How the Business Risk Score is calculated
This tool does not replace CVSS, EPSS, CISA KEV or enterprise vulnerability management platforms. It creates a transparent contextual business risk score by combining technical severity, exploitation likelihood, asset exposure, business impact and compensating controls.
Model overview
The model starts with CVSS as the technical baseline. It then adds contextual factors that are normally missing from raw CVSS prioritization: exposure, asset type, exploit maturity, EPSS, KEV, data sensitivity, business criticality, patch complexity and compensating controls.
Score ceiling: The composite is capped at 100. On highly exposed findings the raw total (CVSS baseline plus contextual factors) can already exceed the ceiling before compensating controls are subtracted, so part or all of the controls' reduction is absorbed by the cap and produces no visible change in the final score. When this happens, the risk summary shows the uncapped pre-mitigation score and the number of control points absorbed by the cap.
CVSS technical baseline
CVSS remains the technical severity input. The business score does not overwrite CVSS; it uses CVSS as one part of a broader prioritization model.
Exposure scoring
Exposure is one of the strongest business risk drivers because it determines how reachable the vulnerable asset is for an attacker.
| Factor | Points | Reason |
|---|---|---|
| Internet-facing | +20 | Directly reachable from the public internet |
| Internal prod | +12 | Reachable within the production network |
| Dev/Test | +4 | Isolated from production systems |
| Air-gapped | 0 | No network path to sensitive systems |
Asset impact scoring
Different asset types have different blast radius. Identity, edge and database systems are weighted higher than workstations.
| Factor | Points | Reason |
|---|---|---|
| Identity (IdP/AD) | +18 | Credential compromise affects entire estate |
| Internet edge | +16 | Public-facing perimeter with direct attacker access |
| Database | +14 | Contains sensitive or regulated data |
| Workstation | +6 | Limited blast radius in most configurations |
Exploit maturity scoring
The model increases urgency when exploitation is known, weaponized or publicly demonstrated.
| Factor | Points | Reason |
|---|---|---|
| Confirmed in wild | +20 | Active exploitation documented by reliable sources |
| PoC public | +14 | Proof-of-concept or exploit code publicly available |
| Theoretical | +4 | Exploitable in principle, but no public code and no observed exploitation |
| Not applicable | 0 | No exploit path exists |
EPSS scoring
EPSS (FIRST's Exploit Prediction Scoring System) estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. Higher EPSS increases the score.
| Factor | Points | Reason |
|---|---|---|
| ≥ 90% | +20 | Extremely high exploit probability per FIRST EPSS |
| 50–89% | +12 | High exploit probability |
| 10–49% | +6 | Moderate exploit probability |
| < 10% | 0 | Low exploit probability |
Business criticality scoring
Business importance changes remediation priority even when technical severity is the same.
| Factor | Points | Reason |
|---|---|---|
| Mission critical | +16 | Disruption causes immediate business impact |
| Business important | +10 | Disruption degrades key business processes |
| Standard | +4 | Low business dependency |
| Low | 0 | Minimal business function dependency |
Data sensitivity scoring
Regulated, financial, personal or confidential data increases business impact.
| Factor | Points | Reason |
|---|---|---|
| Regulated (PCI/HIPAA/GDPR) | +16 | Breach triggers regulatory notification obligations |
| Financial | +12 | Financial data exposure increases impact |
| Confidential | +8 | Internal sensitive data at risk |
| Public | 0 | No sensitive data at risk |
Patch complexity scoring
Difficult patching increases the exposure window and may require compensating controls.
| Factor | Points | Reason |
|---|---|---|
| Requires downtime | +10 | Patch window must be scheduled, increasing exposure |
| Requires testing | +6 | Regression risk slows remediation |
| Simple | 0 | Drop-in patch with no disruption |
Compensating controls
Controls reduce urgency but do not remove the underlying vulnerability.
| Factor | Points | Reason |
|---|---|---|
| Network isolation | -10 | Segmentation limits reachability |
| WAF / virtual patch | -8 | Active filtering reduces exploitation likelihood |
| MFA enforced | -6 | Credential-based exploitation harder |
| EDR monitoring | -4 | Active detection reduces dwell time |
KEV and authentication adjustments
- Listed in CISA KEV: Known-exploited vulnerabilities represent active, real-world attack activity and require urgent treatment.
- Authentication required: Requires credentials, reducing the pool of potential attackers and exploitation speed.
- No authentication required: No credential barrier; any network-reachable attacker can attempt exploitation.
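The following is an added worked example of the additive model described above, not code from the tool itself. The point tables are copied from this page; everything else is an assumption: the page does not say how the CVSS base score is converted to points, so CVSS_WEIGHT (4 points per CVSS point) is a placeholder, and the KEV and authentication adjustments are left out because no values are given for them. The two findings at the bottom are constructed, and the second one shows the cap absorbing part of a WAF's reduction, as described under "Score ceiling".

```python
"""Worked example of the page's additive Business Risk Score (added illustration, not the tool's code)."""
from dataclasses import dataclass, field

SCORE_CEILING = 100
CVSS_WEIGHT = 4.0  # ASSUMPTION: CVSS 10.0 -> 40 points; the page does not state the conversion

# Point tables copied from the page.
EXPOSURE = {"internet_facing": 20, "internal_prod": 12, "dev_test": 4, "air_gapped": 0}
ASSET = {"identity": 18, "internet_edge": 16, "database": 14, "workstation": 6}
EXPLOIT_MATURITY = {"confirmed_in_wild": 20, "poc_public": 14, "theoretical": 4, "not_applicable": 0}
CRITICALITY = {"mission_critical": 16, "business_important": 10, "standard": 4, "low": 0}
DATA_SENSITIVITY = {"regulated": 16, "financial": 12, "confidential": 8, "public": 0}
PATCH_COMPLEXITY = {"requires_downtime": 10, "requires_testing": 6, "simple": 0}
CONTROLS = {"network_isolation": -10, "waf_virtual_patch": -8, "mfa_enforced": -6, "edr_monitoring": -4}


def epss_points(epss: float) -> int:
    """EPSS band from the page, applied to a 0..1 probability with >= thresholds,
    so a value that falls between the printed bands (e.g. 0.895) is still scored."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError("EPSS is a probability in [0, 1]")
    if epss >= 0.90:
        return 20
    if epss >= 0.50:
        return 12
    if epss >= 0.10:
        return 6
    return 0


@dataclass
class Finding:
    cvss: float
    exposure: str
    asset: str
    exploit_maturity: str
    epss: float
    criticality: str
    data_sensitivity: str
    patch_complexity: str
    controls: list = field(default_factory=list)


@dataclass
class RiskSummary:
    pre_mitigation: float   # baseline + contextual factors, before controls and before the cap
    controls_total: int     # sum of compensating-control reductions (always <= 0)
    final_score: float      # composite clamped to [0, SCORE_CEILING]
    absorbed_by_cap: float  # control points that produced no visible change because of the cap


def business_risk_score(f: Finding) -> RiskSummary:
    """Additive model: CVSS baseline + contextual points + (negative) control points, capped at 100."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError("CVSS base score is 0.0..10.0")
    baseline = f.cvss * CVSS_WEIGHT
    contextual = (EXPOSURE[f.exposure] + ASSET[f.asset] + EXPLOIT_MATURITY[f.exploit_maturity]
                  + epss_points(f.epss) + CRITICALITY[f.criticality]
                  + DATA_SENSITIVITY[f.data_sensitivity] + PATCH_COMPLEXITY[f.patch_complexity])
    pre_mitigation = baseline + contextual
    controls_total = sum(CONTROLS[c] for c in set(f.controls))  # each control counted once
    composite = pre_mitigation + controls_total
    final = min(float(SCORE_CEILING), max(0.0, composite))
    # Only the part of the raw total sitting above the ceiling can swallow control points.
    absorbed = max(0.0, min(-controls_total, pre_mitigation - SCORE_CEILING))
    return RiskSummary(pre_mitigation, controls_total, final, absorbed)


# Constructed sample findings (not real CVEs).
SAMPLES = {
    "idp_rce": Finding(cvss=10.0, exposure="internet_facing", asset="identity",
                       exploit_maturity="confirmed_in_wild", epss=0.95, criticality="mission_critical",
                       data_sensitivity="regulated", patch_complexity="requires_downtime",
                       controls=["mfa_enforced", "edr_monitoring"]),
    "edge_poc": Finding(cvss=10.0, exposure="internet_facing", asset="internet_edge",
                        exploit_maturity="poc_public", epss=0.60, criticality="standard",
                        data_sensitivity="public", patch_complexity="simple",
                        controls=["waf_virtual_patch"]),
}


def score_samples() -> dict:
    return {name: business_risk_score(f) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, s in score_samples().items():
        print(f"{name}: pre-mitigation {s.pre_mitigation:.1f}, controls {s.controls_total}, "
              f"final {s.final_score:.1f}, absorbed by cap {s.absorbed_by_cap:.1f}")
```

For `idp_rce` the raw total is 160, so the 10 points of MFA and EDR are fully absorbed and the final score stays at 100; for `edge_poc` the raw total is 106, so only 6 of the WAF's 8 points are absorbed and the final score is 98. Reporting `absorbed_by_cap` alongside the final score is what keeps the controls visible to whoever reads the summary.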
Future enrichment sources
In the production version, manual inputs can be automatically enriched from public security sources. Internal business context will still need to come from the user, CMDB, asset inventory or vulnerability management platform.
- CVE and CVSS data: CVE description, CVSS score, vector, affected products and references.
- EPSS: Exploit probability score and percentile for known CVEs.
- CISA KEV: Known exploited vulnerability status and remediation urgency.