Lumin Metrics
The following feature is not supported in Tenable.io Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.
Tenable Lumin uses several metrics to help you assess your risk.
- Cyber Exposure Score (CES)
- Vulnerability Priority Rating (VPR)
- Asset Criticality Rating (ACR)
- Asset Exposure Score (AES)
- Assessment Maturity Grade
- Remediation Maturity Grade
- Tenable Vulnerability Indicator (TVI)
For information about improving the accuracy of your Lumin metrics and increasing your overall vulnerability management health, see Improve Your Lumin Metrics.
Cyber Exposure Score (CES)
Tenable calculates a dynamic CES that represents exposure risk as an integer between 0 and 1000, based on the Asset Exposure Score (AES) values for assets scanned in the last 90 days. Higher CES values indicate higher risk.
You can view CES for different groups of assets, including:
- the overall CES for your entire organization (for example, the CES displayed in the Cyber Exposure Score widget)
- the tag-level CES for assets in a specific business context (for example, the CES displayed in the Cyber Exposure Score by Business Context/Tag widget).
CES Category | CES Range |
---|---|
High | 650 to 1000 |
Medium | 350 to 649 |
Low | 0 to 349 |
To view the CES for your entire organization or for a group of assets, view the widgets on the Lumin dashboard, as described in View the Lumin Dashboard.
For more information about how long Tenable.io takes to calculate or recalculate your CES, see Lumin Data Timing.
Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1 to 10.0, with a higher value representing a higher likelihood of exploitation.
VPR Category | VPR Range |
---|---|
Critical | 9.0 to 10.0 |
High | 7.0 to 8.9 |
Medium | 4.0 to 6.9 |
Low | 0.1 to 3.9 |
Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (for example, many vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.
Note: You cannot edit VPR values.
Tenable.io provides a VPR value the first time you scan a vulnerability on your network. Then, Tenable.io automatically provides new and updated VPR values daily.
Tenable recommends prioritizing vulnerabilities with the highest VPRs that are present on your assets with the highest ACRs.
To view the VPR for a specific vulnerability, view vulnerabilities as described in View Vulnerabilities by Plugin.
Tenable uses the following key drivers to calculate a vulnerability's VPR.
Note: Tenable does not customize these values for your organization; VPR key drivers reflect a vulnerability's global threat landscape.
Key Driver | Description |
---|---|
Age of Vuln | The number of days since the National Vulnerability Database (NVD) published the vulnerability. |
CVSSv3 Impact Score | The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable.io displays a Tenable-predicted score. |
Exploit Code Maturity | The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories. |
Product Coverage | The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High. |
Threat Sources | A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events. |
Threat Intensity | The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High. |
Threat Recency | The number of days (0-180) since a threat event occurred for the vulnerability. |
Common threat events include:
- An exploit of the vulnerability
- A posting of the vulnerability exploit code in a public repository
- A discussion of the vulnerability in mainstream media
- Security research about the vulnerability
- A discussion of the vulnerability on social media channels
- A discussion of the vulnerability on the dark web and underground
- A discussion of the vulnerability on hacker forums
Asset Criticality Rating (ACR)
Tenable assigns an ACR to each asset on your network to represent the asset's relative criticality as an integer from 1 to 10. A higher ACR indicates higher criticality.
ACR Category | ACR Range |
---|---|
Critical | 9 to 10 |
High | 7 to 8 |
Medium | 4 to 6 |
Low | 1 to 3 |
Because Tenable.io calculates ACR values every 24 hours, you may need to wait up to 24 hours to view the ACR after scanning the asset on your network.
Note: Tenable recommends reviewing your Tenable-provided ACR values and overriding them, if necessary. You can customize ACR values to reflect the unique infrastructure or needs of your organization, as described in Edit an ACR.
If an asset receives multiple ACR values, Tenable.io prioritizes the values in the following order:
- If set, the manually overridden ACR value.
- The Tenable-provided ACR value.
To view the ACR for a specific asset, view the asset details as described in View Legacy Workbench Asset Details.
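The prioritization recommendation in the VPR section and the ACR precedence rule above can be combined into a triage queue. The following is an added example, not Tenable code: the `Finding` record, the `EX-n` identifiers and the tie-breaking order (VPR category, then ACR, then raw VPR) are assumptions made for illustration, and findings without a VPR are queued separately by CVSS-based severity.

```python
from dataclasses import dataclass
from typing import Optional

# Lower bounds of the VPR categories in the VPR table, highest first.
VPR_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
# CVSS-based severities, most urgent first (fallback when there is no VPR).
SEVERITIES = ["Critical", "High", "Medium", "Low", "Info"]

@dataclass
class Finding:  # hypothetical record, not a Tenable.io export format
    asset: str
    vuln_id: str                  # constructed placeholder identifier
    vpr: Optional[float]          # None: the vulnerability received no VPR
    cvss_severity: str
    tenable_acr: int              # Tenable-provided ACR, 1 to 10
    override_acr: Optional[int] = None

    @property
    def acr(self) -> int:
        # A manually overridden ACR takes priority over the Tenable-provided one.
        return self.tenable_acr if self.override_acr is None else self.override_acr

def vpr_category(vpr: float) -> str:
    if not 0.1 <= vpr <= 10.0:
        raise ValueError(f"VPR {vpr} is outside 0.1 to 10.0")
    return next(name for lower, name in VPR_BANDS if vpr >= lower)

def prioritize(findings):
    """Return (vpr_queue, fallback_queue), each ordered most urgent first."""
    rated = [f for f in findings if f.vpr is not None]
    unrated = [f for f in findings if f.vpr is None]
    order = [name for _, name in VPR_BANDS]
    # Assumed ordering: VPR category, then ACR, then raw VPR, all descending.
    rated.sort(key=lambda f: (order.index(vpr_category(f.vpr)), -f.acr, -f.vpr))
    # No VPR: fall back to CVSS-based severity, then ACR.
    unrated.sort(key=lambda f: (SEVERITIES.index(f.cvss_severity), -f.acr))
    return rated, unrated

# Constructed sample findings (not real scan data).
SAMPLE = [
    Finding("web-01", "EX-1", 9.4, "Critical", tenable_acr=5, override_acr=9),
    Finding("db-01", "EX-2", 9.8, "Critical", tenable_acr=6),
    Finding("lab-01", "EX-3", 7.2, "High", tenable_acr=10),
    Finding("web-01", "EX-4", None, "Medium", tenable_acr=5, override_acr=9),
    Finding("db-01", "EX-5", None, "High", tenable_acr=6),
]

if __name__ == "__main__":
    for queue in prioritize(SAMPLE):
        print([(f.vuln_id, f.asset, f.vpr, f.acr) for f in queue])
```

In the sample, EX-1 outranks EX-2 despite its lower VPR because both are Critical and the overridden ACR of 9 on web-01 exceeds the ACR of 6 on db-01.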
Tenable uses the following key drivers to calculate an asset's Tenable-provided ACR.
Note: Tenable does not customize these values for your organization; ACR key drivers reflect the global threat landscape associated with the asset's characteristics.
Note: Running unauthenticated scans may result in limited or incomplete ACR key drivers.
Key Driver | Description |
---|---|
device_type | The device type. For example: |
device_capability | The device's business purpose. For example: |
internet_exposure | The device's location on your network and proximity to the internet. For example: |
Asset Exposure Score (AES)
Tenable calculates a dynamic AES for each asset on your network to represent the asset's relative exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.
Tenable calculates AES based on the current ACR (Tenable-provided or custom) and the VPRs associated with the asset.
AES Category | AES Range |
---|---|
High | 650 to 1000 |
Medium | 350 to 649 |
Low | 0 to 349 |
To view the AES for a specific asset, see View Legacy Workbench Assets.
Assessment Maturity Grade
Assessment Maturity provides a high-level summary of how effectively you are scanning for vulnerabilities on your licensed assets. Tenable calculates a dynamic Assessment Maturity grade that represents your assessment scanning health as a letter grade between A and F. An A grade indicates you are assessing your assets frequently and thoroughly.
Tenable provides an Assessment Maturity grade the first time you scan. Then, Tenable.io automatically provides an updated Assessment Maturity grade daily.
Assessment Maturity Letter Grade | Numerical Range |
---|---|
A | 75 to 100 |
B | 55 to 74 |
C | 30 to 54 |
D | 15 to 29 |
F | 0 to 14 |
How is my Assessment Maturity calculated?
- For asset scores:
  - Scan Frequency score — How often the asset was scanned within the last 90 days
  - Scan Depth score — Whether or not the asset was in an authenticated scan within the last 90 days
  - Assessment Maturity score — A calculation of (Scan Frequency score + Scan Depth score) / 2
- For a container/business context score:
  - Scan Frequency score — the average of the asset Scan Frequency scores
  - Scan Depth score — the average of the asset Scan Depth scores
  - Assessment Maturity score — the average of the asset Assessment Maturity scores
Scan Depth Score
A high depth grade indicates you are running authenticated scans on these assets.
Depth Grade Letter Grade | Numerical Range |
---|---|
A | 75 to 100 |
B | 55 to 74 |
C | 30 to 54 |
D | 15 to 29 |
F | 0 to 14 |
Scan Frequency Score
Tenable calculates your frequency grade based on how often you scan assets on your network. A high frequency grade indicates you are scanning your assets often.
Frequency Grade Letter Grade | Numerical Range |
---|---|
A | 75 to 100 |
B | 55 to 74 |
C | 30 to 54 |
D | 15 to 29 |
F | 0 to 14 |
To view your Assessment Maturity grade, depth grade, and frequency grade, see View Assessment Maturity Details.
For more information about how long Tenable.io takes to calculate or recalculate your Assessment Maturity grade, see Lumin Data Timing.
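The rollup described under "How is my Assessment Maturity calculated?" can be reproduced offline to see which business contexts are held back by scan depth rather than scan frequency. This is an added example, not Tenable code: the per-asset Scan Frequency and Scan Depth scores are constructed inputs (the page does not give their formulas), and fractional averages are assumed to take the grade of the band whose lower bound they meet.

```python
from collections import defaultdict
from statistics import mean

# Lower bound of each letter grade, from the grade tables above.
GRADE_FLOORS = [(75, "A"), (55, "B"), (30, "C"), (15, "D"), (0, "F")]

def letter(score: float) -> str:
    if not 0 <= score <= 100:
        raise ValueError(f"score {score} is outside 0 to 100")
    # Assumption: a fractional score falls in the band whose floor it meets.
    return next(grade for floor, grade in GRADE_FLOORS if score >= floor)

def asset_maturity(frequency: float, depth: float) -> float:
    # Asset score: (Scan Frequency score + Scan Depth score) / 2
    return (frequency + depth) / 2

def rollup(assets):
    """Average the asset scores per tag and grade each of the three scores."""
    by_tag = defaultdict(list)
    for a in assets:
        by_tag[a["tag"]].append(a)
    report = {}
    for tag, members in by_tag.items():
        scores = {
            "frequency": mean(a["frequency"] for a in members),
            "depth": mean(a["depth"] for a in members),
            "maturity": mean(asset_maturity(a["frequency"], a["depth"])
                             for a in members),
        }
        report[tag] = {k: (v, letter(v)) for k, v in scores.items()}
    return report

# Constructed sample scores; a depth of 0 here stands for an asset that was
# never in an authenticated scan (an assumption, not a documented value).
SAMPLE = [
    {"tag": "payments", "name": "pay-app-01", "frequency": 90, "depth": 100},
    {"tag": "payments", "name": "pay-db-01", "frequency": 80, "depth": 0},
    {"tag": "lab", "name": "lab-vm-07", "frequency": 20, "depth": 0},
]

if __name__ == "__main__":
    for tag, grades in rollup(SAMPLE).items():
        print(tag, grades)
```

In the sample, the payments context earns an A for frequency but a C for depth, which pulls its Assessment Maturity score to 67.5 (B).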
Remediation Maturity Grade
Remediation Maturity provides a high-level summary of how effectively you are remediating vulnerabilities on your licensed assets. Tenable calculates a dynamic Remediation Maturity grade that represents your remediation health as a letter grade between A and F. An A grade indicates you are remediating the vulnerabilities on your assets quickly and thoroughly.
Remediation Maturity Letter Grade | Numerical Range |
---|---|
A | 75 to 100 |
B | 55 to 74 |
C | 30 to 54 |
D | 15 to 29 |
F | 0 to 14 |
Your Remediation Maturity grade is the combination of your remediation responsiveness grade and your remediation coverage grade.
Tenable provides a Remediation Maturity grade the first time you remediate a vulnerability. Then, Lumin automatically provides an updated Remediation Maturity grade daily.
Remediation Responsiveness Grade
Tenable calculates your remediation responsiveness grade based on how long it takes you to remediate a vulnerability after it is first discovered (the First Seen date).
A high remediation responsiveness grade indicates you are quickly remediating the vulnerabilities on your assets.
Remediation Responsiveness Letter Grade | Numerical Range |
---|---|
A | 75 to 100 |
B | 55 to 74 |
C | 30 to 54 |
D | 15 to 29 |
F | 0 to 14 |
Remediation Coverage Grade
Tenable calculates your remediation coverage grade based on the percentage of remediated vulnerabilities on your assets.
A high remediation coverage grade indicates you are remediating a high percentage of the vulnerabilities on your assets.
Remediation Coverage Letter Grade | Numerical Range |
---|---|
A | 75 to 100 |
B | 55 to 74 |
C | 30 to 54 |
D | 15 to 29 |
F | 0 to 14 |
To view your Remediation Maturity grade, remediation responsiveness grade, and remediation coverage grade, see View Remediation Maturity Details.
For more information about how long Lumin takes to calculate or recalculate your Remediation Maturity grade, see Lumin Data Timing.
Tenable Vulnerability Indicator (TVI)
Tenable assigns a TVI (TVI-####-#####) to all unique, publicly disclosed vulnerabilities to uniquely identify an individual vulnerability on your network.
Vulnerabilities With TVIs | Vulnerabilities Without TVIs |
---|---|
|
|
Tip: Tenable.io identifies a vulnerability by CVE, if available. If no CVE is available, Tenable.io displays the TVI. If no TVI is available, Tenable.io displays the plugin ID.