How Risk Calculation Works

Why should risk be calculated?

Relying on CVSS alone is not enough when prioritizing vulnerabilities. Vulnerabilities are inherently subjective: exploiting the exact same vulnerability has a different impact in different environments, so the same vulnerability should be treated differently depending on where it is found. With this in mind, organizations ought to prioritize vulnerabilities according to the specific risk they pose to their own environment, and the Vulcan Cyber ExposureOS platform calculates this risk for you automatically.


Vulcan Cyber ExposureOS risk algorithm

Our risk algorithm intelligently incorporates different contextual attributes to produce a dynamic risk score for each finding (instance) in your environment.

Our risk score is dynamic, personalized, and customizable. The platform allows you to create your own risk model by setting weights for the different components of the algorithm based on your organization's own risk focus and risk appetite.

The Vulcan Cyber ExposureOS risk algorithm also applies uniformly to different types of vulnerabilities, whether infrastructure, AppSec, or container vulnerabilities. They are all rated on a single scale of 0 to 100.


How does Vulcan Cyber ExposureOS calculate the risk of a vulnerability?

In Vulcan Cyber ExposureOS, the risk score of a finding (instance) is a calculation of 3 factors:

  • Technical severity – CVSS or other scores as provided by the scanning vendor.

  • Threats – Exploits, malware, and other threat intelligence in the wild.

  • Tags – The impact (High, Medium, Low) of the tags on the vulnerable assets. This determines how damaging a breach through this vulnerability would be to your business.

The risk model takes into account these 3 factors and calculates, according to the weights set by you following your organization's risk focus and risk appetite, your personalized risk score for this finding (instance). To dig deeper into this topic, see Risk Calculation - Deep Dive.

Risk Levels

Vulcan Cyber ExposureOS groups risk scores into buckets, similar to CVSS v3.0. Each risk level is color-coded: red for Critical, orange for High, yellow for Medium, and grey for Low/None.

Risk Level   Example (color)   Numeric Score
Critical     red               90-100
High         orange            70-89
Medium       yellow            40-69
Low          grey              1-39
None         grey              0

You can filter the vulnerability results by Risk Level.

Manually editing risks

The risk algorithm produces a dynamic risk score for each finding (instance) in your environment automatically. Sometimes, however, an asset or vulnerability is subject to special circumstances that require you to set its risk score manually. A vulnerability that would otherwise pose a Critical risk can be brought down to Low when the affected asset has a compensating control, such as a firewall that mitigates the vulnerability. See Editing Risk Manually to learn how.


From atomic risk to risk mass

What is an atomic risk?

Atomic risk is the risk of a finding (instance) based on the technical risk, threats, and asset impact (tags).

What is Risk mass, and why is it important?

Risk mass is the sum of the calculated atomic risks of all findings (instances) at a given time. Risk mass is calculated at macro and micro levels:

  • Risk mass of the entire Organization (all business groups).

  • Risk mass per Business Group.

  • Risk mass per Vulnerability Cluster.

  • Risk mass per Remedy.

Tracking risk mass lets you understand its volume: the larger the risk mass, the more findings (instances) it contains, and the more weight they carry.
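To make the three-factor model, the risk levels, manual overrides and risk mass concrete, here is an added Python example. It is not Vulcan Cyber's code: the page does not publish the actual formula, so the weighted-average combination, the 0-1 threat scale, the numeric values assigned to High/Medium/Low tags and the default weights are all assumptions chosen for illustration. The findings are constructed sample data. The example shows how changing the weights to reflect a different risk appetite moves the same finding between buckets, how a manual override for a compensating control replaces the computed score, and how atomic risks roll up into risk mass at organization, business group, cluster and remedy level.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Assumed numeric impact of asset tags (not Vulcan's real values).
TAG_IMPACT = {"high": 1.0, "medium": 0.6, "low": 0.3}

# Assumed default weights for the three factors; a customer would tune
# these to their own risk focus and risk appetite.
DEFAULT_WEIGHTS = {"technical": 0.5, "threats": 0.3, "tags": 0.2}


@dataclass
class Finding:
    """One finding (instance): a vulnerability on one asset."""
    asset: str
    business_group: str
    cluster: str            # vulnerability cluster the finding belongs to
    remedy: str             # remedy (fix) that would resolve it
    technical_severity: float   # CVSS base score 0-10 from the scanner
    threat_level: float         # 0-1: exploit / malware evidence in the wild (assumed scale)
    tag_impact: str             # "high" / "medium" / "low" from asset tags
    manual_risk: Optional[int] = None   # set when an analyst overrides the score


def atomic_risk(f: Finding, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> int:
    """Risk score 0-100 for a single finding.

    A manual override (e.g. a compensating control such as a firewall) wins
    outright; otherwise the three normalized factors are combined as a
    weighted average (the combination rule is an assumption of this example).
    """
    if f.manual_risk is not None:
        if not 0 <= f.manual_risk <= 100:
            raise ValueError("manual risk must be within 0-100")
        return f.manual_risk
    total_weight = sum(weights.values())
    technical = f.technical_severity / 10.0          # 0-10 -> 0-1
    threats = min(max(f.threat_level, 0.0), 1.0)      # clamp to 0-1
    tags = TAG_IMPACT[f.tag_impact.lower()]
    score = (weights["technical"] * technical
             + weights["threats"] * threats
             + weights["tags"] * tags) / total_weight
    return int(round(score * 100))


def risk_level(score: int) -> str:
    """Bucket a 0-100 score into the risk levels from the table above."""
    if score >= 90:
        return "Critical"
    if score >= 70:
        return "High"
    if score >= 40:
        return "Medium"
    if score >= 1:
        return "Low"
    return "None"


def risk_mass(findings: Iterable[Finding], group_by: Optional[str] = None,
              weights: Dict[str, float] = DEFAULT_WEIGHTS):
    """Sum of atomic risks: for the whole organization (group_by=None) or
    per business_group / cluster / remedy (the micro levels)."""
    if group_by is None:
        return sum(atomic_risk(f, weights) for f in findings)
    masses: Dict[str, int] = defaultdict(int)
    for f in findings:
        masses[getattr(f, group_by)] += atomic_risk(f, weights)
    return dict(masses)


# Constructed sample findings (not real data).
FINDINGS = [
    Finding("web-01", "Finance", "OpenSSL", "Upgrade OpenSSL", 9.8, 1.0, "high"),
    Finding("build-02", "Finance", "OpenSSL", "Upgrade OpenSSL", 9.8, 0.0, "low"),
    Finding("hr-app", "HR", "Log4j", "Upgrade log4j", 5.0, 0.5, "medium"),
    # Same technical profile as web-01, but an analyst set it to Low because
    # a firewall blocks the vulnerable service (compensating control).
    Finding("intranet", "HR", "OpenSSL", "Upgrade OpenSSL", 9.8, 1.0, "high",
            manual_risk=20),
]

# A threat-focused risk model: exploitation evidence matters most.
THREAT_HEAVY = {"technical": 0.2, "threats": 0.6, "tags": 0.2}

if __name__ == "__main__":
    for f in FINDINGS:
        s = atomic_risk(f)
        print(f"{f.asset:10} {s:3} {risk_level(s):8}  threat-heavy: {atomic_risk(f, THREAT_HEAVY)}")
    print("Organization risk mass:", risk_mass(FINDINGS))
    for level in ("business_group", "cluster", "remedy"):
        print(f"Risk mass per {level}:", risk_mass(FINDINGS, level))
```

Note how build-02 (critical CVSS, no known exploit, low-impact asset) scores Medium under the default weights but drops to Low under the threat-heavy model, which is exactly the kind of shift a customized risk model is meant to produce; intranet keeps its manual score of 20 regardless of the weights.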
