All Collections
Risk and SPR
How Risk Calculation Works
How Risk Calculation Works

Learn why risk calculation is important and how our algorithm works

Updated over a week ago


Why should risk be calculated?

When prioritizing vulnerabilities, relying on CVSS alone is simply not enough. It’s crucial to understand that vulnerabilities are forever subjective - exploiting the same exact vulnerability will have a different impact on different environments and, as such, should be treated differently. Having this in mind, organizations ought to prioritize vulnerabilities according to the specific risk they pose to their environment, and the Vulcan platform automatically calculates this risk for you.

Vulcan risk algorithm

Our risk algorithm intelligently incorporates different contextual attributes to produce a dynamic risk score for each vulnerability instance in your environment.

Our risk score is dynamic, personalized, and customizable. The platform allows you to create your own risk model by setting weights for the different components of the algorithm by your organization's own risk focus and risk appetite.

Vulcan's risk algorithm also applies uniformly across different types of vulnerabilities, whether they are infrastructure, AppSec, or container vulnerabilities. They are all rated on a single scale of 0-100.

How does Vulcan calculate risk for a vulnerability?

In Vulcan, the risk score of a vulnerability instance (AKA, atomic risk) is a calculation of 3 factors:

  • Technical severity – CVSS or other scores as provided by the scanning vendor.

  • Threats – Exploits, malware, and other threat intelligence in the wild.

  • Tags – The impact (High, medium, low) of tags on the vulnerable assets. This determines how impactful a vulnerability breach will be to your business.

The risk model takes into account these 3 factors and calculates, according to the weights set by you following your organization's risk focus and risk appetite, your personalized risk score for this vulnerability instance. To dig deeper into this topic, see Risk Calculation - Deep Dive.

Risk Levels

Vulcan groups risk scores into buckets, very similarly to CVSS v3.0. Each risk level is color-coded: red for Critical, orange for High, yellow for Medium, and grey for Low/None.

Risk Level


Numeric Score











You can filter the vulnerabilities results by Risk Level:

Manually Editing Risks

Vulcan’s risk algorithm intelligently incorporates different contextual attributes to produce a dynamic risk score for each vulnerability instance in your environment.
However, sometimes assets or vulnerabilities might occur under specific special circumstances, which would require you to determine their risk score manually. A vulnerability that would otherwise pose a Critical risk could be manually brought down to a Low if the asset it affects has a compensating control such as a firewall that would mitigate the vulnerability. Click here to learn how to edit risk manually.

From atomic risk to risk mass

What is an atomic risk?

Atomic risk is the risk of a vulnerability instance based on the technical risk, threats, and asset impact (tags).

What is Risk mass, and why is it important?

Risk mass is the sum of all the calculated atomic risks of all vulnerability instances at a given time. Risk mass is calculated at macro and micro levels.

The reason behind following a risk mass is understanding the volume of the risk. The larger the risk mass is, the more vulnerability instances it contains.

  • Risk mass of the entire Organization (All business groups)

  • Risk mass per Business Group

  • Risk mass per Vulnerability Cluster

  • Risk mass per Remedy

Did this answer your question?