Qualys TruRisk™ Score
The Qualys TruRisk™ score is a numerical value (0–1000) that quantifies the overall security risk of an asset by combining vulnerability severity (Qualys Detection Score - QDS), threat intelligence (exploitability, ransomware, malware), and asset criticality. It prioritizes remediation by focusing on vulnerabilities that pose the highest actual risk to the organization.
The TruRisk™ score is primarily calculated using the following metrics:
- Asset Criticality Score (ACS): A value from 1 to 5 that represents the business importance of an asset. Higher scores are given to critical systems like production databases or internet-facing servers. For more information, refer to Asset Criticality Score (ACS).
- Qualys Detection Score (QDS): A score from 1 to 100 assigned to individual vulnerabilities (or QIDs). It is derived from CVSS but influenced by real-time threat indicators (RTIs), such as whether a vulnerability is being actively exploited in the wild, mentioned on the dark web, or part of the CISA KEV catalog.
- Asset Risk Score (ARS): The overall TruRisk score for an asset, ranging from 0 to 1000. It aggregates all QDS values on a specific asset and weighs them against its ACS.
For more detailed information on TruRisk™ Score, refer to VMDR Online Help.
TruRisk™ Scoring Range
TruRisk™ Score is categorized as follows based on the calculated score between 0 and 1000.
- Severe (850–1000): Critical assets with multiple high-severity, exploitable vulnerabilities.
- High (700–849): High-value assets with multiple vulnerabilities or internet exposure.
- Medium (500–699): Moderate-value assets with critical or high vulnerabilities.
- Low (0–499): Low-value assets or those with fewer, lower-risk vulnerabilities.
TruRisk™ Score in CSAM
The Inventory > Assets tab gives you asset information with the TruRisk™ score assigned to the asset.

Apart from the vulnerabilities detected, CSAM extends TruRisk by adding additional detections, including end-of-life & end-of-support (EoS) software, unauthorized software, unauthorized ports, and missing required software.
Important to Know
- CSAM Trial or Paid user with VMDR enabled
Vulnerabilities detected by VMDR, together with CSAM-specific TruRisk™ contributing factors, are used to calculate the risk contributors and generate the TruRisk™ Score.
- CSAM Trial or Paid user without VMDR enabled
The TruRisk™ Score is calculated solely based on CSAM risk-contributing factors, without vulnerability input from VMDR.
- Detection scoring
Each detection vector is assigned a Qualys Detection Score (QDS) on a standardized scale of 1–100. All CSAM detections are then aggregated to compute the overall TruRisk™ Score.
- End-of-support detection scoring
The EoS detection score is automatically calculated by correlating vulnerabilities with installed software and factoring in the duration for which the software has been unsupported.
- Unauthorized ports and software
You can define which ports and software are considered unauthorized and assign their severity.
- Port rules configuration
Use the Port Rules tab to define authorized and unauthorized ports. Once configured, QDS scores are associated with unauthorized ports and included in TruRisk™ calculations.
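As an added illustration (not Qualys's own code), the following models the inputs described on this page: ACS 1–5, a QDS of 1–100 per detection, an ARS clamped to 0–1000, the severity bands from the scoring range, and the two cases from Important to Know (with and without VMDR). The aggregation weighting is an assumed stand-in for the formula documented in VMDR Online Help, and the findings are constructed sample data.

```python
from dataclasses import dataclass

# Scales stated on the page: ACS 1-5, QDS 1-100 per detection, ARS 0-1000.
ACS_MAX, QDS_MAX, ARS_MAX = 5, 100, 1000

# Severity bands from "TruRisk Scoring Range" (lower bound, label).
BANDS = [(850, "Severe"), (700, "High"), (500, "Medium"), (0, "Low")]

@dataclass(frozen=True)
class Detection:
    source: str  # "vmdr" for a vulnerability (QID) or "csam" for a CSAM factor
    kind: str    # e.g. "qid", "eos", "unauthorized_port", "unauthorized_software"
    qds: int     # Qualys Detection Score, 1-100

def band(ars: int) -> str:
    """Map an Asset Risk Score to its TruRisk band."""
    for floor, label in BANDS:
        if ars >= floor:
            return label
    raise ValueError(f"ARS out of range: {ars}")

def asset_risk_score(acs: int, detections: list, vmdr_enabled: bool) -> int:
    """Aggregate detections into an ARS (0-1000).

    ASSUMPTION: the weighting below is illustrative, not Qualys's formula.
    Without VMDR only CSAM factors contribute; with VMDR both sources do.
    The highest QDS carries full weight and each further detection adds a
    halving share, then the sum is scaled by ACS and clamped to ARS_MAX.
    """
    if not 1 <= acs <= ACS_MAX:
        raise ValueError("ACS must be 1-5")
    qds_values = sorted(
        (d.qds for d in detections if vmdr_enabled or d.source == "csam"),
        reverse=True,
    )
    if any(not 1 <= q <= QDS_MAX for q in qds_values):
        raise ValueError("QDS must be 1-100")
    weighted = sum(q * 0.5 ** i for i, q in enumerate(qds_values))
    return min(ARS_MAX, round(weighted / QDS_MAX * (acs / ACS_MAX) * ARS_MAX))

if __name__ == "__main__":
    # Constructed sample asset: one exploitable QID plus two CSAM findings.
    findings = [Detection("vmdr", "qid", 95), Detection("csam", "eos", 70),
                Detection("csam", "unauthorized_port", 40)]
    for enabled in (True, False):
        ars = asset_risk_score(3, findings, enabled)
        print(f"VMDR enabled={enabled}: ARS={ars} ({band(ars)})")
```

Running it shows the same asset landing in a lower band when VMDR vulnerability input is absent, which is the distinction the two Important to Know cases draw.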