Skip to main content
All CollectionsRisk and SPR
Security Posture Rating (SPR) and Risk Mass
Security Posture Rating (SPR) and Risk Mass

Learn all about SPR and how to define it

Updated over 10 months ago

About SPR (Security Posture Rating)

SPR is the main KPI driving the Vulnerability Management (VM) program through your Vulcan Platform. It helps you track the progress of the VM program towards its risk-management goal, prioritize remediation resources, and identify strategic risk pitfalls. The SPR helps you understand the overall security posture status and the security status of the various business units (business groups).

This means that the SPR value (in %) is the percentage of scanned assets complying with a defined threshold for maximum risk. Any asset that doesn’t contain any vulnerability over a certain predefined threshold is complying with the risk appetite of the organization.

As a KPI, the SPR measures the percentages of assets that are risk-compliant, within all scanned assets only.

How is the SPR calculated?

Once we have all the pieces in place, the calculation is simple:

  1. Calculate risk scores for all assets - maximal risk of the vulnerability instances that affect the assets

  2. Count the number of assets with risk scores below the SPR threshold

  3. Calculate the percentage of these out of the entire relevant asset population, excluding unscanned assets

SPR KPI is measured and calculated for the entire environment, as well as for each Business Group configured in the platform.

What assets are excluded from the SPR calculation?

Vulcan allows you to ingest CMDB or other asset repository data into the platform to enrich your vulnerability information with business context. A side effect of that ingestion is a plethora of CMDB data which is not necessarily relevant to remediation and does not appear in Vulnerability Assessment scanner data.

Thus, the SPR calculation does not take into account assets for which there is no Vulnerability Assessment data. This means that the asset population that the KPI is measured against is only assets that are scanned by a scanner and could potentially have vulnerabilities discovered on them, even if at any moment they were scanned and found to have 0 vulnerabilities affecting them.

What is a secure asset?

An asset is considered secure when its risk score is below the organizational risk compliance threshold that you have set.

What is an atomic risk?

Atomic risk is the risk of a vulnerability instance based on the technical risk, threats, and asset impact (tags). The KPI is calculated based on the atomic risk for vulnerabilities on a given asset.

What is Risk mass?

Risk mass is the sum of all the calculated atomic risks of all vulnerability instances at a given time.

What is the "SPR Vulcan community average"?

The "SPR Vulcan community average" is a metric that illustrates the average Security Patch Remediation (SPR) within the Vulcan customer community. This average is computed separately for US and European tenants, ensuring region-specific benchmarks. Vulcan offers a valuable benchmarking data by providing a simple average, allowing you to gauge and enhance your security posture.

The SPR Key Performance Indicator (KPI) is a reference point, indicating how other environments maintain an attack surface level aligned with risk policies. It's important to note that customers with tenants in both the US and Europe will observe two distinct averages.

The community average is dynamic and is influenced by the threshold set by each customer. As other customers experience changes in their SPR, the community average will adjust accordingly, reflecting the evolving landscape of security measures.


SPR visibility across your Vulcan Platform

Dashboard page

Vulnerabilities page > Per Business Group

Analytics page > SPR Report


Read next:

Did this answer your question?