Learn more about the TruRisk score for managed, unmanaged, and externally exposed unmanaged assets. The TruRisk score helps you prioritize the assets you should consider for VMDR activation.
The TruRisk score for assets is calculated based on the Asset Criticality Score (ACS), Qualys Detection Score (QDS) assigned to vulnerabilities, open ports, EOS software, Missing Required Software, and Unauthorized Software.
Complete the following steps to see the TruRisk formula and other required details. Managed assets are used in this example.
1. Go to the Inventory tab and click Managed.
Note: Turn the CSAM EASM toggle to view EASM or CSAM assets as per your requirement.
2. Click the info icon from the TruRisk SCORE column. For more information, see
The TruRisk Score for the EASM assets is calculated based on Asset Criticality Score (ACS), Qualys Vulnerability Score (QVS), Qualys Detection Score (QDS) assigned to open ports, EOS software, Missing Required Software, and Unauthorized Software.
Note:
- The TruRisk Score for externally exposed unmanaged assets is weighted 20% more than the managed assets.
- The QVS is calculated based on vulnerabilities that are reported by Shodan.
Complete the following steps to see the TruRisk formula and other required details:
1. Go to the Inventory tab, turn the CSAM EASM toggle to view EASM assets, and click Unmanaged assets.
2. Click the info icon from the TruRisk SCORE column.
Learn more about the TruRisk score formula for assets and its contributing factors.
What is TruRisk Score?
This is the overall risk score assigned to the asset based on the following contributing factors:
a. Asset Criticality Score (ACS)
b. Risk (QDS) scores for each severity level (Critical [C], High [H], Medium [M], Low [L])
c. Auto-assigned weighting factor (w) for each severity level of QIDs
Formula to calculate the TruRisk Score:
TruRisk Score = MIN( ACS * (
    wc * Avg(QDSc) * np.power(Count(QDSc), 1/100)
  + wh * Avg(QDSh) * np.power(Count(QDSh), 1/100)
  + wm * Avg(QDSm) * np.power(Count(QDSm), 1/100)
  + wl * Avg(QDSl) * np.power(Count(QDSl), 1/100)
), 1000)
Where, w - weighting factor for each severity level of QIDs
Avg(QDS) - Average of Qualys detection score for each severity level of QIDs
If an asset doesn't have a critical vulnerability, the next available QDS will be used to calculate the TruRisk Score.
For more information, see Calculating TruRisk Score.
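The formula above, written out as an added Python example (not Qualys code). The weights in DEMO_WEIGHTS, the sample ACS and QDS values, and the treatment of a severity level with no detections as a zero term are assumptions, because the page does not give values for them.

```python
# Added example: the TruRisk formula from this page in plain Python.
# DEMO_WEIGHTS are constructed placeholders; the page says the real
# weights are auto-assigned and does not list their values.
DEMO_WEIGHTS = {"C": 1.0, "H": 0.6, "M": 0.3, "L": 0.1}
SCORE_CAP = 1000  # upper bound from MIN(..., 1000)


def severity_term(weight, qds_scores):
    """w * Avg(QDS) * Count(QDS)^(1/100) for one severity level."""
    if not qds_scores:
        # Assumption: a level with no detections contributes nothing,
        # so the remaining levels determine the score.
        return 0.0
    average = sum(qds_scores) / len(qds_scores)
    # The 1/100 exponent dampens the count: 100 findings scale the
    # term by only 100 ** 0.01, about 1.047.
    return weight * average * len(qds_scores) ** (1 / 100)


def trurisk_score(acs, qds_by_severity, weights=DEMO_WEIGHTS):
    """MIN(ACS * sum of the severity terms, 1000)."""
    unknown = set(qds_by_severity) - set(weights)
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    total = sum(
        severity_term(weight, qds_by_severity.get(level, []))
        for level, weight in weights.items()
    )
    return min(acs * total, SCORE_CAP)


if __name__ == "__main__":
    # Constructed sample assets: name -> (ACS, QDS values per severity).
    assets = {
        "one critical": (5, {"C": [95]}),
        "hundred criticals": (5, {"C": [95] * 100}),
        "no critical, one high": (3, {"H": [80]}),
        "hits the cap": (5, {"C": [100, 100], "H": [100, 100],
                             "M": [100], "L": [100]}),
    }
    for name, (acs, qds) in assets.items():
        print(f"{name}: {trurisk_score(acs, qds):.1f}")
```

With these placeholder weights, going from one critical detection to a hundred at the same QDS moves the score by only a few percent, so the average QDS and the ACS dominate the result.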