Legacy Scoring

The first step in the scoring process is to calculate the AES of each asset. The AES values are then aggregated into the CES by taking their average across a group of assets.

For Tenable One, a consistent approach for computing the AES across the categories involves the following:

  1. Calculate the Vulnerability Density for an asset based on whatever weaknesses are present and the associated severity of those weaknesses. Vulnerability Density takes into account the number of vulnerabilities on that asset, their severity as reflected in the VPR scores, and whether or not those vulnerabilities are remotely discoverable.

  2. Combine this result with the ACR (which can be model-generated or user-defined in the case of VM assets) and then scale the result to produce the AES.

In addition to a CES for each of the categories, a Global CES is also generated by considering the AES across the entire attack surface assessed by Tenable One (i.e., assets from Tenable Vulnerability Management, Tenable Web App Scanning, Tenable Identity Exposure, and Legacy Tenable Cloud Security). These scores are updated within hours of running a scan.

For more information, see the following topics: