Calculating TruRisk Score

The TruRisk Score is calculated from several parameters: Asset Criticality, Qualys Detection Score (QDS), and Qualys Vulnerability Score (QVS). This section explains how each parameter contributes to the TruRisk Score.

Asset Risk Score is renamed to TruRisk Score.

The TruRisk Score calculation also applies to the Qualys CSAM application.

Understanding Asset Criticality Score

The Asset Criticality Score (ACS) is calculated from the tags assigned to the asset that have a defined criticality score. If multiple tags are assigned to the asset, the highest score is used as the ACS.

For example, if you assign six tags to your asset, the tag with the highest value between 1 and 5 will be considered the contributing factor when calculating the TruRisk Score.

For more information about configuring tags, refer to Configure Tags.

The criticality score used for risk calculation may differ from the one assigned to the asset, as the risk criticality score is assigned to the asset after the risk score has been calculated.

Understanding the Qualys Detection Score

The Qualys Detection Score (QDS) is assigned to vulnerabilities that Qualys has detected and assessed, at the level of each Qualys Vulnerability Detection Signature (QID). You can prioritize your vulnerabilities based on the QDS. QDS ranges from 1 to 100 and has four severity levels:

  • Critical: 90-100
  • High: 70-89
  • Medium: 40-69
  • Low: 1-39

QDS is derived from the following factors:

  • Vulnerability technical details (CVSS score): QDS uses the highest Qualys Vulnerability Score (QVS) among all the CVEs associated with the QID.
  • Vulnerability temporal details: QDS monitors external threat intelligence details for a vulnerability and collects data like Exploit Code Maturity (ECM), malware, active threat actors, and whether a threat is trending. It accounts for any compensating/mitigation controls applied to an asset to reduce the risk score for a given vulnerability. For example, QDS will reduce the risk of a Remote Desktop Protocol (RDP) vulnerability if RDP is disabled.

We recommend prioritizing vulnerabilities with a TruRisk-QDS score of 70 or higher.

The following table lists the QDS Range along with its description:

| QVS Range | CVSS Category | Description |
|-----------|---------------|-------------|
| >=95 | Critical | Exploited in the wild, has a weaponized exploit available, and is a trending risk on social media and the dark web. |
| 90-95 | Critical | Weaponized exploits are available, and there is evidence of exploitation by malware, threat actors, and ransomware groups. |
| 80-89 | Critical | Weaponized exploits are available, but there is no evidence of exploitation. |
| 70-79 | High | Weaponized exploits are available, but there is no evidence of exploitation. |
| 60-69 | Critical | No exploits are available. |
| 50-60 | High | A Proof of Concept (PoC) exploit is available. |
| 40-50 | High | No exploits are available. |
| 30-39 | Medium | A Proof of Concept (PoC) exploit is available. |
| 1-30 | Low | Low risk of exploitation. |

If multiple CVEs contribute to a QID, the CVE with the highest score is considered for the QDS calculation.

Understanding the Qualys Vulnerability Score for CVEs

Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS and external threat indicators like active exploitation, exploit code maturity, CISA known exploitable, and many more. It is also computed for vulnerabilities that don’t have Qualys vulnerability detection signatures (QIDs). For the QIDs with no published CVEs or low QDS, QVS will be calculated based on the Real-time Threat Indicators (RTIs) such as Zero-day, Active Attacks, Ransomware, and Wormable.

There are two approaches to how vulnerabilities are queried and displayed. One is aligned with Qualys Identifier (QID) and the other with industry standards (CVE). This allows you to utilize QID and CVE-based data for more effective risk analysis and decision-making. Learn more here: Understanding Old and New Vulnerability Queries.

These QVS scores can be individually queried for insights from our dedicated API endpoint.

Understanding TruRisk Score

TruRisk Score is the overall risk score assigned to the asset based on the following contributing factors:

  • Asset Criticality Score (ACS)
  • Qualys Detection Score (QDS) scores for each QID level
  • Auto-assigned weighting factor (w) for each criticality level of QIDs

TruRisk Formula for Managed Asset

The TruRisk formula for managed assets takes the number of vulnerabilities into account: an asset with more vulnerabilities gets a higher score. The formula has the following features:

  • The weighting factor (w) is based on the severity of the vulnerability.
  • The maximum risk score is restricted to 1000.
  • The new formula lists the External Tags.
  • In case of an external asset, the entire TruRisk Score value is multiplied by 1.2.

TruRisk Score = MIN( ACS * ( wc * Avg(QDSc) * np.power(Count(QDSc), 1/100) +
                             wh * Avg(QDSh) * np.power(Count(QDSh), 1/100) +
                             wm * Avg(QDSm) * np.power(Count(QDSm), 1/100) +
                             wl * Avg(QDSl) * np.power(Count(QDSl), 1/100) ), 1000 )

where,

ACS - Asset Criticality Score.

w - weighting factor for each severity level of QIDs [critical(c), high(h), medium(m), low(l)]

Avg(QDS) - Average of Qualys Detection Score for each severity level of QIDs

np.power - the exponent passed to np.power is the constant 0.01 (1/100)
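
The managed-asset formula above, worked through as an added Python example (not Qualys code). The values in WEIGHTS are placeholders, since the page does not list the auto-assigned weights; applying the 1.2 external multiplier before the 1000 cap and treating an empty severity level as contributing 0 are also assumptions.

```python
# Added illustration of the managed-asset TruRisk formula; not Qualys code.
# Placeholder weights: the page says w is auto-assigned and gives no values.
WEIGHTS = {"critical": 4.0, "high": 1.0, "medium": 0.25, "low": 0.0625}
# QDS severity bands from the page, as (lower bound, level).
BANDS = [(90, "critical"), (70, "high"), (40, "medium"), (1, "low")]
MAX_SCORE = 1000
EXTERNAL_MULTIPLIER = 1.2


def acs_from_tags(tag_scores):
    """ACS is the highest criticality (1-5) among the asset's tags."""
    scores = [s for s in tag_scores if s is not None]  # skip unscored tags
    if not scores:
        raise ValueError("no tag carries a criticality score")
    if any(not 1 <= s <= 5 for s in scores):
        raise ValueError("criticality scores must be between 1 and 5")
    return max(scores)


def severity(qds):
    """Map a QDS value (1-100) to its severity level."""
    if not 1 <= qds <= 100:
        raise ValueError(f"QDS out of range: {qds}")
    return next(level for floor, level in BANDS if qds >= floor)


def trurisk_managed(tag_scores, qds_values, external=False):
    """MIN(ACS * sum over levels of w * Avg(QDS) * Count(QDS)**0.01, 1000)."""
    acs = acs_from_tags(tag_scores)
    by_level = {level: [] for _, level in BANDS}
    for qds in qds_values:
        by_level[severity(qds)].append(qds)
    total = 0.0
    for level, values in by_level.items():
        if values:  # assumption: a level with no findings contributes 0
            avg = sum(values) / len(values)
            total += WEIGHTS[level] * avg * len(values) ** 0.01
    score = acs * total
    if external:
        score *= EXTERNAL_MULTIPLIER  # assumption: applied before the cap
    return min(score, MAX_SCORE)


if __name__ == "__main__":
    findings = [95, 91, 75, 45, 20]  # constructed QDS values for one asset
    print(trurisk_managed([2, 1], findings))              # ACS 2
    print(trurisk_managed([2, 4, 3], findings))           # ACS 4, hits the cap
    print(trurisk_managed([1], findings, external=True))  # external asset
```

Because the count is raised to the power 0.01, going from 1 to 100 findings at a severity level raises that level's term by only about 4.7%, so ACS and the average QDS dominate the result.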

TruRisk Formula for Externally Exposed Unmanaged Assets

TruRisk Score = MIN( (Asset exposure) * ACS * ( wc * Avg(QVSc) * np.power(Count(QVSc), 1/100) +
                                                wh * Avg(QVSh) * np.power(Count(QVSh), 1/100) +
                                                wm * Avg(QVSm) * np.power(Count(QVSm), 1/100) +
                                                wl * Avg(QVSl) * np.power(Count(QVSl), 1/100) ), 1000 )

where,

ACS - Asset Criticality Score.

w - weighting factor for each severity level of QIDs [critical(c), high(h), medium(m), low(l)]

Avg(QVS) - Average of Qualys Vulnerability Score for each severity level of QVS

np.power - the exponent passed to np.power is the constant 0.01 (1/100)

Click on the risk score for a particular asset to view the detailed calculation.
