Understanding our Risk Score, and why it reflects real-world conditions


José Martinho

Head of Engineering

March 5, 2026

In the modern boardroom, the question "How secure are we?" is no longer satisfied by a spreadsheet of 10,000 "Medium" severity findings. For Security Managers and CISOs, the challenge isn't just finding vulnerabilities, it is translating a chaotic flood of technical data into a single, quantifiable narrative that reflects true business risk.

At Ethiack, we believe that a static list of CVEs doesn't equal a security posture. That is why we have overhauled our Risk Score algorithm. It is no longer just about what vulnerabilities you have; it is about where they are, how exploitable they are, and how long they have been ignored.

Why the "Old Way" Doesn't Work

Historically, the industry has relied heavily on the Common Vulnerability Scoring System (CVSS) to prioritize remediation. CVSS is excellent for determining the technical severity of a vulnerability in isolation (e.g., "is it remote code execution?"), but it has a major blind spot: it says nothing about whether anyone is actually exploiting the bug, or about what the affected asset is worth to your business.

Tens of thousands of CVEs are published every year, yet only a small fraction of them (well under ten percent by most published estimates) are ever observed being exploited in the wild. Prioritizing solely on CVSS therefore wastes effort on theoretical risks while active threats go unnoticed. A "Critical" vulnerability on a test server sitting behind a firewall does not carry the same organizational risk as a "High" vulnerability on a public-facing payment gateway that ransomware groups are actively targeting today.

To get a true picture of your security posture, we need more than just severity. We need context, probability, and time.

The New Intelligence: EPSS and CISA KEV

To modernize our risk scoring, we have integrated two critical data streams that are reshaping vulnerability management:

  • CISA KEV (Known Exploited Vulnerabilities): Think of this as "ground truth." Maintained by the U.S. Cybersecurity and Infrastructure Security Agency, this catalog lists vulnerabilities that are actively being exploited in the wild. If a vulnerability is on this list, it isn't theoretical, it is happening. Each entry also carries a remediation due date (the deadline CISA sets for U.S. federal agencies under Binding Operational Directive 22-01), which makes the catalog a useful SLA benchmark for everyone else.
  • EPSS (Exploit Prediction Scoring System): If CISA KEV is the current weather, EPSS is the forecast. Maintained by FIRST and refreshed daily, EPSS uses machine learning models trained on real-world threat data to estimate the probability (0 to 100%) that a given CVE will see exploitation activity in the next 30 days. It is a likelihood, not a severity: a CVSS 9.8 bug can have an EPSS below 1%, and vice versa. This allows organizations to shift from reactive patching to proactive defense.

By combining these threat-centric metrics with technical severity, we can filter out the noise and focus on the signals that matter.

The New Ethiack Risk Score

Our new Risk Score is a dynamic, 0 to 10 rating updated several times a day to reflect the living nature of your environment. A score of 0 is the ideal, almost utopian, target state, while 10 represents critical exposure requiring immediate action.

Here is a look under the hood at the four stages of our new algorithm and why each parameter matters for your security posture.

The Vulnerability Score - Findings with context

We evaluate every single finding on four dimensions. The first is the technical severity (the CVSS-style rating); the other three add the context that a plain CVSS lookup lacks:

  • Asset Context. Not all assets are equal. We apply a multiplier based on the asset tier. A vulnerability on a "High Tier" asset triggers a 2.0x multiplier, doubling the risk. Conversely, "Low Tier" assets receive a 0.5x multiplier, halving the risk. This ensures business impact drives prioritization.
  • Threat Intelligence, or how likely this is to be exploited. We ingest real-time data. If a finding is in the CISA KEV catalog, it receives maximum priority. Otherwise, the higher its EPSS probability, the more its score increases, in proportion to that probability.
  • SLA & Aging. The longer a finding exists, the more opportunities there are for it to be exploited. Vulnerabilities age like milk, so a finding that remains open past its Service Level Agreement (SLA) incurs a "Time Penalty" that grows every day it stays open.

Aging matters even more for vulnerabilities that are already being exploited, so findings listed in CISA KEV get a strict 1-day SLA override: if a known exploited vulnerability is not patched immediately, the penalty starts accruing the next day and your score degrades rapidly.

Differentiating Fire from Noise

A common pitfall in risk scoring is naively summing thousands of "Low" issues until the total inflates to "Critical." We solved this with a "Burning Fire + Noise" approach.

  • The Burning Fire: The single most dangerous finding contributes its full score to your organization score.
  • The Noise: All other findings are aggregated into a bounded background term, so their count alone cannot drive the score to the top of the scale.

This means a single Critical vulnerability on a High-value asset will instantly spike your score to alert you, while a cluster of minor issues will not distract you with a false sense of panic.

Global Multipliers (Governance Checks)

Your security posture isn't just about bugs; it's about process. We apply multipliers to your score based on your governance hygiene:

  • Pentest Staleness: Continuous, automated, breadth-first testing is vital, but periodic in-depth testing cannot be skipped. If you haven't performed an on-demand penetration test in over 90 days, your score is penalized to reflect the risk of untested business-logic flaws that automated scanning does not catch.
  • Asset Coverage Gap: You can't secure what you can't see. If we are only scanning 80% of your known assets, we multiply the risk of the findings we do see, assuming similar risks hide in the shadows.

The "Unknown Risk" Baseline

Finally, we account for the unknown. Even if you have zero open vulnerabilities, you cannot achieve a perfect score of 0 if you have significant blind spots. Points are added to your baseline for every percentage point of infrastructure not covered by scanning or in-depth testing.
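To make the four stages concrete, here is an added, illustrative implementation in Python. It is example code written for this page, not Ethiack's algorithm: the tier multipliers (2.0x and 0.5x), the 1-day KEV SLA override, the 90-day pentest window and the 0 to 10 range are taken from the text, while the per-severity SLAs, the 2% daily time penalty, the saturating noise curve, the 1.2x pentest penalty and the baseline points per uncovered percent are assumptions chosen so the example runs. The scenarios in demo() are constructed inputs, not customer data or real CVE identifiers.

```python
"""Illustrative model of the four-stage Risk Score described in this post.
Added example, not Ethiack's implementation: the 2.0x/0.5x tier multipliers,
1-day KEV SLA, 90-day pentest window and 0-10 range are as stated in the post;
every constant marked ASSUMED is a placeholder chosen only so the example runs.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TIER_MULTIPLIER = {"high": 2.0, "medium": 1.0, "low": 0.5}       # medium: ASSUMED
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # ASSUMED
KEV_SLA_DAYS = 1                     # stated: KEV findings get a 1-day SLA
TIME_PENALTY_PER_DAY = 0.02          # ASSUMED: +2% per day past SLA
NOISE_CAP, NOISE_HALF = 2.0, 20.0    # ASSUMED: noise saturates below 2 points
PENTEST_STALE_DAYS, PENTEST_STALE_MULT = 90, 1.2   # 90 stated, 1.2 ASSUMED
UNKNOWN_POINTS_PER_PCT = 0.02        # ASSUMED baseline per % of estate unseen


@dataclass
class Finding:
    ident: str          # placeholder label, not a real CVE id
    cvss: float         # technical severity, 0-10
    asset_tier: str     # "high" | "medium" | "low"
    opened: date
    epss: float = 0.0   # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool = False


def severity_bucket(cvss: float) -> str:
    """CVSS v3.x qualitative rating bands, used to pick the SLA."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"


def finding_score(f: Finding, today: date) -> float:
    """Stage 1: severity x asset context x threat intel x aging (unbounded)."""
    score = f.cvss * TIER_MULTIPLIER[f.asset_tier]
    # Threat intel: a KEV entry counts as a certain exploit (probability 1.0);
    # otherwise the score rises in proportion to the EPSS probability.
    score *= 1.0 + (1.0 if f.in_kev else f.epss)
    # SLA and aging: the penalty grows every day the finding is past its SLA.
    sla = KEV_SLA_DAYS if f.in_kev else SLA_DAYS[severity_bucket(f.cvss)]
    overdue = max(0, (today - f.opened).days - sla)
    return score * (1.0 + TIME_PENALTY_PER_DAY * overdue)


def organization_score(findings, today, last_pentest, coverage_pct) -> float:
    """Stages 2-4: fire + bounded noise, governance multipliers, baseline."""
    scores = sorted((finding_score(f, today) for f in findings), reverse=True)
    fire = scores[0] if scores else 0.0            # the single worst finding
    rest = sum(scores[1:])
    # Saturating noise: thousands of lows add at most NOISE_CAP points.
    noise = NOISE_CAP * rest / (rest + NOISE_HALF) if rest else 0.0
    raw = fire + noise
    if last_pentest is None or (today - last_pentest).days > PENTEST_STALE_DAYS:
        raw *= PENTEST_STALE_MULT
    raw *= 100.0 / max(coverage_pct, 1.0)           # 80% coverage -> 1.25x
    baseline = UNKNOWN_POINTS_PER_PCT * (100.0 - coverage_pct)
    return round(min(10.0, raw + baseline), 2)


def demo(today: date = date(2026, 3, 5)) -> dict:
    """Constructed scenarios (no real assets or CVEs), one per stage."""
    fresh = today - timedelta(days=30)

    def ago(days):
        return today - timedelta(days=days)

    def medium(days, kev=False, tier="medium"):
        return Finding("med-1", 6.5, tier, ago(days), epss=0.02, in_kev=kev)

    lows = [Finding(f"low-{n}", 3.5, "low", today, epss=0.01) for n in range(200)]
    critical = Finding("crit-1", 9.8, "high", ago(3), epss=0.5)
    return {
        "200_lows_only": organization_score(lows, today, fresh, 100),
        "200_lows_plus_critical_on_high_tier":
            organization_score(lows + [critical], today, fresh, 100),
        "medium_at_sla": organization_score([medium(90)], today, fresh, 100),
        "medium_10_days_overdue": organization_score([medium(100)], today, fresh, 100),
        "medium_low_tier_day3": organization_score([medium(3, tier="low")], today, fresh, 100),
        "kev_low_tier_day3": organization_score([medium(3, True, "low")], today, fresh, 100),
        "kev_low_tier_day4": organization_score([medium(4, True, "low")], today, fresh, 100),
        "medium_at_sla_80pct_coverage": organization_score([medium(90)], today, fresh, 80),
        "no_findings_stale_pentest_80pct": organization_score([], today, ago(120), 80),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:38} {score:5.2f}")
```

Running it prints one line per scenario: two hundred Low findings on their own land around 3.7, adding a single Critical on a High-Tier asset clamps the score to 10.0, the same Medium finding scores 6.63 at its SLA and 7.96 ten days past it, a KEV finding on a Low-Tier asset outscores the identical non-KEV finding and rises again the next day, and an estate with no open findings but 80% coverage and a stale pentest still sits at 0.4 rather than 0. The saturating noise term is the design choice to examine: because it is bounded, no quantity of Lows can push the score into the Critical range, which is exactly the "fire versus noise" property the post describes.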

You can check a more detailed explanation of the values we use and how they are applied here.

The Bottom Line

By integrating asset context, predictive threat intelligence (EPSS), and real-world exploitation data (CISA KEV) with strict aging penalties, our Risk Score gives CISOs and Security Managers a metric they can trust, and one they can use to act.

To lower your score - and your real-world risk - the path is clear: fix what matters (KEV and findings in High-Tier assets), maintain your SLAs, and ensure you have eyes on your entire infrastructure.

The Road Ahead: Precision and Segmentation

We aren't stopping at the organizational level. While a top-level Risk Score is essential for executive reporting and macro-level posture management, we know that operational teams need granularity to fight fires effectively. To that end, our roadmap includes two major evolutions designed to make your risk data even more actionable.

The Asset Risk Score: granular visibility

Currently, we use your asset's importance as a multiplier to calculate your organization's total risk. During H1 2026, we will apply these same rigorous principles—severity, threat intelligence, and aging—directly to the individual asset level.

This implementation will generate a specific Asset Risk Score for everything we are testing within your Attack Surface. This shift allows security teams to instantly identify not just that they are vulnerable, but which specific assets are the "weakest links" in the chain. By isolating risk to the asset level, you can prioritize remediation efforts on those high-value assets where a breach would cause the most significant business impact.

Owned vs. Third-Party Risk Segmentation

Modern digital estates are rarely 100% proprietary. They are a complex mesh of internal code and external dependencies. While both contribute to your aggregate risk, the method of remediation differs vastly between fixing a line of code you wrote and mitigating a vulnerability in a third-party vendor's software.

To provide better clarity, we will be introducing segregated risk scores. This feature will split your risk view into two distinct streams:

  • Organization-Owned Technologies: Risks residing in the infrastructure and code you directly control.
  • Third-Party Providers: Risks originating from your supply chain and external vendors.

Supply chain attacks and external dependencies are becoming primary attack vectors. By distinguishing between internal and external risk, we want to empower teams to route issues to the right place immediately, whether that is the engineering team for a patch or the GRC team to enforce vendor SLAs.

Expect these updates to roll out during the first half of this year. We truly believe that your Risk Score should not be just a number, but a strategic tool that evolves as fast as the threat landscape does.
