TruRisk™ Score in the Qualys Ecosystem

The TruRisk™ Score provides a contextual measure of cyber risk for each vulnerability and asset. It combines vulnerability severity, exploit likelihood, threat intelligence, and asset importance to help prioritize what truly matters to your organization.

Within VMDR, TruRisk™ combines the following inputs to calculate risk:

  • Vulnerability data from detections (QIDs) across your assets.
  • Threat intelligence from over 25 global sources, covering exploit activity, malware associations, ransomware use, and known threat campaigns.
  • Asset context, including criticality and exposure within your environment.

These factors are continuously evaluated to calculate a TruRisk™ Score (0–1000) that reflects both technical and business impact.
Higher scores indicate greater risk based on real-time exploitability and the importance of the affected asset.

By correlating vulnerability data with live threat indicators and asset context, TruRisk™ enables teams to prioritize vulnerabilities with the highest potential impact on business operations, thereby transitioning from traditional severity-based management to risk-based decision-making.

Interpreting Qualys TruRisk™ Scores

The following table lists the scores that can be queried individually for insights via our dedicated API endpoint. 

QDS/QVS Range   Description
>95             Vulnerability detected by Qualys with a CVSS rating of Critical, High, or Medium AND functional exploit code available AND exploit code actively leveraged by threat actors, malware, and ransomware groups to compromise systems AND trending in the wild and on the dark web;
                OR high likelihood of exploitation in the next 30 days (EPSS);
                OR evidence of exploitation in the wild.
90-95           Vulnerability detected by Qualys with a CVSS rating of Critical, High, or Medium AND functional exploit code available AND exploit code actively leveraged by threat actors, malware, and ransomware groups to compromise systems;
                OR evidence of exploitation in the wild;
                OR high likelihood of exploitation in the next 30 days (EPSS).
70-89           Vulnerability detected by Qualys with a CVSS rating of Critical, High, or Medium AND functional exploit code available, with no evidence of exploitation;
                OR CVSS rating of Critical, High, or Medium with evidence of exploitation, and mitigation in place.
60-69           Vulnerability detected by Qualys with a CVSS Critical rating AND a Proof of Concept (PoC) exploit available.
50-59           Vulnerability detected by Qualys with a CVSS High rating AND a PoC exploit available.
40-49           Vulnerability detected by Qualys with a CVSS Critical or High rating AND no exploit available.
1-39            Vulnerability detected by Qualys with a CVSS Critical, High, or Medium rating AND a low risk of exploitation.

Understanding Your TruRisk™ Score

TruRisk™ Score is the overall risk score assigned to the asset based on the following contributing factors:

  • Asset Criticality Score (ACS)
  • Asset's Exposure
  • Qualys Detection Score (QDS) scores for each QID level
  • Auto-assigned weighting factor (w) for each criticality level of QIDs

The Qualys TruRisk™ Score quantifies asset risk using a comprehensive formula that combines asset criticality, vulnerability severity, and external exposure factors.

TruRisk™ Range   Severity   Description
850-1000         Critical   Critical assets with multiple critical or high vulnerabilities
700-849          High       High-value asset with multiple critical or high vulnerabilities, or exposed to the internet
500-699          Medium     Moderate-value assets with critical or high vulnerabilities
0-499            Low        Low-value asset with multiple vulnerabilities

Core Formula Components

Basic TruRisk™ Formula Structure

TruRisk Score = ACS Score * [wc * Avg(QDS for Critical Vuln) * f(Critical vuln count) +
                             wh * Avg(QDS for High Vuln) * f(High vuln count) +
                             wm * Avg(QDS for Medium Vuln) * f(Medium vuln count) +
                             wl * Avg(QDS for Low Vuln) * f(Low vuln count)] * I(External)

where,

  • ACS: Asset Criticality Score
  • w: Weighing factors fine-tuned by Qualys TruRisk™ algorithm for each severity level [critical(c), high(h), medium(m), low(l)]
  • f(): Non-linear function that increases exponentially as the number of vulnerabilities increases
  • I(External): Factor for external-facing assets or assets discoverable by Shodan, which increases the score appropriately

TruRisk™ Formula for Managed Assets

The TruRisk™ formula for managed assets takes the number of vulnerabilities into account; assets with more vulnerabilities receive a higher score. The TruRisk™ formula for managed assets has the following features:

  • The weighing factor (w) is based on the severity of the vulnerability.
  • The maximum risk score is capped at 1000.
  • The formula takes the asset's External tags into account.
  • For an external asset, the entire TruRisk™ Score value is multiplied by 1.2.

TruRisk Score = MIN(ACS * (wc * Avg(QDSc) * np.power(Count(QDSc), 1/100) +
                           wh * Avg(QDSh) * np.power(Count(QDSh), 1/100) +
                           wm * Avg(QDSm) * np.power(Count(QDSm), 1/100) +
                           wl * Avg(QDSl) * np.power(Count(QDSl), 1/100)), 1000)

where,

ACS - Asset Criticality Score.

w - weighing factor for each severity level of QIDs [critical(c), high(h), medium(m), low(l)]

Avg(QDS) - average of the Qualys Detection Score for each severity level of QIDs

Count(QDS) - number of detections at each severity level of QIDs

np.power(Count(QDS), 1/100) - the detection count raised to the constant exponent 0.01 (1/100), so the count term grows slowly with the number of detections

For TruRisk™ Formula for unmanaged assets, see Externally Exposed Unmanaged Assets.

Alternative Formula Version

There is also another version of the TruRisk™ calculation formula for calculating the TruRisk™ Score of managed and unmanaged assets. Instead of using average values of critical, high, medium, and low detections, this formula uses the maximum detection value and detection count across these categories.

This formula is not available by default. Contact Qualys Support if you would like to activate it for your subscription.

TruRisk™ Formula Use Case

TruRisk™ Formula

ACS * External * [wc * Avg(QDSc) * func(count(QDSc)) +
                  wh * Avg(QDSh) * func(count(QDSh)) +
                  wm * Avg(QDSm) * func(count(QDSm)) +
                  wl * Avg(QDSl) * func(count(QDSl))]

Business Impact Considerations

The TruRisk™ Score calculation uses averages of critical, high, medium, and low detections. However, using averages has inherent implications: if a lower-score detection is fixed in the critical bucket, the average score increases even though risk was actually reduced. This design ensures that the formula reflects the overall risk landscape of an asset rather than being skewed by individual vulnerability fixes.
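The following Python example is added here to make the managed-asset formula and the two points above concrete: the averaging caveat in this section, and the average-versus-maximum contrast with the alternative formula described under "Alternative Formula Version". It is not Qualys code. The severity weights wc, wh, wm and wl are placeholders (the page does not publish Qualys' tuned values), so the scores it produces for the two use-case assets will not match the page's 1000 and 518 exactly; it also assumes the 1.2 external multiplier is applied before the 1000 cap, which the page does not state.

```python
from statistics import mean

# Hypothetical severity weights: the page does not give Qualys' tuned values
# for wc, wh, wm and wl, so these are placeholders for illustration only.
WEIGHTS = {"critical": 1.0, "high": 0.6, "medium": 0.3, "low": 0.1}
EXTERNAL_MULTIPLIER = 1.2   # multiplier for external-facing assets, as stated on the page
MAX_SCORE = 1000            # cap stated on the page
COUNT_EXPONENT = 1 / 100    # exponent in np.power(Count(QDS), 1/100)


def count_factor(n: int) -> float:
    """The f(count) term: Count ** (1/100). An empty bucket contributes nothing."""
    return n ** COUNT_EXPONENT if n > 0 else 0.0


def severity_term(weight: float, qds_values: list, use_max: bool = False) -> float:
    """w * Avg(QDS) * f(count) for one severity bucket.

    With use_max=True the bucket's maximum QDS replaces the average, mirroring the
    page's description of the alternative formula (its exact semantics are not published).
    """
    if not qds_values:
        return 0.0
    aggregate = max(qds_values) if use_max else mean(qds_values)
    return weight * aggregate * count_factor(len(qds_values))


def trurisk_score(acs: int, buckets: dict, external: bool = False,
                  use_max: bool = False) -> float:
    """Managed-asset TruRisk score: MIN(ACS * sum of severity terms, 1000).

    buckets maps 'critical'/'high'/'medium'/'low' to a list of QDS values.
    Assumption: the 1.2 external multiplier is applied before the 1000 cap.
    """
    total = sum(severity_term(WEIGHTS[sev], buckets.get(sev, []), use_max)
                for sev in WEIGHTS)
    score = acs * total
    if external:
        score *= EXTERNAL_MULTIPLIER
    return min(score, MAX_SCORE)


def profile(count: int, avg_qds: float) -> list:
    """Expand a (count, average QDS) row from the page's tables into a bucket of values."""
    return [avg_qds] * count


# Constructed from the two use-case tables on the page (counts and average QDS).
ASSET_1 = {"critical": profile(2, 95), "high": profile(10, 84),
           "medium": profile(40, 65), "low": profile(30, 31)}
ASSET_2 = {"critical": profile(3, 95), "high": profile(0, 0),
           "medium": profile(50, 65), "low": profile(20, 30)}


def averaging_effect() -> tuple:
    """Illustrate the caveat: fixing the lower-scored of two critical detections
    raises the average-based score, while the max-based alternative does not."""
    before = {"critical": [95, 60]}   # constructed: two critical detections
    after = {"critical": [95]}        # the QDS 60 detection has been remediated
    avg_before, avg_after = trurisk_score(1, before), trurisk_score(1, after)
    max_before = trurisk_score(1, before, use_max=True)
    max_after = trurisk_score(1, after, use_max=True)
    return avg_before, avg_after, max_before, max_after


if __name__ == "__main__":
    print("Asset 1 (ACS 5, external):", round(trurisk_score(5, ASSET_1, external=True)))
    print("Asset 2 (ACS 4, internal):", round(trurisk_score(4, ASSET_2)))
    print("Averaging effect (avg before/after, max before/after):", averaging_effect())
```

Running the script shows Asset 1 hitting the 1000 cap once the 1.2 external multiplier is applied, and `averaging_effect()` returning a higher average-based score after the QDS 60 detection is removed (the critical average rises from 77.5 to 95), whereas the max-based variant falls slightly because only the count factor changes.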

Use Case Examples

Asset 1: Internet-Facing Asset

Asset Details

  • Asset Criticality Score: 5
  • External facing: Yes (multiplier 1.2)

Vulnerability Profile

Severity Count Average QDS
Critical 2 95
High 10 84
Medium 40 65
Low 30 31

Result: TruRisk Score = 1000

Contributing Factors

  • High Asset Criticality Score (5)
  • Average QDS scores across all severity levels
  • External asset weighing factor (1.2)

If the asset is external-facing, it is assigned a weight that is higher than that of internal assets. This increased weighting reflects its greater exposure and potential impact, as external-facing assets present significantly higher security risks if compromised.

Asset 2: Non-Internet-Facing Asset

Asset Details

  • Asset Criticality Score: 4
  • External facing: No (multiplier 1.0)

Vulnerability Profile

Severity Count Average QDS
Critical 3 95
High 0 0
Medium 50 65
Low 20 30

Result: TruRisk Score = 518

Contributing Factors

  • High Asset Criticality Score (4)
  • Average QDS scores across all severity levels
  • Internal asset weighing factor (1)