Platform Level TruRisk™ v2 Formula for Tags and Business Entities
The Qualys TruRisk Score for an asset is calculated from the Asset Criticality Score (ACS) and the Qualys Detection Score (QDS) assigned to all findings (vulnerabilities and misconfigurations) from Qualys and third-party data sources.
Qualys introduced this approach to prioritize vulnerabilities, misconfigurations, assets, and groups of assets based on the actual risk they pose to the organization. This allows you to focus on the critical vulnerabilities, misconfigurations, assets, or groups of assets for priority remediation, resulting in maximum risk reduction for the business. The TruRisk Score considers multiple factors, and it is also available at the platform level (tags and business entities). The following sections describe the two TruRisk formulas being offered:
- TruRisk v1 Formula (Average-based Tag-Level Risk Scoring)
- TruRisk v2 Formula (Risk-Aware Tag-Level Risk Scoring)
TruRisk v1 Formula (Average-based Tag-Level Risk Scoring)
The TruRisk Score is a core metric used to measure the overall risk posture of assets grouped under a specific tag. In the v1 scoring model, the score is calculated using an average-based formula that takes into account the TruRisk Scores of all assets under one tag.
This method offers a simple way to aggregate asset-level scores into a tag-level score, but in some scenarios, it may not accurately represent the true risk level, especially when critical and low-risk assets are mixed.
Key Principles of TruRisk Formula v1
The formula is based on the following principles:
- Simplicity
Easy to calculate and understand.
- Uniform Weighting
All assets contribute equally to the final score, regardless of their severity.
- No Risk Bias
The formula does not prioritize higher-risk assets over lower-risk ones.
TruRisk Formula v1
The v1 tag-level score is calculated as:
Tag TruRisk = Σ(Asset TruRisk) / Number of Assets
Where:
Asset TruRisk: TruRisk score assigned to an individual asset based on its vulnerabilities and misconfigurations
Number of Assets: Total assets under the tag
Example Calculation
Let us say we have a Business Entity (BE) tag containing three assets:
Asset 1 TruRisk: 1000, Asset 2 TruRisk: 400, Asset 3 TruRisk: 100
Step 1: Sum the TruRisk scores of all assets in the tag
Total TruRisk = 1000 + 400 + 100 = 1500
Step 2: Divide the total by the number of assets (3) to get the average TruRisk score for the tag
Tag TruRisk = 1500 / 3 = 500
The TruRisk Score for the tag is 500.
Limitations of TruRisk Formula v1
The average-based method is simple, but it comes with some important problems:
- Risk Dilution
A few critical assets can be outweighed by a large number of low-risk assets, lowering the overall score.
Example: A tag with 10 critical assets and 100 low-risk assets can still show a medium or low score.
- Counterintuitive Score Changes
Adding a high-risk asset may lower the score if more low-risk assets exist in the tag.
Fixing a minor issue can sometimes increase the score.
- False Sense of Security
The score may under-represent actual exposure, leading to misplaced confidence.
- Limited Explainability
It’s not always clear to stakeholders why the score changes, as all assets are treated equally.
When to Use TruRisk Formula v1
The v1 formula works well for:
- Simple reporting needs where equal weighting across assets is acceptable.
- Environments with uniform asset risk distribution.
- Preliminary scoring before applying advanced weighting or risk-sensitive methods.
Transition to TruRisk Formula v2
To address the limitations of v1, Qualys has introduced TruRisk v2, a more risk-aware and transparent scoring model that gives greater weight to critical assets and ensures score changes align with changes in actual risk.
Refer to the TruRisk v2 Formula section below for details on the new methodology.
TruRisk v2 Formula (Risk-Aware Tag-Level Risk Scoring)
The TruRisk v2 scoring model is designed to address the limitations of the v1 (average-based) approach.
Unlike v1, which treats all assets equally, v2 is risk-aware, giving more weight to high-risk assets so that the overall score reflects actual exposure more accurately.
With v2, any change in asset risk, whether it rises or falls, has a direct influence on the tag-level score in a consistent and understandable way.
Key Principles of TruRisk Formula v2
While the exact mathematical formula is proprietary, the TruRisk Formula v2 model follows these principles:
- Risk Sensitivity
Adding any risk element increases the score, however small.
Fixing any risk element decreases the score, however small.
- Weighted Impact
Critical and high-risk assets have a greater influence on the score than medium- or low-risk assets.
A tag containing a few critical assets and many low-risk assets will still show a high score, reflecting actual exposure.
- Explainability
Score changes are intuitive and can be traced back to specific risk additions or mitigations.
When to Use TruRisk Formula v2
The TruRisk Formula v2 is ideal for:
- Environments with mixed-risk assets where critical risks must be clearly highlighted.
- Organizations that need accurate, explainable, and risk-sensitive scoring.
- Executive reporting where true exposure visibility is critical for decision-making.
The TruRisk v2 formula is available on request. Contact Qualys Support to enable this feature for your subscription.
TruRisk Formula v2
The tag-level score is calculated as:
TruRisk = [MaxARS × g(MaxARS)] + [numCriticalARS × WtCritical] + [numHighARS × WtHigh] + [numMediumARS × WtMed] + [numLowARS × WtLow]
Where:
- MaxARS: Highest Asset Risk Score (ARS) in scope
- g(MaxARS): Scaling factor applied to MaxARS, determined by the range MaxARS falls in (see the table below)
- numCriticalARS: Number of critical ARS in scope (range 850 - 1000)
- numHighARS: Number of high ARS in scope (range 700 - 849)
- numMediumARS: Number of medium ARS in scope (range 500 - 699)
- numLowARS: Number of low ARS in scope (range 0 - 499)
- WtCritical, WtHigh, WtMed, WtLow: Weights assigned to each severity band (see the severity weight table below)
The g values and weights have default settings, but they can be customized for the user.
| ARS | g(MaxARS) |
|---|---|
| 850 - 1000 | 0.9 |
| 700 - 849 | 0.8 |
| 0 - 699 | 0.7 |
The following table lists the weight assigned to each severity band:
| Severity | Weight |
|---|---|
| Critical | 80 % |
| High | 15 % |
| Medium | 3 % |
| Low | 2 % |
Example Calculation
We have a tag with several assets and want to calculate its TruRisk score using the new Max ARS + Weighted Contributions formula.
Suppose the tag contains 10 critical assets (ARS 850) and 100 low-risk assets (ARS 400).
Step 1: Calculate the Base Score
- Max ARS (highest Asset Risk Score in the tag) = 850
- g(Max ARS) (scaling factor for the 850–1000 range) = 0.9
- Base Score = Max ARS × g(Max ARS) = 850 × 0.9 = 765
Step 2: Calculate the Weighted Sum of Asset Counts
- Number of critical assets = 10, weight = 0.8
- Number of low-risk assets = 100, weight = 0.02
- Weighted Sum = (10 × 0.8) + (100 × 0.02) = 8 + 2 = 10
Step 3: Calculate the Final TruRisk Score
Final Score = Base Score + Weighted Sum = 765 + 10 = 775
The TruRisk score for this tag is 775.
Comparison: TruRisk Formula v1 vs TruRisk Formula v2
The TruRisk Score is a unified metric that helps organizations understand their security risk posture at the tag level.
Over time, we have evolved our scoring methodology to provide a more accurate, risk-aware, and explainable measure of exposure.
This section compares the current v1 formula and the new v2 formula so you can understand the benefits of migrating.
| Aspect | TruRisk v1 (Average-Based) | TruRisk v2 (Risk-Aware) |
|---|---|---|
| Scoring Method | Simple average of asset scores within a tag | Weighted by asset severity (critical assets influence score more) |
| Risk Sensitivity | Score may not change intuitively when adding/fixing assets | Every risk addition increases score; every fix decreases score |
| Risk Visibility | Critical assets can be diluted by large volumes of low-risk assets | Critical risks remain prominent regardless of low-risk asset volume |
| Explainability | Basic; may give a false sense of security | Clear cause-effect relationship between asset changes and score |
If a tag contains 10 critical assets (each with a score of 850) and 100 low-risk assets (each with a score of 400), the v1 formula calculates the score as:
v1 Score = ((850 × 10) + (400 × 100)) / 110 = (8,500 + 40,000) / 110 = 48,500 / 110 = 440.91 ≈ 440
Result TruRisk Formula v1: 440
However, using the TruRisk Formula v2 for the same data, the calculated score is 775.
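To make the v1 and v2 behaviour described above concrete, here is an added example (not Qualys code) that implements both tag-level formulas with the document's default g bands and severity weights, scores the 10-critical/100-low tag from the worked example, and then shows the dilution effect: adding one low-risk asset lowers the v1 average but raises the v2 score. Asset scores are assumed to be integer ARS values in the 0-1000 range; the severity thresholds and weights come from the tables above, and any tag-specific customisation of g or weights is out of scope.

```python
# Default g(MaxARS) bands (inclusive ranges) and severity weights from the document.
G_BANDS = [(850, 1000, 0.9), (700, 849, 0.8), (0, 699, 0.7)]
WEIGHTS = {"critical": 0.80, "high": 0.15, "medium": 0.03, "low": 0.02}


def severity(ars: int) -> str:
    """Map an Asset Risk Score to its severity band (critical/high/medium/low)."""
    if ars >= 850:
        return "critical"
    if ars >= 700:
        return "high"
    if ars >= 500:
        return "medium"
    return "low"


def g_factor(max_ars: int) -> float:
    """Return the scaling factor for the band that MaxARS falls in."""
    for lo, hi, g in G_BANDS:
        if lo <= max_ars <= hi:
            return g
    raise ValueError(f"ARS out of range: {max_ars}")


def trurisk_v1(ars_list):
    """v1: plain average of the asset TruRisk scores under the tag."""
    if not ars_list:
        return 0.0
    return sum(ars_list) / len(ars_list)


def trurisk_v2(ars_list, weights=WEIGHTS):
    """v2: MaxARS x g(MaxARS) plus severity-weighted asset counts."""
    if not ars_list:
        return 0.0
    max_ars = max(ars_list)
    counts = {band: 0 for band in weights}
    for ars in ars_list:
        counts[severity(ars)] += 1
    base = max_ars * g_factor(max_ars)
    weighted = sum(counts[band] * weights[band] for band in weights)
    return base + weighted


# Constructed tag matching the document's example: 10 critical (850), 100 low (400).
EXAMPLE_TAG = [850] * 10 + [400] * 100

if __name__ == "__main__":
    print("v1:", round(trurisk_v1(EXAMPLE_TAG), 2), "v2:", trurisk_v2(EXAMPLE_TAG))
    diluted = EXAMPLE_TAG + [100]  # one more low-risk asset joins the tag
    print("after adding a low-risk asset -> v1:", round(trurisk_v1(diluted), 2),
          "v2:", round(trurisk_v2(diluted), 2))
```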
The following table shows a set of sample cases scored with both TruRisk Formula v1 and TruRisk Formula v2:
| maxARS | numCritical | numHigh | numMedium | numLow | No of assets | gMaxARS | v1 TruRiskScore | v2 TruRiskScore |
|---|---|---|---|---|---|---|---|---|
| 656 | 25 | 9 | 108 | 17 | 17 | 0.7 | 485 | 220 |
| 528 | 214 | 73 | 989 | 325 | 176 | 0.7 | 588 | 141 |
| 504 | 11 | 21 | 185 | 459 | 10 | 0.7 | 380 | 324 |
| 652 | 104 | 1069 | 4340 | 2542 | 8 | 0.7 | 881 | 550 |
| 795 | 59 | 178 | 3530 | 3811 | 7 | 0.8 | 893 | 600 |
| 1000 | 866 | 592 | 2760 | 11325 | 4 | 0.9 | 1991 | 868 |
| 787 | 53 | 56 | 1571 | 3626 | 2 | 0.8 | 801 | 687 |
| 504 | 7 | 18 | 142 | 414 | 5 | 0.7 | 374 | 301 |
| 787 | 52 | 53 | 1567 | 3624 | 1 | 0.8 | 799 | 787 |
| 787 | 53 | 56 | 1571 | 3626 | 2 | 0.8 | 801 | 687 |