Background

To assess the security posture of your cloud environments, Plerion applies a scoring system that evaluates each asset and its associated findings. The result is a Plerion Risk Score (PRS): a numerical value that reflects the severity of risk on that asset, helping teams prioritize remediation. PRS is calculated by Plerion's risk engine, which combines likelihood, impact, asset context, and modifiers. Unlike a CVSS score (the severity attached to a CVE entry), which assumes a worst-case deployment of the affected software, PRS incorporates asset-specific context, so the same finding can score differently on two assets.

Key terms

  • Risk: A potential adverse event, derived from both its likelihood of occurring and the impact if it does.
  • Risk description: A detailed explanation of a potential risk.
    Example: A system compromise due to exploitation of an Amazon EC2 instance with a remote code execution vulnerability
  • Finding: A technical description of an asset condition discovered during evaluation.
    Example: Publicly accessible Amazon S3 bucket
  • Check: A condition tested against an asset to identify potential risks.
    Example: Identify publicly accessible Amazon S3 buckets
  • Control: A condition assets must meet to mitigate risks.
    Example: Ensure Amazon S3 buckets are not publicly accessible
  • Likelihood: The probability of a risk being realized, scored from 1 (rare) to 5 (almost certain).
    Example: Likelihood of a publicly accessible Amazon S3 bucket = 4
  • Impact: The consequence of a realized risk, scored from 1 (insignificant) to 5 (severe).
    Example: Impact of a publicly accessible Amazon RDS instance = 4
  • Risk score: A calculated value (0–10, up to two decimal places) representing overall asset risk. For workloads, vulnerabilities are also included.
    PRS adjusts the baseline impact and likelihood values with asset-specific modifiers, which is what distinguishes it from a CVSS score.
  • Risk rating: A severity category derived from the adjusted likelihood and impact: None, Low, Medium, High, Critical.
    [Figure: Risk Rating by Impact and Likelihood (matrix not reproduced on this page)]
  • Modifier attributes: Asset context that adjusts impact, likelihood, or both.
    Example: is publicly exposed, has overly permissive privileges
  • Modifier value: The numeric adjustment applied to baseline likelihood or impact when modifiers are present.
    Example: If has overly permissive privileges has +2 to likelihood, an asset with this attribute will calculate at a higher severity level
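
A small model of the scoring mechanics described in the key terms above, added here as an illustration; it is not Plerion's code, and the page does not publish the engine's actual formula. The modifier table (attribute names and deltas), the rule that scales the product of adjusted likelihood and impact onto 0–10, the rating band edges, and the choice to take the highest finding as the asset score are all assumptions made for this example. What the example does show faithfully is the mechanism the terms describe: a modifier attribute shifts the baseline likelihood or impact, the shifted values are clamped to the 1–5 scale, and the resulting score and rating move with them.

```python
from dataclasses import dataclass

# Modifier attributes and their modifier values (deltas applied to the
# baseline likelihood and/or impact). ASSUMPTION: illustrative names and
# deltas only; Plerion's real modifier table is not on this page.
MODIFIERS = {
    "is publicly exposed":              {"likelihood": +1, "impact": +1},
    "has overly permissive privileges": {"likelihood": +2},
    "holds no sensitive data":          {"impact": -2},
}

# Rating bands over the 0-10 score. ASSUMPTION: illustrative edges, not
# Plerion's Risk Rating by Impact and Likelihood matrix.
RATING_BANDS = [(0.0, "None"), (2.5, "Low"), (5.0, "Medium"),
                (7.5, "High"), (10.0, "Critical")]


@dataclass(frozen=True)
class Finding:
    description: str
    likelihood: int   # baseline, 1 (rare) .. 5 (almost certain)
    impact: int       # baseline, 1 (insignificant) .. 5 (severe)


@dataclass(frozen=True)
class Asset:
    name: str
    attributes: frozenset   # modifier attributes present on the asset
    findings: tuple         # Finding objects discovered by checks


def clamp(value, lo=1, hi=5):
    """Keep an adjusted likelihood/impact on the 1..5 scale."""
    return max(lo, min(hi, value))


def adjusted(finding, asset):
    """Apply every modifier the asset carries to the finding's baselines."""
    likelihood, impact = finding.likelihood, finding.impact
    for attr in asset.attributes:
        delta = MODIFIERS.get(attr, {})
        likelihood += delta.get("likelihood", 0)
        impact += delta.get("impact", 0)
    return clamp(likelihood), clamp(impact)


def risk_score(likelihood, impact):
    """ASSUMPTION: scale the (1..5 x 1..5) product onto 0..10, 2 decimals."""
    return round(likelihood * impact * 10 / 25, 2)


def risk_rating(score):
    """Map a 0..10 score to a rating category using RATING_BANDS."""
    if score <= 0:
        return "None"
    for edge, label in RATING_BANDS[1:]:
        if score < edge:
            return label
    return RATING_BANDS[-1][1]


def asset_score(asset):
    """ASSUMPTION: the asset's score is its highest-scoring finding.

    Returns (score, rating, description of the driving finding).
    """
    if not asset.findings:
        return 0.0, "None", None
    best = None
    for finding in asset.findings:
        score = risk_score(*adjusted(finding, asset))
        if best is None or score > best[0]:
            best = (score, risk_rating(score), finding.description)
    return best


# Constructed sample input mirroring the page's examples: the same finding
# on a plain bucket and on one with overly permissive privileges.
PUBLIC_BUCKET = Finding("Publicly accessible Amazon S3 bucket", likelihood=4, impact=4)
PLAIN = Asset("logs-bucket", frozenset(), (PUBLIC_BUCKET,))
PRIVILEGED = Asset("admin-bucket", frozenset({"has overly permissive privileges"}),
                   (PUBLIC_BUCKET,))

if __name__ == "__main__":
    for asset in (PLAIN, PRIVILEGED):
        score, rating, driver = asset_score(asset)
        print(f"{asset.name}: {score} ({rating}) driven by '{driver}'")
```

Under these assumptions the plain bucket scores 6.4 (High) while the bucket carrying the "has overly permissive privileges" attribute scores 8.0 (Critical), because the +2 likelihood modifier pushes the adjusted likelihood from 4 to the clamped maximum of 5. Swapping in a negative impact modifier such as "holds no sensitive data" moves the same finding down to Medium, which is the contextual behaviour that separates PRS from a fixed CVSS base score.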

Further reading