Fix Critical CVSS issues on "High" tier assets. These are your "Burning Fires."
  3. Close Overdue Issues: Identify findings that have passed their SLA. These carry a heavy time penalty multiplier (up to 3x).
  4. Increase Coverage: Ensure 100% of your assets are being scanned to remove the "Gap Multiplier."
  5. Launch a Pentest: Launch an on-demand pentest to remove the staleness penalty.


Frequently Asked Questions

Q: How often is the score updated?

A: The score is recalculated periodically (typically hourly). Because the algorithm relies on "days open" and SLA timers, your score is refreshed throughout the day to capture the aging of vulnerabilities, even if no new vulnerabilities have been found.

Q: Why did my score go up without new vulnerabilities?

A: This is likely due to Aging. If existing vulnerabilities cross their SLA threshold, or if your last on-demand Pentest became older than 90 days, your score increases automatically during the periodic calculation to reflect the growing risk of inaction.

Q: Can I get a score of 0?

A: Yes, but only if you have 0 open findings, 100% asset coverage, and a recent penetration test. A score of 0 represents a mathematically "perfect" state of full observability and remediation.