How is the risk level calculated? scans for a wide variety of web or network vulnerabilities. Each vulnerability has a different impact and needs to be addressed accordingly. Learn how we calculate risk and which findings you should remediate first.
Written by Adina Mihaita
Updated 2 years ago

Each finding discovered by vulnerability scanners will be classified into one of the following Risk Levels. This is calculated according to each vulnerability severity level, based either on the CVSS score or according to the scan engine default (ex: OpenVAS) and our internal logic.

  1. 🟢 Informational - these findings have no severity associated and can be treated at your convenience; you can also choose to exclude them from the reporting
  2. 🔵 Low (<4) - The low-risk vulnerabilities do not usually have a strong impact on the organization's business and might require a potential intruder to have local or physical access system access of the target
  3. 🟠 Medium (>=4) - A medium-risk would require a potential intruder to use at least some amount of individual target manipulation in order to be exploited, but they shouldn't be ignored
  4. 🔴 High (>=7.5) - The risks rated as high could be exploited fairly easily by potential intruders, if high risks are exploited, this could result in significant downtime and/or significant data loss so you should treat these first

CVSS (Common Vulnerability Scoring System) is a standardized system for ranking security vulnerabilities. The score is based on multiple parameters, including:

  • How easy it is to exploit the vulnerability
  • Its potential impact
  • Whether an attack can be carried out remotely

It is not fully possible to determine the CVSS score from an outside perspective, so you need to review vulnerabilities with low CVSS scores and evaluate their impact on your system. Further information about CVSS and a score calculator can be found at NIST (National Institute of Standards and Technology).

Any finding's risk level can be manually changed if you consider that the impact for your business is higher or lower than indicated by our scanners.

Did this answer your question?