Tenable One Scoring Explained: Overview

The building blocks for the Cyber Exposure Score (CES) in the Tenable One Exposure Management Platform are similar to those used for years in Tenable products (e.g., Tenable Vulnerability Management, Tenable Lumin). These mechanisms have to date only been used for vulnerability management data. Tenable One expands these concepts into new realms of the attack surface: Web Applications (Tenable Web App Scanning), Cloud Resources (Legacy Tenable Cloud Security), and Identity (Tenable Identity Exposure).

The following concepts are foundational to the scoring utilized in Tenable One:

  • Vulnerability Priority Rating (VPR): The severity and exploitability of a given vulnerability. A vulnerability’s VPR is expressed as a number from 0.1 to 10, with higher values corresponding to a higher likelihood of the vulnerability leading to a compromise and a higher impact on the asset. This score is found in Tenable Vulnerability Management.

  • Asset Criticality Rating (ACR): Rates the criticality of an asset to the organization. An asset’s ACR is expressed as an integer from 1 to 10, with higher values corresponding to the asset being more critical to the business. This score is utilized in Tenable Lumin.

  • Asset Exposure Score (AES): A combination of the VPR and ACR of a given asset.

Data Timing

Data within Tenable One refreshes on the following cadence:

  • Asset Data: Asset information is updated every time the asset is seen as part of a scan.

  • Tag Application: When a tag is first created, it can take several hours to assign the tag to the appropriate assets, depending on the number of assets and the tag's rules.

  • Tag Reevaluation: Every 12 hours, Tenable One automatically reevaluates tags to ensure they are applied to any new assets and removed from any inactive assets.