Tenable Lumin Metrics

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

The standalone Tenable Lumin SKU's will reach End of Sale (EOS) on March 31, 2025. Customers currently using Tenable Lumin and Tenable Lumin Connector will be upgraded to the Tenable One Platform for both new and renewal purchases. Contact your CSM if you want to migrate before this date to take advantage of all Tenable One capabilities. For more information, see the Tenable Lumin End of Sale Bulletin.

Tenable Tenable Lumin uses several metrics to help you assess your risk.

Cyber Exposure Score (CES)
Vulnerability Priority Rating (VPR)
Asset Criticality Rating (ACR)
Asset Exposure Score (AES)
Assessment Maturity Grade
Remediation Maturity Grade

For information about improving the accuracy of your Tenable Lumin metrics and increasing your overall vulnerability management health, see Improve Your Tenable Lumin Metrics.

Important: Private findings are excluded from all scores in Tenable Lumin. For more information see Findings.

Cyber Exposure Score (CES)

Tenable calculates a dynamic CES that represents exposure risk as an integer between 0 and 1000, based on the Asset Exposure Score (AES) values for assets scanned in the last 90 days. Higher CES values indicate higher risk.

You can view CES for different groups of assets, including:

the overall CES for your entire organization (for example, the CES displayed in the Cyber Exposure Score widget)
the tag-level CES for assets in a specific business context (for example, the CES displayed in the Cyber Exposure Score by Business Context/Tag widget).

CES Category	CES Range
High	650 to 1000
Medium	350 to 649
Low	0 to 349

To view the CES for your entire organization or for a group of assets, view the widgets on the View the Tenable Lumin Dashboard.

For more information about how long Tenable Vulnerability Management takes to calculate or recalculate your CES, see Tenable Lumin Data Timing.

Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher likelihood of exploit.

VPR Category	VPR Range
Critical	9.0 to 10.0
High	7.0 to 8.9
Medium	4.0 to 6.9
Low	0.1 to 3.9

Note: Vulnerabilities without CVEs (for example, many vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Tenable Vulnerability Management provides a VPR value the first time you scan a vulnerability on your network. Then, Tenable Vulnerability Management automatically provides new and updated VPR values daily.

Tenable recommends prioritizing vulnerabilities with the highest VPRs that are present on your assets with the highest ACRs.

To view the VPR for a specific vulnerability, view vulnerabilities as described in Findings.

VPR Key Drivers

Tenable uses the following key drivers to calculate a vulnerability's VPR.

Note:Tenable does not customize these values for your organization; VPR key drivers reflect a vulnerability's global threat landscape.

Key Driver	Description
Age of Vuln	The number of days since the National Vulnerability Database (NVD) published the vulnerability.
CVSSv3 Impact Score	The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management displays a Tenable-predicted score.
Exploit Code Maturity	The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.
Product Coverage	The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.
Threat Sources	A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.
Threat Intensity	The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.
Threat Recency	The number of days (0-180) since a threat event occurred for the vulnerability.

Threat Event Examples

Common threat events include:

An exploit of the vulnerability
A posting of the vulnerability exploit code in a public repository
A discussion of the vulnerability in mainstream media
Security research about the vulnerability
A discussion of the vulnerability on social media channels
A discussion of the vulnerability on the dark web and underground
A discussion of the vulnerability on hacker forums

Asset Criticality Rating (ACR)

Tenable assigns an ACR to each asset on your network to represent the asset's relative criticality as an integer from 1 to 10. A higher ACR indicates higher criticality.

ACR Category	ACR Range
Critical	9 to 10
High	7 to 8
Medium	4 to 6
Low	1 to 3

Because Tenable Vulnerability Management calculates ACR values every 24 hours, you may need to wait up to 24 hours to view the ACR after scanning the asset on your network.

Note: Tenable recommends reviewing your Tenable-provided ACR values and overriding them, if necessary. You can customize ACR values to reflect the unique infrastructure or needs of your organization, as described in Edit an ACR.

If an asset receives multiple ACR values, Tenable Vulnerability Management prioritizes the values in the following order:

If set, the manually overridden ACR value.
The Tenable-provided ACR value.

To view the ACR for a specific asset, view the asset details as described in View Asset Details.

ACR Key Drivers

Tenable uses the following key drivers to calculate an asset's Tenable-provided ACR.

Note: Tenable does not customize these values for your organization; ACR key drivers reflect the global threat landscape associated with the asset's characteristics.

Note: Running unauthenticated scans may result in limited or incomplete ACR key drivers.

Key Driver Types:

Key Driver	Description
device_type	The device type. For example: hypervisor — The device is a Type-1 hypervisor that hosts a virtual machine (e.g., Microsoft Hyper-V, VMware ESX/ESXi, or Xen). printer — The device is a networked printer or a printing server.
device_capability	The device's business purpose. For example: file_server — The device is a server that provides file sharing services (e.g., an FTP, SMB, NFS, or NAS server). mail_server — The device is a server designated for sending and receiving emails.
internet_exposure	The device's location on your network and proximity to the internet. For example: internal — The device is located within your local area network (LAN), possibly behind a firewall. external — The device is located outside your LAN and not behind a firewall.

Key Driver

Description

device_type

The device type. For example:

hypervisor — The device is a Type-1 hypervisor that hosts a virtual machine (e.g., Microsoft Hyper-V, VMware ESX/ESXi, or Xen).
printer — The device is a networked printer or a printing server.

device_capability

The device's business purpose. For example:

file_server — The device is a server that provides file sharing services (e.g., an FTP, SMB, NFS, or NAS server).
mail_server — The device is a server designated for sending and receiving emails.

internet_exposure

The device's location on your network and proximity to the internet. For example:

internal — The device is located within your local area network (LAN), possibly behind a firewall.
external — The device is located outside your LAN and not behind a firewall.

ACR Device Capabilities:

Part of ACR device capabilities are defined by which software is installed on the target host.

Capability	Description	Software or Services
accounting_system	An accounting solution is installed on the target asset.	Intuit Quickbooks
backup_agent	A backup solution agent is installed on the target asset.	Amanda backup (agent)
analytics_system	A software solution for data analytics and reporting is installed on the target host.	QlikView
		TIBCO Spotfire
		IBM SPSS
		SharePoint 2013
		SOLR
		Elasticsearch
		Enterprise Search
		Google Search Appliance
		Lucene
		SQL Server Reporting Services
		Oracle BI publisher
		SAP Business Object
backup_server	An enterprise backup solution is installed or running on the target host.	Acronis Backup
		Quest NetVault
		Unitrends Enterprise Backup
		Veritas Backup Exec
		Spectrum Protect (formerly Tivoli Storage Manager)
crm_system	A Customer Relation Management (CRM) solution is installed or running on the target host	SugarCRM
		Bitrix24 CRM
		Siebel CRM
database_server	A database system is installed on the target host or a database server is running on the target host.	PostgreSQL
		Microsoft SQL Server
		MongoDB
		Oracle Database
		Db2 Hosted
		Percona XtraDB Cluster
		IBM Informix
		PostgreSQL
		Percona Server
		MariaDB Cluster
		MySQL
		Microsoft SQL Server
		SAP Adaptive Server Enterprise (ASE)
		MariaDB Server
		SQLite
		Apache Derby Network Server
		SAP DB
		Cogent Datahub Server
directory_server	The target asset is an authentication server.	McAfee Stonegate Authentication Server
		Kerberos Ticketing Server
		LDAP protocol
		IBM Tivoli
		Stonegate Auth Server
dns_server	A DNS server is running on the target asset.	DNS Service on Port 53
erp_system	An Enterprise Resource Planning Suite server is running or is installed on the target asset.	Microsoft Dynamics AX
		Oracle E-Business Suite
		SAP ERP
		Microsoft Dynamics GP
		SAP DB
		SAPControl
		SAP RMI-P4 Protocol Service
		SAP Host Control
		Apache OFBiz
erp_system_client	The target asset has installed a client software for accessing ERP systems.	SAP GUI
file_server	The target asset is used for file sharing purposes. The file sharing here is a narrow sense. SMB server is not considered as a file server in this classification.	WebCenter
		ownCloud
		Sharepoint
		Oracle WebCenter Content
		Sharepoint
		FTP service
		Apple File Protocol (AFP) service
		Network File System (NFS) Server Detection
helpdesk_system	A help desk ticketing server is installed or running on the target asset.	SugarCRM
		Track-It!
		ServiceDesk Plus
		OTRS
		ManageEngine Service Desk
it_management_system	The target asset performs some types of IT management function. It can be IT infrastructure management, including managing a single or a group of devices or services, or IT service management such as software provisioning, device, or software repository management.	Application Insight
		Solarwinds Server & Application Monitor
		ManageEngine Application Performance Monitoring
		System Center Operations Manager
		Applications Manager- ManageEngine
		ManageEngine Desktop Central
		Ghost Solution Suite
		ZENworks - Configuration Management
		IBM BigFix
		System Center Configuration Manager
		CA Unified Infrastructure Management
		Centreon
		VMware vRealize Operations
		OpManager
		Nagios XI
		SCOM
		PRTG Network Monitor
		Zabbix
		SolarWinds Storage Resource Monitor
		GroundWork Monitor
		Pandora FMS
		Tivoli Monitoring
		OP5 Monitor
		NetFlow Traffic Analyzer
		PRTG Network Monitor
		Cisco Prime Infrastructure
		H3C Intelligent Management Center
		ZENworks Asset Management
		ManageEngine Desktop Central
		Unified Endpoint Manager
		Google Analytics
		Cisco Prime Infrastructure
		H3C Intelligent Management Center
		HP 3PAR Management Server
		Ghost Solution Suite
		Fortigate Firewall Management Console
		Barracuda Spam & Virus Firewall Management Web Console
mail_server	The target asset is a mail server.	IBM Domino
		IMAP Service Detection
		CCProxy SMTP Server Detection
		SMTP Service Detection
		POP Service Detection
pci	The target asset has PCI sensitive information.	PCI Plugin Fired
pci-target	The target asset is a PCI scan target.	"pci" Keyword Found in Scan Name
proxy_server	The target asset is a proxy server.	Oracle iPlanet Web Proxy Server
		HTTP proxy Detected in Service Banner
		McAfee Email Gateway
reverse_proxy_server	The target asset is a reverse proxy that directs external client requests to internal servers. A reverse proxy can be an ADC or a load-balancer.	NetApp SANtricity Web Services Proxy
reverse_proxy_server		Foreman Smart-Proxy TFTP
rnd_software	The target asset is for development purposes because product development software is installed on it.	Red Hat Mobile Application Platform
		Application Testing Suite
		Windows Visual Studio
		AutoCAD
		MAC OS Xcode IDE
		Autodesk DWG TrueView Detection
scada	Software systems used for managing industrial processes are installed or running on the target asset.	AVEVA InduSoft Web Studio / InTouch Edge HMI TCP/IP Server
scada		Trihedral VTScada Detection
upnp	The target asset supports UPnP. It is likely to be an appliance.	UPnP service detection
web_application_server	There is a web application server running or installed on the target asset. Having a web application server running on the target asset does not necessarily indicate its criticality. But it can hint criticality when used in together with some properties, e.g. web application server + external + server device type = high criticality.	Geronimo
		Resin
		Tuxedo
		Tomcat
		Jetty
		Red Hat OpenShift
		Microsoft .NET Platform
		Red Hat Jboss EAP
		WebLogic Server
		Magento
		WebSphere Commerce
		Cobalt
		DNN Platform
		Umbraco
		Oracle WebCenter Sites
		Glassfish
		nginx
		Microsoft IIS

Asset Exposure Score (AES)

Tenable calculates a dynamic AES for each asset on your network to represent the asset's relative exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.

Tenable calculates AES based on the current ACR (Tenable-provided or custom) and the VPRs associated with the asset.

AES Category	AES Range
High	650 to 1000
Medium	350 to 649
Low	0 to 349

To view the AES for a specific asset, see Assets.

Assessment Maturity Grade

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more information, contact your Tenable representative.

Assessment Maturity provides a high-level summary of how effectively you are scanning for vulnerabilities on your licensed assets. Tenable calculates a dynamic Assessment Maturity grade that represents your assessment scanning health as a letter grade between A and F. An A grade indicates you are assessing your assets frequently and thoroughly.

Tenable provides an Assessment Maturity grade the first time you scan. Then, Tenable Vulnerability Management automatically provides an updated Assessment Maturity grade daily.

Assessment Maturity Letter Grade	Numerical Range
A	75 to 100
B	55 to 74
C	30 to 54
D	15 to 29
F	0 to 14

How is my Assessment Maturity calculated?

For asset scores:
- Scan Frequency score — How often the asset was scanned within the last 90 days
- Scan Depth score — Whether or not the asset was in an authenticated scan within the last 90 days
- Assessment Maturity score — A calculation of (Scan Frequency score + Scan Depth score) / 2
For a container/business context score:
- Scan Frequency score — the average of the asset Scan Frequency scores
- Scan Depth score — the average of the asset Scan Depth scores
- Assessment Maturity score — the average of the asset Assessment Maturity scores

Scan Depth Score

A high depth grade indicates you are running authenticated scans on these assets.

Depth Grade Letter Grade	Numerical Range
A	75 to 100
B	55 to 74
C	30 to 54
D	15 to 29
F	0 to 14

Scan Frequency Score

Tenable calculates your frequency grade based on how often you scan assets on your network. A high frequency grade indicates you are scanning your assets often.

Frequency Grade Letter Grade	Numerical Range
A	75 to 100
B	55 to 74
C	30 to 54
D	15 to 29
F	0 to 14

To view your Assessment Maturity grade, depth grade, and frequency grade, see View Assessment Maturity Details.

For more information about how long Tenable Vulnerability Management takes to calculate or recalculate your Assessment Maturity grade, see Tenable Lumin Data Timing.

Remediation Maturity Grade

Remediation Maturity provides a high-level summary of how effectively you are remediating vulnerabilities on your licensed assets. Tenable calculates a dynamic Remediation Maturity grade that represents your remediation health as a letter grade between A and F. An A grade indicates you are remediating the vulnerabilities on your assets quickly and thoroughly.

Remediation Maturity Letter Grade	Numerical Range
A	75 to 100
B	55 to 74
C	30 to 54
D	15 to 29
F	0 to 14

Your Remediation Maturity grade is the combination of your Remediation Maturityremediation responsiveness grade and your Remediation Maturityremediation coverage grade.

Tenable provides a Remediation Maturity grade the first time you remediate a vulnerability. Then, Tenable Lumin automatically provides an updated Remediation Maturity grade daily.

Remediation Responsiveness Grade

Tenable calculates your remediation responsiveness grade based on how long it takes you to remediate a vulnerability after it is first discovered (the First Seen date).

A high remediation responsiveness grade indicates you are quickly remediating the vulnerabilities on your assets.

Remediation Responsiveness Letter Grade	Numerical Range
A	75 to 100
B	55 to 74
C	30 to 54
D	15 to 29
F	0 to 14

Remediation Coverage Grade

Tenable calculates your remediation coverage grade based on the percentage of remediated vulnerabilities on your assets.

A high remediation coverage grade indicates you are remediating a high percentage of the vulnerabilities on your assets.

Remediation Coverage Letter Grade	Numerical Range
A	75 to 100
B	55 to 74
C	30 to 54
D	15 to 29
F	0 to 14

To view your Remediation Maturity grade, remediation responsiveness grade, and remediation coverage grade, see View Remediation Maturity Details.

For more information about how long Tenable Lumin takes to calculate or recalculate your Remediation Maturity grade, see Tenable Lumin Data Timing.