Tenable Lumin uses several metrics to help you assess your Cyber Exposure risk.
- Cyber Exposure Score (CES)
- Vulnerability Priority Rating (VPR)
- Asset Criticality Rating (ACR)
- Asset Exposure Score (AES)
- Assessment Maturity Grade
- Tenable Vulnerability Indicator (TVI)
Tenable calculates a dynamic CES that represents Cyber Exposure risk as an integer between 0 and 1000, based on the Asset Exposure Score (AES) values for assets scanned in the last 90 days. Higher CES values indicate higher risk.
You can view CES for different groups of assets, including:
- the CES for your entire organization (e.g., the CES displayed in the Cyber Exposure Score widget)
- the CES for assets in a specific business context (e.g., the CES displayed in the Cyber Exposure Score by Business Context widget).
To view the CES for your entire organization or for a group of assets, view the widgets on the Lumin dashboard, as described in View the Lumin Dashboard.
Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the static data provided by the vulnerability's CVSS score and severity, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1 to 10.0, with a higher value representing a higher likelihood of exploitation.
|VPR Category||VPR Range|
|Critical||9.0 to 10.0|
|High||7.0 to 8.9|
|Medium||4.0 to 6.9|
|Low||0.1 to 3.9|
Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (e.g., many vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.
Note: You cannot edit VPR values.
Tenable.io provides a VPR value the first time you scan a vulnerability on your network. Then, Tenable.io automatically provides new and updated VPR values daily.
Tenable recommends prioritizing vulnerabilities with the highest VPRs that are present on your assets with the highest ACRs.
To view the VPR for a specific vulnerability, view vulnerabilities as described in View All Vulnerabilities in Lumin.
Tenable uses the following key drivers to calculate a vulnerability's VPR.
Note: Tenable does not customize these values for your organization; VPR key drivers reflect a vulnerability's global threat landscape.
|Age of Vuln||The number of days since the National Vulnerability Database (NVD) published the vulnerability.|
|CVSSv3 Impact Score||The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable.io displays a Tenable-predicted score.|
|Exploit Code Maturity||The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., ReversingLabs, Exploit-DB, Metasploit). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.|
|Product Coverage||The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.|
|Threat Sources||A list of all sources (e.g., social media channels, the dark web) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.|
|Threat Intensity||The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.|
|Threat Recency||The number of days (0-730) since a threat event occurred for the vulnerability.|
Common threat events include:
- An exploit of the vulnerability
- A posting of the vulnerability exploit code in a public repository
- A discussion of the vulnerability in mainstream media
- Security research about the vulnerability
- A discussion of the vulnerability on social media channels
- A discussion of the vulnerability on the dark web and underground
- A discussion of the vulnerability on hacker forums
Tenable assigns an ACR to each asset on your network to represent the asset's relative criticality as an integer from 1 to 10. A higher ACR indicates higher criticality.
|ACR Category||ACR Range|
|Critical||9 to 10|
|High||7 to 8|
|Medium||4 to 6|
|Low||1 to 3|
Tenable provides an ACR value the first time you scan an asset on your network. Then, Tenable automatically provides new and updated ACR values daily.
Note: Tenable recommends reviewing your Tenable-provided ACR values and overriding them, if necessary. You can customize ACR values to reflect the unique infrastructure or needs of your organization, as described in Edit an ACR.
If an asset receives multiple ACR values, Tenable.io prioritizes the values in the following order:
- If set, the manually overridden ACR value.
- The Tenable-provided ACR value.
To view the ACR for a specific asset, view the asset details as described in View Asset Details.
Tenable uses the following key drivers to calculate an asset's Tenable-provided ACR.
Note: Tenable does not customize these values for your organization; ACR key drivers reflect the global threat landscape associated with the asset's characteristics.
The device type. For example:
The device's business purpose. For example:
The device's location on your network and proximity to the internet. For example:
Tenable calculates a dynamic AES for each asset on your network to represent the asset's relative exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.
Tenable calculates AES based on the current ACR (Tenable-provided or custom) and the VPRs associated with the asset.
Assessment Maturity provides a high-level summary of how effectively you are scanning for vulnerabilities. Tenable calculates a dynamic Assessment Maturity grade that represents your assessment scanning health as a letter grade between A and F. An A grade indicates you are assessing your assets frequently and thoroughly.
|Assessment Maturity Letter Grade||Numerical Range|
|A||80 to 100|
|B||60 to 79|
|C||35 to 59|
|D||15 to 34|
|F||0 to 15|
Your Assessment Maturity grade is the combination of your Assessment Maturity depth grade and your Assessment Maturity frequency grade. Tenable provides an Assessment Maturity grade the first time you scan. Then, Tenable.io automatically provides an updated Assessment Maturity grade daily.
Tenable calculates your depth grade as the combination of your scan policy coverage and authentication coverage.
- Scan policy coverage — How many plugins were enabled in your scan policies?
- Authentication coverage — How many of your scans successfully used authentication for full vulnerability detection?
A high depth grade indicates you are using policies with full plugin coverage and successfully running those plugins on your assets.
Tenable calculates your frequency grade based on how often you scan assets on your network. A high frequency grade indicates you are scanning your assets often.
To view your Assessment Maturity grade, depth grade, and frequency grade, see View Assessment Maturity Details.
Tenable assigns a TVI (TVI-####-#####) to all unique, publicly disclosed vulnerabilities to uniquely identify an individual vulnerability on your network.
|Vulnerabilities With TVIs||Vulnerabilities Without TVIs|
Tip: Tenable.io identifies a vulnerability by CVE, if available. If no CVE is available, Tenable.io displays the TVI. If no TVI is available, Tenable.io displays the plugin ID.
To view the TVI for a specific vulnerability, view the vulnerability details as described in View Vulnerability Details.
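The prioritization recommendation, the ACR override precedence, the CVSS-severity fallback for vulnerabilities without a VPR, and the CVE/TVI/plugin ID display order described above, combined in one added example. This is not Tenable code: the record fields, sample data, and the ranking rule (effective ACR first, then VPR) are assumptions of the example, not a Tenable formula or API.

```python
from dataclasses import dataclass
from typing import Optional

# Lower bounds of the VPR ranges in the VPR table (0.1 is the minimum VPR).
VPR_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
# Assumed ordering of CVSS-based severities, for findings that have no VPR.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

@dataclass
class Finding:                      # hypothetical record, not a Tenable API object
    plugin_id: int
    asset: str
    vpr: Optional[float]            # None: no VPR (e.g., no CVE in the NVD)
    severity: str                   # CVSS-based severity
    cve: Optional[str] = None
    tvi: Optional[str] = None

def effective_acr(asset: dict) -> int:   # manual override wins over Tenable's value
    override = asset.get("override_acr")
    return override if override is not None else asset["tenable_acr"]

def vpr_category(vpr: float) -> str:
    return next(name for floor, name in VPR_BANDS if vpr >= floor)

def display_id(f: Finding) -> str:       # CVE, else TVI, else plugin ID
    return f.cve or f.tvi or f"plugin {f.plugin_id}"

def prioritize(findings, assets):
    acr = {name: effective_acr(a) for name, a in assets.items()}
    with_vpr = sorted((f for f in findings if f.vpr is not None),
                      key=lambda f: (acr[f.asset], f.vpr), reverse=True)  # assumed rule
    without = sorted((f for f in findings if f.vpr is None),
                     key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return with_vpr, without

# Constructed sample data: asset names, plugin IDs, CVE and TVI values are made up.
ASSETS = {"db01": {"tenable_acr": 5, "override_acr": 9},
          "web01": {"tenable_acr": 8}, "kiosk": {"tenable_acr": 3}}
FINDINGS = [
    Finding(100001, "web01", 9.4, "High", cve="CVE-0000-00001"),
    Finding(100002, "db01", 6.7, "Critical", tvi="TVI-0000-00002"),
    Finding(100003, "kiosk", 9.8, "Critical", cve="CVE-0000-00003"),
    Finding(100004, "db01", None, "Info"),
    Finding(100005, "web01", None, "Medium"),
]

if __name__ == "__main__":
    for group in prioritize(FINDINGS, ASSETS):
        print([(display_id(f), f.asset) for f in group])
```

In the sample, the manual override raises db01 from ACR 5 to 9, so its Medium-VPR finding ranks ahead of the Critical-VPR finding on web01 under this ordering.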