Risk Scoring¶
CVSS scores an isolated vulnerability. Escape's Risk Score scores what actually matters: a finding's real exploitability in your environment, against your data, in your threat model. Risk Score is what the triage queue sorts on, and what executive reporting rolls up.
What Goes Into a Risk Score¶
Every finding carries a Risk Score between 0 and 100, derived from:
- CVSS base score, where the finding maps to a CVE. That's the starting point, not the final answer, and many findings in your own code (a BOLA in your API, say) have no CVE at all, so the remaining factors carry the score.
- Exploitability in context: does the finding have a Proof of Exploit? Can the agent reach it unauthenticated? Is it chainable with another finding on the same asset?
- Blast radius: how much data does the vulnerable endpoint touch? PII, payment data, credentials, and health data all push the score higher.
- Surface weight: a finding on a public production asset scores higher than the same finding on an internal staging asset.
- Identity crossing: if exploiting the bug crosses a privilege boundary (BOLA, privilege escalation, a tenant breach), the score jumps sharply.
How It's Presented¶
- Per-finding: a single number plus the contributing factors, so triage engineers can see why the score is what it is.
- Per-asset: the aggregate risk the asset carries today, trended over time.
- Per-team: the aggregate risk in each owning team's portfolio, so monthly reviews start with the right priorities.
- Per-framework: how much of a framework's control set is currently failing (see Compliance Frameworks).
Tuning¶
Risk Score is deterministic: the same finding with the same factors always gets the same score, and the factors above combine through a published formula, not a hidden model. If your threat model weighs one factor differently (for example, you don't care about internal staging), you can override the weights at the organization level so the queue sorts to your truth, not ours. Because the same score feeds per-asset trends and executive reporting, a weight change shows up there too, so check how the trend lines behave before you compare before-and-after numbers.
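To make the mechanics concrete, here is an added example of a deterministic, factor-based score with organization-level weight overrides, written for this page and not Escape's own code. The weights, the additive-points-times-surface-multiplier formula, the `Finding` fields, the per-asset aggregate (worst finding on the asset) and the sample findings are all assumptions; Escape's published formula is not reproduced here. It shows the factor list above contributing to one number with a per-factor breakdown, the same CVE scoring differently on a public production asset than on internal staging, and the triage order changing when staging is weighted to zero.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional

# Hypothetical factor weights for this example (an assumption, not Escape's
# published formula): points per factor plus a multiplier per surface.
DEFAULT_WEIGHTS = {
    "cvss_scale": 5.0,      # CVSS base 0-10 contributes up to 50 points
    "no_cve_base": 20.0,    # starting points when no CVE applies
    "proof_of_exploit": 20.0,
    "unauthenticated": 15.0,
    "chainable": 10.0,
    "data": {"pii": 10.0, "payment": 15.0, "credentials": 15.0, "health": 15.0},
    "identity_crossing": 25.0,
    # Surface weight: the same finding scores lower on a less exposed asset.
    "surface": {"public_production": 1.0, "internal_production": 0.7, "internal_staging": 0.4},
}


@dataclass(frozen=True)
class Finding:
    id: str
    asset: str
    surface: str
    cvss_base: Optional[float] = None   # None when no CVE applies
    proof_of_exploit: bool = False
    unauthenticated: bool = False
    chainable: bool = False
    data_classes: frozenset = frozenset()
    identity_crossing: bool = False


def contributing_factors(f: Finding, weights=DEFAULT_WEIGHTS) -> dict:
    """Points per factor before the surface multiplier: the per-finding 'why'."""
    w = weights
    factors = {
        "cvss_base": f.cvss_base * w["cvss_scale"] if f.cvss_base is not None else w["no_cve_base"],
        "proof_of_exploit": w["proof_of_exploit"] if f.proof_of_exploit else 0.0,
        "unauthenticated": w["unauthenticated"] if f.unauthenticated else 0.0,
        "chainable": w["chainable"] if f.chainable else 0.0,
        "blast_radius": sum(w["data"].get(d, 0.0) for d in f.data_classes),
        "identity_crossing": w["identity_crossing"] if f.identity_crossing else 0.0,
    }
    factors["surface_multiplier"] = w["surface"][f.surface]
    return factors


def risk_score(f: Finding, weights=DEFAULT_WEIGHTS) -> int:
    """Deterministic 0-100 score: additive factor points, scaled by surface, clamped."""
    factors = contributing_factors(f, weights)
    mult = factors.pop("surface_multiplier")
    raw = sum(factors.values()) * mult
    return int(round(min(100.0, max(0.0, raw))))


def triage_queue(findings, weights=DEFAULT_WEIGHTS):
    """What the triage queue sorts on: highest score first, id as tiebreak."""
    return sorted(((f.id, risk_score(f, weights)) for f in findings), key=lambda t: (-t[1], t[0]))


def asset_risk(findings, weights=DEFAULT_WEIGHTS) -> dict:
    """Per-asset aggregate. Assumption: an asset carries its worst finding's score."""
    out = {}
    for f in findings:
        out[f.asset] = max(out.get(f.asset, 0), risk_score(f, weights))
    return out


def with_overrides(weights, overrides) -> dict:
    """Organization-level override: replace selected weights, keep the rest unchanged."""
    merged = deepcopy(weights)
    for key, val in overrides.items():
        if isinstance(val, dict):
            merged.setdefault(key, {}).update(val)
        else:
            merged[key] = val
    return merged


# Constructed sample findings (not real scan output).
SAMPLE = [
    # BOLA in the API's own code: no CVE, proven exploit, touches PII, crosses identities.
    Finding("f-1", "api.example.com", "public_production", proof_of_exploit=True,
            data_classes=frozenset({"pii"}), identity_crossing=True),
    # The same CVSS 9.8 CVE, reachable unauthenticated, on staging and on production.
    Finding("f-2", "staging.internal", "internal_staging", cvss_base=9.8, unauthenticated=True),
    Finding("f-3", "api.example.com", "public_production", cvss_base=9.8, unauthenticated=True),
    # Low-value finding on staging with nothing else going for it.
    Finding("f-4", "staging.internal", "internal_staging"),
]

if __name__ == "__main__":
    print(triage_queue(SAMPLE))
    print(asset_risk(SAMPLE))
    no_staging = with_overrides(DEFAULT_WEIGHTS, {"surface": {"internal_staging": 0.0}})
    print(triage_queue(SAMPLE, no_staging))
```

With the default weights the queue reads f-1, f-3, f-2, f-4: the CVE-less BOLA outranks a CVSS 9.8 CVE because proof of exploit, PII and the identity crossing add up, and the same CVE scores 64 on production but 26 on staging. Zeroing the staging multiplier drops both staging findings to 0 without touching the defaults, which is the kind of override the paragraph above describes.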
See Results and Issues Triage for how Risk Score drives the triage queue in the UI.