Tenable Lumin Metrics

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

Tenable Tenable Lumin uses several metrics to help you assess your risk.

For a demonstration on Tenable Lumin metrics, see the following video:

For information about improving the accuracy of your Tenable Lumin metrics and increasing your overall vulnerability management health, see Improve Your Tenable Lumin Metrics.

Important: Private findings are excluded from all scores in Tenable Lumin. For more information see Findings.

Cyber Exposure Score (CES)

Tenable calculates a dynamic CES that represents exposure risk as an integer between 0 and 1000, based on the Asset Exposure Score (AES) values for assets scanned in the last 90 days. Higher CES values indicate higher risk.

For a demonstration on how Tenable calculates your CES, see the following video:

You can view CES for different groups of assets, including:

  • the overall CES for your entire organization (for example, the CES displayed in the Cyber Exposure Score widget)
  • the tag-level CES for assets in a specific business context (for example, the CES displayed in the Cyber Exposure Score by Business Context/Tag widget).

CES Category CES Range
High 650 to 1000
Medium 350 to 649
Low

0 to 349

To view the CES for your entire organization or for a group of assets, view the widgets on the View the Tenable Lumin Dashboard.

For more information about how long Tenable Vulnerability Management takes to calculate or recalculate your CES, see Tenable Lumin Data Timing.

Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher likelihood of exploit.

For a demonstration on VPR, see the following video:

VPR Category VPR Range
Critical

9.0 to 10.0

High 7.0 to 8.9
Medium 4.0 to 6.9
Low

0.1 to 3.9

Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (for example, many vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Tenable Vulnerability Management provides a VPR value the first time you scan a vulnerability on your network. Then, Tenable Vulnerability Management automatically provides new and updated VPR values daily.

Tenable recommends prioritizing vulnerabilities with the highest VPRs that are present on your assets with the highest ACRs.

To view the VPR for a specific vulnerability, view vulnerabilities as described in View Vulnerabilities by Plugin.

VPR Key Drivers

Tenable uses the following key drivers to calculate a vulnerability's VPR.

Note:Tenable does not customize these values for your organization; VPR key drivers reflect a vulnerability's global threat landscape.

Key Driver

Description
Age of Vuln

The number of days since the National Vulnerability Database (NVD) published the vulnerability.

CVSSv3 Impact Score

The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management displays a Tenable-predicted score.

Exploit Code Maturity

The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.

Product Coverage

The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.

Threat Sources

A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.

Threat Intensity

The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.

Threat Recency

The number of days (0-180) since a threat event occurred for the vulnerability.

Threat Event Examples

Common threat events include:

  • An exploit of the vulnerability
  • A posting of the vulnerability exploit code in a public repository
  • A discussion of the vulnerability in mainstream media
  • Security research about the vulnerability
  • A discussion of the vulnerability on social media channels
  • A discussion of the vulnerability on the dark web and underground
  • A discussion of the vulnerability on hacker forums

Asset Criticality Rating (ACR)

Tenable assigns an ACR to each asset on your network to represent the asset's relative criticality as an integer from 1 to 10. A higher ACR indicates higher criticality.

ACR Category ACR Range
Critical

9 to 10

High 7 to 8
Medium 4 to 6
Low

1 to 3

Because Tenable Vulnerability Management calculates ACR values every 24 hours, you may need to wait up to 24 hours to view the ACR after scanning the asset on your network.

Note: Tenable recommends reviewing your Tenable-provided ACR values and overriding them, if necessary. You can customize ACR values to reflect the unique infrastructure or needs of your organization, as described in Edit an ACR.

If an asset receives multiple ACR values, Tenable Vulnerability Management prioritizes the values in the following order:

  1. If set, the manually overridden ACR value.
  2. The Tenable-provided ACR value.

To view the ACR for a specific asset, view the asset details as described in View Asset Details.

ACR Key Drivers

Tenable uses the following key drivers to calculate an asset's Tenable-provided ACR.

Note: Tenable does not customize these values for your organization; ACR key drivers reflect the global threat landscape associated with the asset's characteristics.

Note: Running unauthenticated scans may result in limited or incomplete ACR key drivers.

Asset Exposure Score (AES)

Tenable calculates a dynamic AES for each asset on your network to represent the asset's relative exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.

Tenable calculates AES based on the current ACR (Tenable-provided or custom) and the VPRs associated with the asset.

AES Category AES Range
High 650 to 1000
Medium 350 to 649
Low

0 to 349

To view the AES for a specific asset, see View Assets.

Assessment Maturity Grade

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more information, contact your Tenable representative.

Assessment Maturity provides a high-level summary of how effectively you are scanning for vulnerabilities on your licensed assets. Tenable calculates a dynamic Assessment Maturity grade that represents your assessment scanning health as a letter grade between A and F. An A grade indicates you are assessing your assets frequently and thoroughly.

Tenable provides an Assessment Maturity grade the first time you scan. Then, Tenable Vulnerability Management automatically provides an updated Assessment Maturity grade daily.

Assessment Maturity Letter Grade Numerical Range
A 75 to 100
B 55 to 74
C 30 to 54
D 15 to 29
F 0 to 14

How is my Assessment Maturity calculated?

Scan Depth Score

A high depth grade indicates you are running authenticated scans on these assets.

Depth Grade Letter Grade Numerical Range
A 75 to 100
B 55 to 74
C 30 to 54
D 15 to 29
F 0 to 14

Scan Frequency Score

Tenable calculates your frequency grade based on how often you scan assets on your network. A high frequency grade indicates you are scanning your assets often.

Frequency Grade Letter Grade Numerical Range
A 75 to 100
B 55 to 74
C 30 to 54
D 15 to 29
F 0 to 14

To view your Assessment Maturity grade, depth grade, and frequency grade, see View Assessment Maturity Details.

For more information about how long Tenable Vulnerability Management takes to calculate or recalculate your Assessment Maturity grade, see Tenable Lumin Data Timing.

Remediation Maturity Grade

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more information, contact your Tenable representative.

Remediation Maturity provides a high-level summary of how effectively you are remediating vulnerabilities on your licensed assets. Tenable calculates a dynamic Remediation Maturity grade that represents your remediation health as a letter grade between A and F. An A grade indicates you are remediating the vulnerabilities on your assets quickly and thoroughly.

Remediation Maturity Letter Grade Numerical Range
A 75 to 100
B 55 to 74
C 30 to 54
D 15 to 29
F 0 to 14

Your Remediation Maturity grade is the combination of your Remediation Maturityremediation responsiveness grade and your Remediation Maturityremediation coverage grade.

Tenable provides a Remediation Maturity grade the first time you remediate a vulnerability. Then, Tenable Lumin automatically provides an updated Remediation Maturity grade daily.

Remediation Responsiveness Grade

Tenable calculates your remediation responsiveness grade based on how long it takes you to remediate a vulnerability after it is first discovered (the First Seen date).

A high remediation responsiveness grade indicates you are quickly remediating the vulnerabilities on your assets.

Remediation Responsiveness Letter Grade Numerical Range
A 75 to 100
B 55 to 74
C 30 to 54
D 15 to 29
F 0 to 14

Remediation Coverage Grade

Tenable calculates your remediation coverage grade based on the percentage of remediated vulnerabilities on your assets.

A high remediation coverage grade indicates you are remediating a high percentage of the vulnerabilities on your assets.

Remediation Coverage Letter Grade Numerical Range
A 75 to 100
B 55 to 74
C 30 to 54
D 15 to 29
F 0 to 14

To view your Remediation Maturity grade, remediation responsiveness grade, and remediation coverage grade, see View Remediation Maturity Details.

For more information about how long Tenable Lumin takes to calculate or recalculate your Remediation Maturity grade, see Tenable Lumin Data Timing.