Endpoint Risk Score Calculator

Calculates a composite endpoint risk score (0–100) from vulnerability severity (CVSS base score), patch lag, vulnerability density, network exposure and asset criticality, reduced by an AV/EDR mitigation factor, using the CVSS-based scoring model set out below.

Formula

Step 1 — Severity Score:
SeverityScore = CVSS / 10

Step 2 — Patch Lag Score (log-normalised; the ratio is the same for any log base):
PatchLag = log(1 + PatchDays) / log(1 + 365)

Step 3 — Vulnerability Density Score (log-normalised):
VulnDensity = log(1 + VulnCount) / log(1 + 500)

Note: inputs beyond the normalisation ceiling (PatchDays > 365, VulnCount > 500) give a component above 1.0, which would be over-weighted in Step 4; cap each component at 1.0 before weighting rather than relying on the final clamp in Step 6.

Step 4 — Weighted Base Score:
BaseScore = (0.35 × SeverityScore) + (0.25 × PatchLag) + (0.20 × VulnDensity) + (0.20 × ExposureNorm)
where ExposureNorm = (ExposureFactor − 0.4) / 0.6, which maps the exposure factors 0.4 / 0.7 / 1.0 to 0 / 0.5 / 1

Step 5 — Apply Criticality & Mitigation:
MitigatedScore = BaseScore × CriticalityMultiplier × AVFactor

Step 6 — Scale to 0–100:
RiskScore = clamp((MitigatedScore / 1.25) × 100, 0, 100)

Risk Bands: Low (<20) · Moderate (20–39) · High (40–59) · Critical (60–79) · Severe (≥80)
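The following is a reference implementation of Steps 1 to 6 and the risk bands, added here as a worked example; it is not the calculator's own code. Assumptions not stated on the page: the label "adjacent" for the 0.7 exposure tier, the per-component cap at 1.0 for over-ceiling inputs, the input ranges enforced by the validation checks, and the constructed sample endpoint used in the usage block.

```python
import math
from dataclasses import dataclass

# Constants taken from the formula on this page.
PATCH_LAG_CEILING_DAYS = 365      # log-normalisation ceiling for patch lag
VULN_COUNT_CEILING = 500          # log-normalisation ceiling for vulnerability density
W_SEVERITY, W_PATCH_LAG, W_VULN_DENSITY, W_EXPOSURE = 0.35, 0.25, 0.20, 0.20
MAX_MITIGATED_SCORE = 1.25        # BaseScore 1.0 x Critical asset 1.25 x no mitigation 1.0

# Exposure factors are the page's 0.4 / 0.7 / 1.0; naming the middle tier
# "adjacent" is an assumption (the page only names the Local -> Network ends).
EXPOSURE_FACTOR = {"local": 0.4, "adjacent": 0.7, "network": 1.0}

# AVFactor 1.0 = no mitigation; 0.4 = up-to-date EDR (the page's ~60% reduction).
AV_FACTOR = {"none": 1.0, "edr_current": 0.4}


def clamp(value: float, lo: float, hi: float) -> float:
    return max(lo, min(hi, value))


def log_norm(value: float, ceiling: float) -> float:
    """log(1 + value) / log(1 + ceiling), capped at 1.0.

    The ratio is independent of the log base. The cap is an added guard (assumption):
    the page only clamps the final score, so PatchDays=1000 or VulnCount=2000 would
    otherwise push a component above 1.0 and over-weight it in Step 4.
    """
    if value < 0:
        raise ValueError("value must be non-negative")
    return clamp(math.log1p(value) / math.log1p(ceiling), 0.0, 1.0)


def risk_band(score: float) -> str:
    """Band thresholds from the page: <20 Low, 20-39 Moderate, 40-59 High, 60-79 Critical, >=80 Severe."""
    for limit, band in ((20, "Low"), (40, "Moderate"), (60, "High"), (80, "Critical")):
        if score < limit:
            return band
    return "Severe"


@dataclass(frozen=True)
class RiskBreakdown:
    severity: float
    patch_lag: float
    vuln_density: float
    exposure_norm: float
    base_score: float
    mitigated_score: float
    risk_score: float
    band: str


def endpoint_risk(cvss: float, patch_days: int, vuln_count: int,
                  exposure_factor: float, criticality_multiplier: float,
                  av_factor: float) -> RiskBreakdown:
    """Steps 1-6 of the page's formula, with input-range validation (ranges are assumptions)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS base score must be in 0..10")
    if not 0.4 <= exposure_factor <= 1.0:
        raise ValueError("ExposureFactor must be in 0.4..1.0 (ExposureNorm would go negative)")
    if not 0.0 < criticality_multiplier <= MAX_MITIGATED_SCORE:
        raise ValueError("CriticalityMultiplier must be in (0, 1.25]; 1.25 is the Critical tier")
    if not 0.0 < av_factor <= 1.0:
        raise ValueError("AVFactor must be in (0, 1.0]; 1.0 means no mitigation")

    severity = cvss / 10.0                                      # Step 1
    patch_lag = log_norm(patch_days, PATCH_LAG_CEILING_DAYS)    # Step 2
    vuln_density = log_norm(vuln_count, VULN_COUNT_CEILING)     # Step 3
    exposure_norm = (exposure_factor - 0.4) / 0.6               # Step 4: 0.4/0.7/1.0 -> 0/0.5/1
    base = (W_SEVERITY * severity + W_PATCH_LAG * patch_lag
            + W_VULN_DENSITY * vuln_density + W_EXPOSURE * exposure_norm)
    mitigated = base * criticality_multiplier * av_factor       # Step 5
    risk = clamp(mitigated / MAX_MITIGATED_SCORE * 100.0, 0.0, 100.0)  # Step 6
    return RiskBreakdown(severity, patch_lag, vuln_density, exposure_norm,
                         base, mitigated, risk, risk_band(risk))


if __name__ == "__main__":
    # Constructed sample: an internet-facing Critical asset carrying a CVSS 9.8 CVE
    # unpatched for 90 days and 25 open CVEs, scored with and without current EDR.
    for label, av in (("no mitigation", AV_FACTOR["none"]), ("current EDR", AV_FACTOR["edr_current"])):
        r = endpoint_risk(9.8, 90, 25, EXPOSURE_FACTOR["network"], 1.25, av)
        print(f"{label:14s} base={r.base_score:.3f} risk={r.risk_score:.1f} band={r.band}")
```

Running the sample shows the multiplicative mitigation at work: the same endpoint scores about 83.9 (Severe) with no mitigation and about 33.6 (Moderate) with an up-to-date EDR, because AVFactor scales the whole weighted base rather than one component. Exceeding a normalisation ceiling (for example PatchDays of 5000) produces the same score as hitting it exactly, which is the behaviour the per-component cap is there to enforce.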

Assumptions & References

  • CVSS Base Score sourced from NIST NVD (nvd.nist.gov) or vendor advisories; scores range 0–10 per CVSSv3.1.
  • Patch lag uses a logarithmic scale, so each additional day of lag adds less to the score than the previous one: half of the maximum patch-lag score is reached at roughly 18 days (sqrt(366) ≈ 19.1), and the curve flattens well before the 365-day ceiling. This rewards fast remediation, consistent with CIS Control 7 (Continuous Vulnerability Management).
  • Vulnerability density is log-normalised over a practical ceiling of 500 CVEs per endpoint.
  • Network exposure factors (0.4 / 0.7 / 1.0) follow the ordering of the CVSS Attack Vector metric (Local < Adjacent < Network); they are this model's own values, not the CVSSv3.1 numeric weights for that metric (0.55 / 0.62 / 0.85).
  • Asset criticality multipliers align with NIST SP 800-30 asset valuation tiers.
  • AV/EDR mitigation factors reflect empirical detection rate ranges from AV-TEST Institute benchmarks (up-to-date EDR ≈ 60% risk reduction, i.e. AVFactor = 0.4; AVFactor = 1.0 means no mitigation).
  • Composite weighting (35/25/20/20) is adapted from the FAIR (Factor Analysis of Information Risk) model, prioritising vulnerability severity and patch currency.
  • The 1.25 divisor in Step 6 is the maximum MitigatedScore: BaseScore 1.0 × the Critical-asset multiplier 1.25 × AVFactor 1.0 (no mitigations, full exposure).
  • This calculator provides a relative risk indicator and does not replace a full penetration test or formal risk assessment.
