Vulnerability Management

How Asset Risk Scoring Is Calculated and Tuned

By PMAP Security Team · 20 min read

Most vulnerability programs reach a point where the finding list stops being useful. Ten thousand open findings spread across two thousand assets tells you the scanners are working. It does not tell you which server to fix first on Monday morning. The number that answers that question is an asset risk score, and the value of that score depends entirely on how it is calculated. A score you cannot explain is a score nobody trusts, and a score nobody trusts gets ignored in favor of gut feeling.

This article walks through exactly how PMAP computes an asset risk score. There is no black box here. The formula has four inputs, every input has a defined weight, and the entire calculation fits in a single line of arithmetic. By the end you will be able to take any asset, look at its findings and its attributes, and reconstruct its risk score by hand. You will also understand the three levers that change a score, which matters when you want the ranking to reflect your environment rather than a generic default.

If you want the wider context of how PMAP builds and tracks the inventory that feeds these scores, the attack surface and asset inventory pillar covers the inventory backbone. This article is narrower. It is about the math, the inputs, and the tuning.

Why a Raw Finding Count Is Not a Risk Score

The simplest way to rank assets is to count their open findings and sort the list. It is also the wrong way, and it is worth being precise about why.

A finding count measures volume. It treats one urgent remote code execution flaw the same as one informational banner disclosure. An asset with forty low-severity findings outranks an asset with two urgent ones, even though the second asset is the one that gets you breached. Counting answers the question “how many problems does this asset have” when the question you actually care about is “how much risk does this asset carry.”

Those are different questions because risk is not uniform. The severity of each finding matters. So does the importance of the asset itself, because the same vulnerability on a test box and on a domain controller does not carry the same consequence. So does whether you are already late on remediation, and whether the asset is reachable from the internet. A count flattens all of that into a single tally and throws away the signal.

PMAP keeps a risk_score field on every asset for exactly this reason. It is computed, not entered by hand, and it folds severity, asset importance, remediation status, and exposure into one comparable number. The analytics layer reads that score to build ranked lists, and the asset list lets you sort by it directly. The rest of this article is about what goes into that number.

A useful way to frame it is the distinction between counting and measuring. Counting tells you how busy your scanners have been. Measuring tells you where the actual exposure sits. A risk score is a measurement, and a measurement is only as good as the formula behind it, so let us look at the formula.

The Asset Risk Score Formula, Step by Step

PMAP computes the asset risk score in a function named computeRiskScore. The whole thing is short enough to state plainly:

base   = urgent×12 + critical×10 + high×7 + medium×4 + low×1
factor = criticalityFactor(criticality)
       × 1.25  (if sla_breaches > 0)
       × 1.20  (if not internal)
score  = base × factor

There are two halves. The base is built from the asset’s open findings, weighted by severity. The factor is a multiplier built from three asset-level attributes: how critical the asset is, whether it has any SLA breaches, and whether it is internet-facing. The final score is the base multiplied by the factor.

This same formula drives the per-asset ranking, the top-20 shortlist, and the per-company roll-up. It is one calculation reused in three places, which means the asset score, the company average, and the highest-risk-asset callout all speak the same language. Let us take each input in turn, because each one carries a deliberate choice about what risk means.

Severity Weights: Urgent 12, Critical 10, High 7, Medium 4, Low 1

The base of the score sums the asset’s open findings, with each finding contributing a weight that depends on its severity:

  • Urgent: 12
  • Critical: 10
  • High: 7
  • Medium: 4
  • Low: 1

Read the curve, not just the numbers. The jump from low to medium is 3 points. From medium to high it is 3 again. From high to critical it is also 3. But the ratios relative to the low weight tell the real story. A single high finding is worth seven lows. A single critical is worth ten lows. A single urgent is worth twelve lows. The scale is built so that volume at the bottom cannot quietly outrank a small number of serious problems at the top.

Consider two assets. The first has one urgent finding and nothing else, giving a base of 12. The second has eleven low findings, giving a base of 11. The asset with the single urgent flaw still ranks higher, which is the correct outcome. A pile of cosmetic issues should never bury the one finding that gets you owned.

Note also that informational findings carry no weight in this list. Only urgent, critical, high, medium, and low contribute to the base. Informational findings are tracked for completeness, but they do not move the risk number, because by definition they describe observations rather than exploitable weaknesses. This keeps noise out of the score.

The weights are applied against the asset’s active findings. Closed, accepted-risk, and false-positive findings drop out of the count, so the base reflects the work that is actually outstanding. Fix an urgent finding and the asset’s base drops by 12 the next time the score is computed. The score moves as the remediation work moves, which is the behavior you want from a metric that drives prioritization.

The Criticality Factor

The second input is the asset’s criticality, and this is where the formula stops treating every machine the same. Criticality is an attribute you set on the asset, and it maps to a multiplier:

  • Critical asset: 2.0
  • High asset: 1.5
  • Medium asset: 1.0
  • Low asset: 0.5

A medium-criticality asset is the neutral case at 1.0, so it neither inflates nor discounts its base. A critical asset doubles its base. A low-criticality asset halves it. This is the mechanism that lets the same vulnerability rank differently depending on where it lives.

Take a high-severity finding worth 7 in the base. On a critical asset the factor is 2.0, so that single finding contributes 14 to the score. On a low-criticality test box the factor is 0.5, so the same finding contributes 3.5. The vulnerability is identical. The risk is not, because the consequence of compromise is not, and the criticality factor encodes that difference directly. This is what turns a flat severity sum into a risk-based asset prioritization that respects the shape of your environment.

The practical effect is that your most important systems float to the top of the ranking even when their raw finding counts are modest, and disposable infrastructure sinks even when it is noisy. That is the behavior a security lead wants when they open the list to decide where the team spends the week.

The SLA Breach Multiplier

The third input is a flat multiplier that fires when the asset has at least one finding past its SLA deadline:

× 1.25  (if sla_breaches > 0)

It is a binary switch, not a sliding scale. The moment an asset accumulates even one SLA breach, its score gets multiplied by 1.25, a 25 percent uplift on top of everything else. An asset with zero breaches gets a factor of 1.0 from this term and is unaffected.

The reasoning is about time, not severity. A finding that has blown its remediation deadline is a different kind of risk from one that is simply open and on schedule. It signals that the normal remediation process did not work for that asset, whether through capacity, ownership gaps, or sheer difficulty. The multiplier pushes those assets up the ranking so they get attention before the backlog grows. It deliberately does not scale with the number of breaches, because the point is to flag the condition of being late, not to reward an asset that is many times late with an ever-larger number. One breach is enough to change the asset’s posture.

This is also why the score is dynamic. Close the breached finding or bring it back inside its deadline and the multiplier drops away on the next computation, pulling the asset back down to where its base and criticality say it belongs.

The Exposure Multiplier for External Assets

The fourth and final input is an exposure multiplier tied to whether the asset is internal:

× 1.20  (if not internal)

PMAP carries an is_internal flag on every asset. When an asset is not internal, meaning it is internet-facing or otherwise externally reachable, the formula multiplies its score by 1.20. Internal assets get a factor of 1.0 from this term.

The 20 percent uplift reflects a basic truth of attack surface. A vulnerability reachable from the public internet is exploitable by a much larger population of attackers than the same vulnerability sitting behind the perimeter. Exposure expands the set of people who can reach the flaw, and that expansion is itself a risk amplifier independent of the vulnerability’s technical severity. So the same critical finding on an external web server scores higher than on an internal jump host, because more of the world can knock on its door.

Like the SLA term, this is a flat switch rather than a gradient. The asset is either externally exposed or it is not, and the multiplier reflects that binary reality. The internal versus external exposure factor is one of the cleanest tuning signals in the formula, and we return to it in the tuning section, because keeping the is_internal flag accurate is one of the highest-leverage things you can do for ranking quality.

Putting It Together: score = base × factor

The formula reads cleanly once you have seen each piece. The base is a severity-weighted sum of open findings. The factor is criticality times an optional SLA uplift times an optional exposure uplift. The score is base times factor. Three multipliers compound, so the factor can range from 0.5 for an internal, in-SLA, low-criticality asset all the way up to 3.0 for an external, breached, critical asset.

Work a full example. An external, critical-criticality web server has one critical finding, two high findings, and three medium findings, and one of those findings has breached SLA.

First the base:

critical: 1 × 10 = 10
high:     2 × 7  = 14
medium:   3 × 4  = 12
base = 10 + 14 + 12 = 36

Then the factor:

criticality (critical): 2.0
SLA breach present:      × 1.25
external (not internal): × 1.20
factor = 2.0 × 1.25 × 1.20 = 3.0

Then the score:

score = 36 × 3.0 = 108

Now change one attribute and watch the score move. If that same asset were internal instead of external, the factor drops to 2.5 and the score falls to 90. If it also had no SLA breach, the factor drops to 2.0 and the score falls to 72. If it were medium-criticality on top of that, the factor drops to 1.0 and the score lands at 36, equal to its raw base. The arithmetic is fully traceable, which is the whole point. An analyst who disagrees with a ranking can open the asset, read its findings and its three attributes, and see exactly why the number came out the way it did. That transparency is what makes the score defensible in a steering meeting.

Where Asset Criticality Comes From

The criticality factor is the single largest lever in the formula, so it is worth knowing where the value lives and how it gets set. Criticality is a first-class field on the asset, one of critical, high, medium, or low. It is not derived from findings or scans. It is a business judgment about how much the asset matters, and a human or an automated process sets it.

PMAP lets you set criticality when you create an asset, edit it later on the asset detail screen, or change it across many assets at once. The bulk update path is the important one for a real inventory, because criticality is most accurate when it is applied consistently to whole classes of assets. You can select every asset in a production database tier and set them all to critical in a single round-trip, rather than touching each record by hand. The same bulk operation that adds tags and toggles the active flag handles criticality, so reclassifying a fleet after an architecture review is a single action.

Getting criticality right is the highest-return investment you can make in score quality, because it is the only factor that ranges from 0.5 to 2.0, a four-fold swing. The SLA and exposure terms move a score by 25 and 20 percent. Criticality can multiply or halve it. An inventory where everything defaults to medium produces a ranking driven almost entirely by raw severity counts, which is barely better than counting findings. An inventory where criticality genuinely reflects business importance produces a ranking that puts your crown-jewel systems at the top regardless of finding volume.

Ranking: Full List vs Top-20 Shortlist

Once every asset carries a computed score, the analytics layer turns those scores into ranked lists. There are two views, served by two endpoints, and they answer two different questions.

The full ranking returns every in-scope asset with its computed risk score and severity breakdown. It is the exhaustive view, suitable for an asset risk table or a heatmap where you want the whole population sorted by exposure. You can filter it the same way you filter the asset inventory, then read the ranking within that filtered slice. Want the risk order of just your external production assets? Filter to that set and the ranking respects it.

The top-20 shortlist returns the twenty highest-scoring assets in descending order. This is the standing worklist. It answers “what should the team look at right now” without asking anyone to scroll a list of thousands. The shortlist is computed from the same formula and the same scores as the full list, so there is no separate logic to reconcile. The top 20 are simply the head of the full ranking, surfaced on their own so they do not get lost.

The two views complement each other. The shortlist drives daily and weekly prioritization. The full list supports deeper analysis, audit preparation, and any case where you need to see beyond the top of the stack. Both are read-only aggregates. Nothing about ranking writes back to the asset, so opening the ranking never mutates the inventory.

How Company Risk Rolls Up From Asset Scores

Asset scores do not stop at the asset. The same risk calculation rolls up to the company level so an executive can compare business units or subsidiaries without drilling into individual machines.

The per-company risk view aggregates the assets under each company and reports its open finding count, its severity breakdown, the average risk score across its assets, and the name of its single highest-risk asset. The average gives you the company’s overall posture in one number. The highest-risk-asset callout gives you the specific machine dragging that posture down, so the roll-up is both a summary and a pointer to the next action.

Because the company roll-up uses the very same computeRiskScore formula as the asset ranking, the numbers reconcile. A company’s average is the average of asset scores you can each open and verify. Its highest-risk asset is the top entry of that company’s slice of the full ranking. There is no parallel scoring scheme that might drift from the asset-level view, which means an executive dashboard number and the analyst’s asset list are always telling the same story. That consistency is what lets the same metric travel from the engineer’s screen to the board deck without translation, a theme the risk analytics and reporting pillar develops for program-level reporting.
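The formula, the worked example, the two ranking views and the company roll-up described above, as an added Python re-implementation that is not PMAP's own computeRiskScore code. The finding status and severity strings, the asset dictionary layout and the sample inventory are assumptions constructed for the example; only the weights, multipliers and the risk_score, criticality, is_internal and sla_breaches concepts come from the article.

```python
from collections import defaultdict

# Severity weights and criticality multipliers exactly as the article states them.
SEVERITY_WEIGHTS = {"urgent": 12, "critical": 10, "high": 7, "medium": 4, "low": 1}
CRITICALITY_FACTORS = {"critical": 2.0, "high": 1.5, "medium": 1.0, "low": 0.5}
# Assumed status vocabulary: closed, accepted-risk and false-positive drop out of the base.
ACTIVE_STATUSES = {"open"}


def compute_risk_score(asset):
    """Re-implementation of the article's formula: score = base * factor."""
    active = [f for f in asset["findings"] if f["status"] in ACTIVE_STATUSES]
    # Informational findings have no entry in SEVERITY_WEIGHTS, so .get(..., 0) ignores them.
    base = sum(SEVERITY_WEIGHTS.get(f["severity"], 0) for f in active)
    factor = CRITICALITY_FACTORS[asset["criticality"]]
    sla_breaches = sum(1 for f in active if f.get("sla_breached", False))
    if sla_breaches > 0:
        factor *= 1.25  # flat switch: one breach is enough, more do not add
    if not asset["is_internal"]:
        factor *= 1.20  # externally reachable
    return base * factor


def rank_assets(assets):
    """Full ranking: every asset with its computed score, highest first."""
    scored = [(asset["name"], compute_risk_score(asset)) for asset in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def top_n(assets, n=20):
    """The shortlist is simply the head of the full ranking, same formula."""
    return rank_assets(assets)[:n]


def company_rollup(assets):
    """Per-company average score and highest-risk asset, from the same asset scores."""
    by_company = defaultdict(list)
    for asset in assets:
        by_company[asset["company"]].append((asset["name"], compute_risk_score(asset)))
    rollup = {}
    for company, scored in by_company.items():
        average = sum(score for _, score in scored) / len(scored)
        worst = max(scored, key=lambda pair: pair[1])[0]
        rollup[company] = {"average_risk": average, "highest_risk_asset": worst}
    return rollup


def finding(severity, status="open", sla_breached=False):
    return {"severity": severity, "status": status, "sla_breached": sla_breached}


# Constructed sample inventory, not real data. "web-01" is the article's worked example:
# external, critical, one critical + two high + three medium, one SLA breach -> 108.
SAMPLE_ASSETS = [
    {"name": "web-01", "company": "Retail", "criticality": "critical", "is_internal": False,
     "findings": [finding("critical", sla_breached=True), finding("high"), finding("high"),
                  finding("medium"), finding("medium"), finding("medium")]},
    # Eleven lows on a medium internal box: base 11, still below a single urgent.
    {"name": "test-07", "company": "Retail", "criticality": "medium", "is_internal": True,
     "findings": [finding("low") for _ in range(11)]},
    # One urgent finding; the closed critical and the informational carry no weight.
    {"name": "dc-01", "company": "Corp", "criticality": "high", "is_internal": True,
     "findings": [finding("urgent"), finding("critical", status="closed"),
                  finding("informational")]},
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{name:8} {score:6.1f}")
    print(company_rollup(SAMPLE_ASSETS))
```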

Why Project Risk Uses a Simpler Score

Project risk is scored too, but with a deliberately simpler formula, and the difference is instructive.

A project’s risk score is just the severity-weighted base:

score = urgent×12 + critical×10 + high×7 + medium×4 + low×1

There is no criticality factor, no SLA multiplier, and no exposure multiplier. The reason is structural rather than arbitrary. Those three multipliers are asset attributes. An asset has a criticality, an is_internal flag, and SLA timers on its findings. A project does not carry those attributes, so there is nothing to multiply by. Applying a criticality factor to a project would mean inventing a criticality value that the project model does not have.

So the project score uses the part of the formula that genuinely applies, the severity-weighted finding sum, and stops there. This is a good illustration of a principle worth carrying into any scoring design. A score should only use inputs that the thing being scored actually possesses. Borrowing multipliers that do not belong would produce a number that looks precise but means nothing. The simpler project score is honest about what it measures, which is the severity-weighted sum of a project’s open findings.

Tuning Levers: Criticality, Exposure and SLA Posture

The formula’s weights are fixed. You do not change the 12 for urgent or the 2.0 for critical criticality. What you tune instead are the inputs you feed the formula, and there are exactly three of them. Tuning a risk score in PMAP means improving the accuracy of these inputs, not editing the arithmetic.

The first and most powerful lever is criticality. Because it ranges from 0.5 to 2.0, accurate criticality has more effect on ranking than any other single input. The tuning work here is classification discipline. Decide what makes an asset critical, high, medium, or low in your environment, then apply those labels consistently across the inventory, using bulk updates to keep whole tiers aligned. Revisit the classification when the environment changes. A score is only as good as the criticality data behind it.

The second lever is exposure, the is_internal flag. The 20 percent external uplift only helps if the flag is right. An external asset mislabeled as internal loses its uplift and ranks too low. An internal asset mislabeled as external gets an undeserved boost and crowds out genuinely exposed systems. Keeping the internal versus external designation accurate, especially as assets move in and out of internet-facing roles, directly improves the quality of the top of the ranking, which is where attention is most concentrated.

The third lever is SLA posture, and unlike the other two it is not a label you set so much as a condition you manage. The SLA multiplier fires automatically whenever an asset has a breached finding. You do not tune it by editing a field. You tune it by managing your remediation timelines. An organization with tight, well-staffed SLAs will see the multiplier fire on genuinely neglected assets, where it adds real signal. An organization with breaches everywhere will see the multiplier fire constantly, where it adds noise. The lever here is operational. Keep breaches rare and the multiplier stays meaningful.

Taken together these three inputs are the entire tuning surface. The arithmetic is constant, so the score’s behavior is predictable, and the work of making the ranking match your environment is the work of keeping criticality, exposure, and SLA posture accurate. That is a more durable approach than tunable weights, because a fixed formula fed clean data produces a ranking you can explain and defend every time someone asks why an asset is where it is.

How PMAP Ranks the Assets That Matter Most

Pulling the threads together, the asset risk score exists to answer one question: of everything in the inventory, what carries the most risk right now. PMAP answers it with a transparent calculation rather than an opaque model.

Every open finding contributes a severity weight to the base. The base is multiplied by the asset’s criticality, lifted by 25 percent if any finding has breached SLA, and lifted by 20 percent if the asset is externally exposed. The result is one comparable number per asset. Those numbers feed a full ranked list, a top-20 shortlist for the standing worklist, and a company roll-up that reports each business unit’s average score and worst asset. Projects get a simpler severity-weighted score because they lack the asset attributes the multipliers need.

Nothing in the calculation is hidden, which is what makes it useful in practice. An analyst can reconstruct any score by hand. A security lead can explain to an executive why one asset outranks another. And the three tuning levers, criticality, exposure, and SLA posture, give you direct, understandable control over how the ranking reflects your environment without ever touching the math. That combination of a fixed, explainable formula and well-maintained inputs is what turns a scanner’s finding pile into a worklist a team will actually trust.

For the operational side of building and maintaining the inventory that feeds these scores, including bulk import and enrichment, see the related coverage on asset inventory management. To see how scored assets flow into remediation priority and program reporting, the risk analytics and reporting pillar carries the story forward.

Frequently Asked Questions

How is an asset risk score calculated in PMAP?

The score is a severity-weighted base multiplied by an asset factor. The base sums open findings with weights of urgent 12, critical 10, high 7, medium 4, and low 1. The factor is the asset’s criticality multiplier (critical 2.0, high 1.5, medium 1.0, low 0.5), multiplied by 1.25 if the asset has any SLA breach, and multiplied by 1.20 if the asset is not internal. The final score is base times factor.

Do informational findings affect the risk score?

No. The base sum only weights urgent, critical, high, medium, and low findings. Informational findings are tracked for completeness, but they carry no weight in the score, so they do not change an asset’s ranking.

Why does the same vulnerability score differently on two assets?

Because the factor differs. A high-severity finding worth 7 in the base contributes 14 on a critical-criticality asset (factor 2.0) but only 3.5 on a low-criticality asset (factor 0.5). The SLA and exposure multipliers add further differences. The vulnerability is identical, but the asset’s importance, remediation status, and exposure change how much risk it represents.

What can I actually tune about the risk score?

You tune the three inputs, not the weights. The weights such as urgent 12 and critical 2.0 are fixed. What you control is the asset’s criticality classification, its internal versus external exposure flag, and your SLA posture, since the SLA multiplier fires automatically on breached findings. Keeping those three inputs accurate is how you make the ranking reflect your environment.

How does company risk relate to asset risk?

Company risk is rolled up from asset scores using the same formula. The per-company view reports each company’s average asset risk score and the name of its single highest-risk asset. Because both use the identical calculation, the company average reconciles with the asset scores beneath it, so dashboard numbers and the asset list always agree.

Why is the project risk score simpler than the asset score?

A project does not carry criticality, an exposure flag, or SLA timers, so there is nothing for those multipliers to act on. The project score therefore uses only the severity-weighted base, summing urgent, critical, high, medium, and low findings without any factor. It measures the weighted volume of a project’s open findings honestly, using only inputs the project actually has.

How do I see the highest-risk assets quickly?

Use the top-20 shortlist. It returns the twenty highest-scoring assets in descending order, computed from the same formula as the full ranking. It gives a team a standing worklist without scrolling thousands of rows. The full ranked list remains available for deeper analysis, audit preparation, or any case where you need to look beyond the top of the stack.
