Skip to main content
Plerion uses the Plerion Risk Calculator (PRC) to generate the asset risk score: a numerical value assigned to each asset based on its findings, vulnerabilities, and context.

Implementation overview

The following factors contribute to an asset risk score:
  • Public exposure
  • Asset contexts
  • Findings algorithm
  • Vulnerability algorithm (workload assets only)

Factors in asset risk score calculation

Asset contexts

The PRC considers asset-specific contexts when calculating the asst risk scores. List of asset contexts:
  • Publicly exposed
  • Admin privileges
  • Overly permissive privileges
  • Cross-account access
  • Exploit exists
  • Exploited vulnerability
  • Susceptible to privilege escalation
Not all contexts apply to all resource types. For example, an S3 bucket may only use “Publicly exposed” and “Cross-account access.”

Findings algorithm

The findings algorithm calculates an asset score between 0–10 using a banding system. The score begins in the band of the highest severity level among failed findings, then adjusts based on the ratio of failed to passed and missing findings, ensuring it stays within the correct band. To avoid double-counting, findings already represented by public exposure or other asset contexts are excluded from this stage of the calculation. This ensures the final score reflects only additional, unaccounted risks. Severity bands:
  • Low: 1–<3
  • Medium: 3–<7
  • High: 7–<9
  • Critical: 9–10
Process:
  1. Identify the highest severity band: The algorithm begins by determining the highest severity band among the failed findings.
  2. Handle edge cases: If the asset has only failed findings (with no passed or missing findings), the score is placed just below the start of the next highest band. This prevents the score from jumping too far beyond its current band.
  3. Calculate the failure ratio: The failure ratio is determined by dividing the number of failed findings by the total number of findings (failed + passed + unknown).
  4. Apply normalization factor: A normalization factor, specific to the highest severity band, is applied to scale the score within that band’s range.
  5. Compute the risk score: The risk score is then calculated as
    highest severity band + (failure ratio × 10 × normalization factor)
  6. Cap the risk score: The final score is capped at a maximum of 10.
Example: An S3 bucket with failed severities Critical, High and passed severities Low, Medium will start at band 9 (Critical). Adjustments from the failure ratio and normalization result in a final asset risk score close to 9.8.

Vulnerability algorithm

The vulnerability algorithm calculates a score between 0–10 for workload assets, starting from the band of the highest vulnerability severity. Severity bands:
  • Low: 1–<3
  • Medium: 3–<7
  • High: 7–<9
  • Critical: 9–10
Severity limits:
  • Low: 4000
  • Medium: 2000
  • High: 500
  • Critical: 100
Process
  1. Identify the highest severity: The algorithm begins by determining the highest severity level present among the vulnerabilities.
  2. Start from the highest band: The initial score is set at the band corresponding to that severity. Example: If the highest severity is Critical, the starting point is band 9.
  3. Calculate remaining band range: The available range for score increases is determined by subtracting the current band from the next highest band. Example: If starting from band 9, the range to 10 is 1.
  4. Evaluate lower severity levels: Vulnerabilities in High, Medium, and Low categories are then assessed. Their contributions are based on the ratio of vulnerabilities to the severity limit, weighted by the remaining band range.
  5. Aggregate contributions: Contributions from lower severity levels are progressively added to the score. Critical vulnerabilities contribute the most, followed by High, Medium, and Low.
  6. Cap the score: The score is capped at a maximum of 10 to ensure it remains within a standardized range.
Example: For an EC2 instance with 5 Critical, 25 High, and 100 Medium vulnerabilities:
  • Highest severity: Critical, so start at band 9
  • Remaining band range: 1 (10 − 9)
  • Critical contribution: 5/100 = 0.05 → 9 + 0.05 = 9.05
  • High contribution: 25/500 = 0.05 → 9.05 + (0.05 ÷ 2) = 9.075
  • Medium contribution: 100/2000 = 0.05 → 9.075 + (0.05 ÷ 4) = 9.0875
Final risk score: ~9.09

Risk score calculation process

  1. Public exposure check:
  • Add 3 points if the asset is publicly exposed.
  1. Asset contexts evaluation:
  • Determine applicable contexts for the resource type.
  • Weight each context by importance.
  • Maximum contribution capped at 3 points.
  1. Findings and vulnerabilities:
  • Non-workload assets: based only on findings
  • Workload assets:
    • No vulnerability scan → findings only
    • Vulnerability scan with no findings → 50% findings score
    • Vulnerability scan with results → weighted combination:
      • 30% findings + 70% vulnerabilities (if both exist).
      • 100% vulnerabilities (if only context-related findings exist).
  1. Final score:
  • Sum all contributions (public exposure + contexts + findings/vulnerabilities).
  • Ensure the result stays within the 0–10 range.

The following examples illustrate how an asset risk score is calculated. These examples show how different factors—public exposure, asset contexts, findings, and vulnerabilities—combine to produce the overall asset risk score for both non-workload and workload assets.
An SNS Topic with the following characteristics:
  • Publicly exposed
  • Applicable asset contexts: “Cross account access” (weight: 2) and “Admin privileges” (weight: 1); only “Cross account access” applies
  • Findings: 1 Critical, 2 High, 1 Medium
Calculation:
  1. Public exposure = 3 points
  2. Asset contexts:
    • Max score for SNS Topic = 3
    • Score = (2 ÷ (2 + 1)) × 3 = 2 points
  3. Findings:
    • Findings algorithm = 8.5 / 10
    • Remaining max score = 10 − 3 − 3 = 4
    • Findings score = (8.5 ÷ 10) × 4 = 3.4 points
  4. Final asset risk score = 3 + 2 + 3.4 = 8.4
An SQS Queue with the following characteristics:
  • Publicly exposed
  • Applicable asset context: “Cross account access” (weight: 1)
  • Findings: 1 Critical, 2 High, 1 Medium
Calculation:
  1. Public exposure = 3 points
  2. Asset contexts:
    • Max score for SQS Queue = 1
    • Score = (1 ÷ 1) × 1 = 1 point
  3. Findings:
    • Findings algorithm = 7 / 10
    • Remaining max score = 10 − 3 − 1 = 6
    • Findings score = (7 ÷ 10) × 6 = 4.2 points
  4. Final asset risk score = 3 + 1 + 4.2 = 8.2
An EC2 instance with the following characteristics:
  • Not publicly exposed
  • Applicable asset contexts: “Admin privileges” (weight: 2), “Exploit exists” (1), “Exploited vulnerability” (1); only “Admin privileges” applies
  • Findings: 2 High, 3 Medium
  • Vulnerabilities: 1 Critical, 3 High
Calculation:
  1. Public exposure = 0 points
  2. Asset contexts:
    • Max score for EC2 = 3
    • Score = (2 ÷ (2 + 1 + 1)) × 3 = 1.5 points
  3. Findings and vulnerabilities:
    • Findings algorithm = 7.0 / 10
    • Vulnerability algorithm = 8.5 / 10
    • Remaining max score = 10 − 3 − 3 = 4
    • Combined score = ((0.3 × 7.0) + (0.7 × 8.5)) × (4 ÷ 10) = 3.22 points
  4. Final asset risk score = 0 + 1.5 + 3.22 = 4.72

Depiction

Explanation Diagram
I