Tenable Lumin uses several metrics to help you assess your Cyber Exposure risk.
- Cyber Exposure Score (CES)
- Vulnerability Priority Rating (VPR)
- Asset Criticality Rating (ACR)
- Asset Exposure Score (AES)
- Tenable Vulnerability Indicator (TVI)
Tenable calculates a dynamic CES that represents Cyber Exposure risk as an integer between 0 and 1000, based on the Asset Exposure Score (AES) values for assets scanned in the last 90 days. Higher CES values indicate higher risk.
You can view CES for different groups of assets, including:
- the CES for your entire organization (e.g., the CES displayed in the Cyber Exposure Score widget)
- the CES for assets in a specific business context (e.g., the CES displayed in the Cyber Exposure Score by Business Context widget).
To view the CES for your entire organization or tag-specific CES values, view the widgets as described in View the Lumin Dashboard.
Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the static data provided by the vulnerability's CVSS score and severity, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher likelihood of exploit.
| VPR Category | VPR Range |
|---|---|
| Critical | 9.0 to 10.0 |
| High | 7.0 to 8.9 |
| Medium | 4.0 to 6.9 |
| Low | 0.1 to 3.9 |
Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (e.g., many vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.
Note: You cannot edit VPR values.
Tenable.io provides a VPR value the first time you scan a vulnerability on your network. Then, Tenable.io automatically provides new and updated VPR values daily.
Tenable recommends prioritizing vulnerabilities with the highest VPRs that are present on your assets with the highest ACRs.
To view the VPR for a specific vulnerability, view vulnerabilities as described in View All Vulnerabilities in Lumin.
Tenable uses the following key drivers to calculate a vulnerability's VPR.
Note: Tenable does not customize these values for your organization; VPR key drivers reflect a vulnerability's global threat landscape.
| Key Driver | Description |
|---|---|
| Age of Vuln | The number of days since the National Vulnerability Database (NVD) published the vulnerability. |
| CVSSv3 Impact Score | The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable.io displays a Tenable-predicted score. |
| Exploit Code Maturity | The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories. |
| Product Coverage | The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High. |
| Threat Sources | A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events. |
| Threat Intensity | The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High. |
| Threat Recency | The number of days (0-730) since a threat event occurred for the vulnerability. |

Common threat events include:
- An exploit of the vulnerability
- A posting of the vulnerability exploit code in a public repository
- A discussion of the vulnerability in mainstream media
- Security research about the vulnerability
- A discussion of the vulnerability on social media channels
- A discussion of the vulnerability on the dark web and underground
- A discussion of the vulnerability on hacker forums
Tenable assigns an ACR to each asset on your network to represent the asset's relative criticality as an integer from 1 to 10. A higher ACR indicates higher criticality.
Tenable provides an ACR value the first time you scan an asset on your network. Then, Tenable automatically provides new and updated ACR values daily.
Note: Tenable recommends reviewing your Tenable-provided ACR values and overriding them, if necessary. You can customize ACR values to reflect the unique infrastructure or needs of your organization, as described in Edit an ACR.
To view the ACR for a specific asset, view the asset details as described in View Asset Details.
Tenable uses the following key drivers to calculate an asset's Tenable-provided ACR.
Note: Tenable does not customize these values for your organization; ACR key drivers reflect the global threat landscape associated with the asset's characteristics.
The device type. For example:
The device's business purpose. For example:
The device's location on your network and proximity to the internet. For example:
Tenable calculates a dynamic AES for each asset on your network to represent the asset's relative exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.
Tenable calculates AES based on the current ACR (Tenable-provided or custom) and the VPRs associated with the asset.
Tenable assigns a TVI (TVI-####-#####) to all unique, publicly disclosed vulnerabilities to uniquely identify an individual vulnerability on your network.
|Vulnerabilities With TVIs||Vulnerabilities Without TVIs|
Tip: Tenable.io identifies a vulnerability by CVE, if available. If no CVE is available, Tenable.io displays the TVI. If no TVI is available, Tenable.io displays the plugin ID.
To view the TVI for a specific vulnerability, view the vulnerability details as described in View Vulnerability Details.
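
The VPR category ranges, the recommendation to prioritize the highest VPRs on the assets with the highest ACRs, the CVSS-severity fallback for vulnerabilities without a VPR, and the CVE/TVI/plugin ID display order can be combined into a triage queue. This is an added Python example, not Tenable code or API output; the finding field names, the tie-breaking order, and the sample records are assumptions constructed for illustration.

```python
# Added example: field names and sample findings are constructed, not Tenable API output.
from typing import Optional

VPR_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def vpr_category(vpr: Optional[float]) -> Optional[str]:
    """Map a VPR (0.1-10.0) to its category; None when no VPR was assigned."""
    if vpr is None:
        return None
    if not 0.1 <= vpr <= 10.0:
        raise ValueError(f"VPR out of range: {vpr}")
    return next(name for floor, name in VPR_BANDS if vpr >= floor)


def display_id(finding: dict) -> str:
    """Identifier precedence from the Tip: CVE, then TVI, then plugin ID."""
    return finding.get("cve") or finding.get("tvi") or f"plugin {finding['plugin_id']}"


def triage(findings: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split findings into a VPR queue and a CVSS-severity fallback queue."""
    rated = [f for f in findings if f.get("vpr") is not None]
    unrated = [f for f in findings if f.get("vpr") is None]
    # Assumed ordering: highest VPR first, ties broken by highest ACR.
    rated.sort(key=lambda f: (f["vpr"], f["acr"]), reverse=True)
    # No VPR: order by CVSS-based severity, then by ACR.
    unrated.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["acr"]), reverse=True)
    return rated, unrated


# Constructed sample findings (placeholder identifiers, not real CVEs or TVIs).
SAMPLE = [
    {"cve": "CVE-0000-0001", "plugin_id": 100001, "vpr": 9.4, "acr": 6, "severity": "High"},
    {"cve": "CVE-0000-0002", "plugin_id": 100002, "vpr": 9.4, "acr": 9, "severity": "Critical"},
    {"cve": "CVE-0000-0003", "plugin_id": 100003, "vpr": 5.2, "acr": 10, "severity": "Medium"},
    {"tvi": "TVI-0000-00001", "plugin_id": 100004, "vpr": None, "acr": 8, "severity": "Medium"},
    {"plugin_id": 100005, "vpr": None, "acr": 3, "severity": "Info"},
]

if __name__ == "__main__":
    rated, unrated = triage(SAMPLE)
    for f in rated:
        print(display_id(f), vpr_category(f["vpr"]), f"VPR={f['vpr']}", f"ACR={f['acr']}")
    for f in unrated:
        print(display_id(f), "no VPR", f["severity"], f"ACR={f['acr']}")
```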