Tenable Exposure Management Metrics
The following metrics are used to assess data within Tenable Exposure Management:
Data Timing
Data within Tenable Exposure Management refreshes on the following cadence:
- Asset Data — Asset information is updated every time the asset is seen as part of a scan.
- Tag Application — When a tag is first created, it can take several hours to assign the tag to the appropriate asset, depending on the number of assets and the tag's rules.
- Tag Reevaluation — Every 12 hours, Tenable Exposure Management automatically reevaluates tags to ensure they apply to newly discovered assets, and are removed from any inactive assets.
- Tenable Cloud Security data — Tenable Exposure Management automatically refreshes Tenable Cloud Security data every 24 hours.
Cyber Exposure Score (CES)
Tenable Exposure Management calculates a dynamic CES that represents exposure risk as an integer between 0 and 1000, based on the Asset Exposure Score (AES) values for assets. Higher CES values indicate higher risk.
Note: Tenable Exposure Management does not include assets older than 90 days in your CES.
CES Category | CES Range |
---|---|
High | 650 to 1000 |
Medium | 350 to 649 |
Low | 0 to 349 |
Asset Exposure Score (AES)
Tenable Exposure Management calculates a dynamic AES for each asset on your network to represent the asset's relative exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.
Note: Tenable Exposure Management does not calculate an AES for unlicensed assets.
AES Category | AES Range |
---|---|
High | 650 to 1000 |
Medium | 350 to 649 |
Low | 0 to 349 |
Asset Criticality Rating (ACR)
Tenable assigns an ACR to each asset on your network to represent the asset's relative criticality as an integer from 1 to 10. A higher ACR indicates higher criticality.
ACR Category | ACR Range |
---|---|
Critical | 9 to 10 |
High | 7 to 8 |
Medium | 4 to 6 |
Low | 1 to 3 |
Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1 to 10.0, with a higher value representing a higher likelihood of exploit.
VPR Category | VPR Range |
---|---|
Critical | 9.0 to 10.0 |
High | 7.0 to 8.9 |
Medium | 4.0 to 6.9 |
Low | 0.1 to 3.9 |
Note: Vulnerabilities without CVEs (for example, many vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.
Exposure Categories
Tenable Exposure Management products refer to data sources as Exposure Categories. Tenable Exposure Management uses specific icons to represent these within the user interface.
- Vulnerability Management
- Web Applications
- Identity Exposure
- Operational Technologies
- Cloud Security
Scoring Caveats within Tenable Exposure Management
The weakness counts and severities within the Asset Details tab and other areas within the Tenable Exposure Management user interface may not match because each segment counts instances differently:
For Tenable Vulnerability Management assets:
- Weakness counts: Distinct CVE counts
- Exposure score counts: Distinct (plugin ID, CVE ID) counts to allow for recasted plugins to affect exposure scores
For Tenable Web App Scanning assets:
- Weakness counts: Number of distinct CVEs + distinct plugins where the plugin has no CVEs but has a VPR
- Exposure score counts: Distinct plugin ID counts with VPR > 0. This is to account for plugin ID vulnerabilities with no CVE and to allow for recasted plugins to affect exposure scores
For Tenable Identity Exposure assets:
- Weakness counts: Distinct IoEs observed directly on the asset
- Exposure score counts: Includes IoEs observed directly on the asset plus those inherited from related assets to account for inherited IoEs in exposure scores
For Tenable Cloud Security assets:
- Weakness counts: Cloud Security misconfigurations plus any CVEs found on the asset
- Exposure score counts: Only Cloud Security misconfigurations are counted for exposure scores.
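The counting rules above, applied to constructed findings to show why the weakness count and the exposure score count diverge for the same asset. This is an added example, not Tenable code; the field names, the placeholder IDs, and the deduplication of an IoE that is both direct and inherited are assumptions.

```python
# Added illustration, not Tenable code. Field names and all sample values are constructed.

def vm_counts(findings):
    """Vulnerability Management: distinct CVEs vs distinct (plugin ID, CVE ID) pairs."""
    weakness = {f["cve"] for f in findings}
    exposure = {(f["plugin_id"], f["cve"]) for f in findings}
    return len(weakness), len(exposure)

def was_counts(findings):
    """Web App Scanning: CVEs plus CVE-less plugins with a VPR vs plugins with VPR > 0."""
    cves = {f["cve"] for f in findings if f["cve"]}
    cveless = {f["plugin_id"] for f in findings if not f["cve"] and f["vpr"] is not None}
    exposure = {f["plugin_id"] for f in findings if f["vpr"] is not None and f["vpr"] > 0}
    return len(cves) + len(cveless), len(exposure)

def identity_counts(findings):
    """Identity Exposure: direct IoEs vs direct plus inherited IoEs."""
    direct = {f["ioe"] for f in findings if not f["inherited"]}
    # Assumption: an IoE that is both direct and inherited is counted once.
    return len(direct), len({f["ioe"] for f in findings})

def cloud_counts(findings):
    """Cloud Security: misconfigurations plus CVEs vs misconfigurations only."""
    misconfigs = {f["id"] for f in findings if f["kind"] == "misconfiguration"}
    cves = {f["id"] for f in findings if f["kind"] == "cve"}
    return len(misconfigs) + len(cves), len(misconfigs)

# Constructed findings for one asset per product (placeholder IDs, not real CVEs or plugins).
VM = [{"plugin_id": 1001, "cve": "CVE-A"}, {"plugin_id": 1002, "cve": "CVE-A"},
      {"plugin_id": 1002, "cve": "CVE-B"}]
WAS = [{"plugin_id": 2001, "cve": "CVE-C", "vpr": 6.7}, {"plugin_id": 2001, "cve": "CVE-D", "vpr": 6.7},
       {"plugin_id": 2002, "cve": None, "vpr": 4.2}, {"plugin_id": 2003, "cve": None, "vpr": None}]
IDENTITY = [{"ioe": "IOE-1", "inherited": False}, {"ioe": "IOE-2", "inherited": False},
            {"ioe": "IOE-3", "inherited": True}]
CLOUD = [{"id": "MISCONFIG-1", "kind": "misconfiguration"},
         {"id": "MISCONFIG-2", "kind": "misconfiguration"}, {"id": "CVE-E", "kind": "cve"}]

if __name__ == "__main__":
    for name, fn, data in [("VM", vm_counts, VM), ("WAS", was_counts, WAS),
                           ("Identity", identity_counts, IDENTITY), ("Cloud", cloud_counts, CLOUD)]:
        weakness, exposure = fn(data)
        print(f"{name}: weakness count={weakness}, exposure score count={exposure}")
```

Each function returns the pair (weakness count, exposure score count), so a mismatch between the two numbers in the user interface can be traced to the rule for that product.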