KPI & Score Reference
Every score, grade, and KPI in the platform — with the exact formula behind each one.
Security Score Endpoints · Security dashboard
A penalty-based score calculated after each scan. Starts at 100 and subtracts penalties across 5 components. Clamped to 0–100.
| Component | Max penalty | What triggers it |
|---|---|---|
| TLS Weakness | 25 | Protocol version base: no TLS=25, TLS 1.0=25, TLS 1.1=20, TLS 1.2 + weak cipher=10, TLS 1.2 + strong cipher (GCM/ChaCha)=5, TLS 1.3=0. Legacy support: TLS 1.0 still accepted=+5, TLS 1.1 still accepted=+3. Cipher probe: each accepted weak cipher category adds CRIT=+8, HIGH=+5, WARN=+2 |
| Certificate Issues | 25 | Expiry: expired=25, ≤7 days=20, ≤30 days=15, ≤90 days=5, >90 days=0. Weak key (leaf): ≤1024-bit=+10, ≤2048-bit=+5. SHA-1 signature on leaf certificate=+5 |
| CVE Exposure | 25 | Active CVEs on the service: CRIT × 10 + HIGH × 6 + WARN × 2. Example: 1 CRIT + 2 HIGH = 10 + 12 = 22 penalty points |
| HTTP Headers | 15 | Missing security headers: HSTS=5, CSP=4, X-Frame-Options=2, X-Content-Type-Options=2, Referrer-Policy=1, Permissions-Policy=1 |
| Chain & Revocation | 10 | CA cert in chain expiring ≤30 days=5, ≤90 days=3. Revocation check failed=+5 |
Grade thresholds:
Uploaded, ACME, and CSR-imported certificates skip the TLS Weakness and HTTP Headers components (marked N/A) since those components require a live TLS handshake.
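The penalty model above, worked through in Python as an added example (not the platform's own code). The `Scan` fields are a constructed input shape; the example assumes each component is capped at its listed maximum, that N/A components contribute no penalty, that the weak-key thresholds refer to RSA key sizes, and that a negative day count means "expired".

```python
from dataclasses import dataclass, field
TLS_BASE = {"none": 25, "1.0": 25, "1.1": 20, "1.3": 0}  # TLS 1.2 depends on the cipher
CIPHER_CAT = {"CRIT": 8, "HIGH": 5, "WARN": 2}           # per accepted weak cipher category
CVE_SEV = {"CRIT": 10, "HIGH": 6, "WARN": 2}
HEADERS = {"HSTS": 5, "CSP": 4, "X-Frame-Options": 2, "X-Content-Type-Options": 2,
           "Referrer-Policy": 1, "Permissions-Policy": 1}

@dataclass
class Scan:                            # constructed input shape, not the platform's schema
    live: bool = True                  # False: uploaded / ACME / CSR-imported certificate
    tls: str = "1.3"                   # best negotiated version, or "none"
    strong_cipher: bool = True         # GCM/ChaCha negotiated (only matters for TLS 1.2)
    legacy: tuple = ()                 # legacy versions still accepted: "1.0", "1.1"
    weak_cipher_cats: tuple = ()       # severity of each accepted weak cipher category
    days_to_expiry: int = 365          # negative means already expired (assumption)
    rsa_bits: int = 4096               # leaf key size; thresholds assumed to be RSA bits
    sha1_leaf: bool = False
    cves: dict = field(default_factory=dict)   # severity -> count of active CVEs
    missing_headers: tuple = ()
    ca_days_to_expiry: int = 365       # soonest-expiring CA certificate in the chain
    revocation_failed: bool = False

def tls_penalty(s):
    base = (5 if s.strong_cipher else 10) if s.tls == "1.2" else TLS_BASE[s.tls]
    legacy = 5 * ("1.0" in s.legacy) + 3 * ("1.1" in s.legacy)
    return min(base + legacy + sum(CIPHER_CAT[c] for c in s.weak_cipher_cats), 25)

def cert_penalty(s):
    d = s.days_to_expiry
    expiry = 25 if d < 0 else 20 if d <= 7 else 15 if d <= 30 else 5 if d <= 90 else 0
    key = 10 if s.rsa_bits <= 1024 else 5 if s.rsa_bits <= 2048 else 0
    return min(expiry + key + 5 * s.sha1_leaf, 25)

def chain_penalty(s):
    d = s.ca_days_to_expiry
    return min((5 if d <= 30 else 3 if d <= 90 else 0) + 5 * s.revocation_failed, 10)

def security_score(s):
    parts = {
        "tls": tls_penalty(s) if s.live else None,          # None = N/A, needs a handshake
        "cert": cert_penalty(s),
        "cve": min(sum(CVE_SEV[k] * n for k, n in s.cves.items()), 25),
        "headers": min(sum(HEADERS[h] for h in s.missing_headers), 15) if s.live else None,
        "chain": chain_penalty(s),
    }
    total = sum(p for p in parts.values() if p is not None)
    return max(0, min(100, 100 - total)), parts
# Constructed sample: TLS 1.2 endpoint, certificate expiring in 25 days, three active CVEs
SAMPLE = Scan(tls="1.2", legacy=("1.1",), weak_cipher_cats=("WARN",), days_to_expiry=25, rsa_bits=2048,
              cves={"CRIT": 1, "HIGH": 2}, missing_headers=("CSP", "Referrer-Policy"), ca_days_to_expiry=60)
```

`security_score(SAMPLE)` returns the score together with the per-component penalties, so the component that drives a low score is visible at a glance.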
Technical Score Endpoint list · Overview
The Technical Score is identical to the Security Score — it is the raw output of the 5-component penalty model (0–100). It is cached on the endpoint record after each scan and used as the input to the Business Priority calculation.
Business Priority Endpoint list · Overview
Adjusts the Technical Score for real-world risk context: internet-facing and business-critical endpoints are weighted higher. Clamped to 0–100.
Exposure multiplier (base 1.0, capped at 1.5):
| Condition | Adds |
|---|---|
| Internet-facing | +0.20 |
| Wildcard certificate (*.example.com) | +0.05 |
| Certificate shared with >1 endpoint | +0.10 |
| Internal / private | +0.00 |
Business impact multiplier (set per endpoint):
| Criticality | Multiplier |
|---|---|
| Critical | × 2.0 |
| High | × 1.5 |
| Normal (default) | × 1.0 |
| Low | × 0.7 |
exposure = min(1.0 + 0.20 + 0.05, 1.5) = 1.25
impact = 2.0
priority = min(60 × 1.25 × 2.0, 100) = min(150, 100) = 100
Compliance Score Reports · Executive dashboard
Measures finding density across your entire infrastructure. Unlike the Security Score (per endpoint), this score accounts for the number of active endpoints so it scales with infrastructure size.
normalized_penalty = raw_penalty ÷ number_of_enabled_endpoints
compliance_score = clamp(100 − normalized_penalty, 0, 100)
A score of 80 or above is generally acceptable for most compliance frameworks. Below 60 indicates a high finding density that warrants immediate remediation.
The Average Grade shown alongside this score is the average Security Score across all endpoints that have completed at least one scan, converted to a letter grade using the same thresholds as above.
Attack Path Risk Score Attack Paths dashboard
Each discovered attack path through your infrastructure is scored 0–100. The score combines five independent dimensions to reflect both likelihood and potential impact.
clamp(
    internet_exposure // max 25
  + max_cve_severity // max 25
  + exploit_density // max 15
  + target_impact // max 20
  + shadow_bonus // max 10
  + depth_modifier // max 5
, 0, 100)
| Component | Max | How it is calculated |
|---|---|---|
| Internet exposure | 25 | 25 if the path starts from a public internet entry point, 0 if fully internal |
| Max CVE severity | 25 | CVSS ≥ 9.0 → 25 pts (full). Otherwise: (CVSS / 10) × 25 |
| Exploit density | 15 | min(CVE count × 3, 15) — more vulnerabilities on the path = higher density |
| Target business impact | 20 | Critical=20, High=14, Normal=8, Low=4. No criticality set + CVEs present → 14 (fail-secure) |
| Shadow infrastructure bonus | 10 | +10 if the path passes through an unmanaged or shadow service |
| Path depth modifier | 5 | max(0, 5 − (depth − 2)) — shorter paths score higher (fewer hops = easier to exploit) |
Risk bands:
| Band | Score |
|---|---|
| Critical | ≥ 70 |
| High | 40–69 |
| Medium | 20–39 |
| Low | 0–19 |
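The component table and risk bands above, as an added Python example (not the platform's own code). The function signature and the sample paths are constructed. Two cases the page leaves open are handled by labelled assumptions: a path with no criticality and no CVEs uses the Normal value, and the depth modifier is capped at its stated maximum of 5, because the formula yields 6 at depth 1.

```python
IMPACT = {"Critical": 20, "High": 14, "Normal": 8, "Low": 4}
BANDS = [(70, "Critical"), (40, "High"), (20, "Medium"), (0, "Low")]

def attack_path_risk(internet_entry, cvss_scores, criticality, via_shadow, depth):
    """Return (score, band, components) for one attack path."""
    top = max(cvss_scores, default=0.0)
    if criticality in IMPACT:
        impact = IMPACT[criticality]
    elif cvss_scores:
        impact = 14                   # fail-secure: no criticality set + CVEs present
    else:
        impact = IMPACT["Normal"]     # assumption: the page does not define this case
    parts = {
        "internet_exposure": 25 if internet_entry else 0,
        "max_cve_severity": 25 if top >= 9.0 else top / 10 * 25,
        "exploit_density": min(len(cvss_scores) * 3, 15),
        "target_impact": impact,
        "shadow_bonus": 10 if via_shadow else 0,
        # Assumption: capped at the component maximum (the raw formula gives 6 at depth 1).
        "depth_modifier": min(5, max(0, 5 - (depth - 2))),
    }
    score = max(0, min(100, sum(parts.values())))
    band = next(name for floor, name in BANDS if score >= floor)
    return score, band, parts

# Constructed sample paths: (internet entry, CVSS of CVEs on path, criticality, shadow hop, depth)
PATHS = {
    "web-to-db": (True, [9.8, 7.5], None, True, 3),
    "intranet-wiki": (False, [5.0], "Low", False, 6),
    "jump-host": (False, [], "Normal", False, 1),
}

def rank(paths):
    """Score every path and return (name, score, band) sorted by descending score."""
    scored = [(name, *attack_path_risk(*args)[:2]) for name, args in paths.items()]
    return sorted(scored, key=lambda row: row[1], reverse=True)
```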
Mitigation Priority Score Recommendations dashboard
Ranks remediation recommendations by expected return — combining how much risk it removes, how urgent it is, how exploitable the vulnerability is, how many assets it covers, and how much effort it requires.
clamp(
    risk_reduction × 0.40 // max 40
  + urgency_score × 0.25 // max 25
  + exploitability × 0.15 // max 15
  + breadth_score × 0.10 // max 10
  − effort_penalty × 0.10 // max −10
, 0, 100)
| Input | Values |
|---|---|
| Urgency score | Immediate=100, Soon=70, When possible=30 |
| Exploitability | min(CVE count × 5 + max CVSS × 8, 100) |
| Breadth score | Scales with the number of distinct affected hosts and services |
| Effort penalty | High effort reduces the priority score — easy wins rank higher |