Tenable One Scoring Explained: Overview
The building blocks for the Cyber Exposure Score (CES) in the Tenable One Exposure Management Platform are similar to those used for years in Tenable products (e.g., Tenable Vulnerability Management, Tenable Lumin). These mechanisms have to date only been used for vulnerability management data. Tenable One expands these concepts into new realms of the attack surface.
The following concepts are foundational to the scoring utilized in Tenable One:
- Vulnerability Priority Rating (VPR): The severity and exploitability of a given vulnerability. A vulnerability’s VPR is expressed as a number from 0.1 to 10, with higher values corresponding to higher likelihood of the vulnerability leading to a compromise and a higher impact on the asset. This score is found in Tenable Vulnerability Management.
- Asset Criticality Rating (ACR): Rates the criticality of an asset to the organization. An asset’s ACR is expressed as an integer from 1 to 10, with higher values corresponding to the asset being more critical to the business. This score is utilized in Tenable Lumin.
- Asset Exposure Score (AES): A combination of the VPR and ACR of a given asset.
Scoring (Beta) / Legacy Scoring
Tenable is currently updating the way scores are calculated by switching data models. This guide includes information about how scores are calculated using both the "new" and "legacy" Tenable data models.
For more information, see:
Data Timing
Data within Tenable One refreshes on the following cadence:
- Asset Data: Asset information is updated every time the asset is seen as part of a scan.
- Tag Application: When a tag is first created, it can take several hours to assign the tag to the appropriate assets, depending on the number of assets and the tag's rules.
- Tag Reevaluation: Every 12 hours, Tenable One automatically reevaluates tags to ensure they apply to any new assets and are removed from any inactive assets.
Scoring Caveats within Tenable One
The weakness counts and severities within the Score Breakdown tab and other areas within the Tenable Inventory user interface may not match because each segment counts instances differently:
For Tenable Vulnerability Management assets:
- Weakness counts: Distinct CVE counts
- Exposure score counts: Distinct (plugin ID, CVE ID) counts, to allow for recast plugins to affect exposure scores
For Tenable Web App Scanning assets:
- Weakness counts: Number of distinct CVEs + distinct plugins where the plugin has no CVEs but has a VPR
- Exposure score counts: Distinct plugin ID counts with VPR > 0. This is to account for plugin ID vulnerabilities with no CVE and to allow for recast plugins to affect exposure scores.
For Tenable Identity Exposure assets:
- Weakness counts: Distinct IoEs observed directly on the asset
- Exposure score counts: Includes IoEs observed directly on the asset plus those inherited from related assets to account for inherited IoEs in exposure scores
For Tenable Cloud Security assets:
- Weakness counts: Cloud Security misconfigurations plus any CVEs found on the asset
- Exposure score counts: Only Cloud Security misconfigurations are counted for exposure scores.
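
The counting rules above, applied to constructed findings to show why the two numbers diverge for the same asset. This is an added example, not Tenable code; the field names, all identifiers, and the de-duplication of IoEs and misconfigurations by ID are assumptions.

```python
# Added example: constructed findings; field names are hypothetical, not a Tenable schema.
# All CVE, plugin, IoE and misconfiguration identifiers are placeholders.
# Each function returns (weakness_count, exposure_score_count).

def vm_counts(findings):
    """Tenable Vulnerability Management: distinct CVEs vs distinct (plugin ID, CVE ID) pairs."""
    cves = {c for f in findings for c in f["cves"]}
    pairs = {(f["plugin_id"], c) for f in findings for c in f["cves"]}
    return len(cves), len(pairs)

def was_counts(findings):
    """Tenable Web App Scanning: CVEs + CVE-less plugins with a VPR vs plugins with VPR > 0."""
    cves = {c for f in findings for c in f["cves"]}
    cveless = {f["plugin_id"] for f in findings if not f["cves"] and f["vpr"] is not None}
    scored = {f["plugin_id"] for f in findings if (f["vpr"] or 0) > 0}
    return len(cves) + len(cveless), len(scored)

def tie_counts(findings):
    """Tenable Identity Exposure: direct IoEs vs direct plus inherited IoEs."""
    direct = {f["ioe"] for f in findings if not f["inherited"]}
    combined = {f["ioe"] for f in findings}  # assumption: de-duplicated by IoE ID
    return len(direct), len(combined)

def cloud_counts(findings):
    """Tenable Cloud Security: misconfigurations plus CVEs vs misconfigurations only."""
    misconfigs = {f["id"] for f in findings if f["kind"] == "misconfig"}
    cves = {f["id"] for f in findings if f["kind"] == "cve"}
    return len(misconfigs) + len(cves), len(misconfigs)

VM = [  # two plugins report the same CVE; one finding is a repeated instance
    {"plugin_id": 1001, "cves": ["CVE-0000-0001"], "vpr": 7.4},
    {"plugin_id": 1002, "cves": ["CVE-0000-0001", "CVE-0000-0002"], "vpr": 6.1},
    {"plugin_id": 1001, "cves": ["CVE-0000-0001"], "vpr": 7.4},
]
WAS = [  # plugin 2003 has neither a CVE nor a VPR, so it counts nowhere
    {"plugin_id": 2001, "cves": ["CVE-0000-0003"], "vpr": 5.0},
    {"plugin_id": 2002, "cves": [], "vpr": 4.2},
    {"plugin_id": 2003, "cves": [], "vpr": None},
    {"plugin_id": 2004, "cves": ["CVE-0000-0003"], "vpr": 5.0},
]
TIE = [{"ioe": "IOE-A", "inherited": False}, {"ioe": "IOE-B", "inherited": False},
       {"ioe": "IOE-C", "inherited": True}, {"ioe": "IOE-A", "inherited": True}]
CLOUD = [{"kind": "misconfig", "id": "MC-1"}, {"kind": "misconfig", "id": "MC-2"},
         {"kind": "cve", "id": "CVE-0000-0004"}]

if __name__ == "__main__":
    for name, fn, data in (("VM", vm_counts, VM), ("WAS", was_counts, WAS),
                           ("Identity", tie_counts, TIE), ("Cloud", cloud_counts, CLOUD)):
        print(name, "weakness/exposure counts:", fn(data))
```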