WeaverScore Risk Scoring
WeaverScore is ThreatWeaver's composite risk scoring algorithm. It combines multiple risk signals into a single 0-100 priority score, enabling security teams to focus remediation effort where it matters most.
Scoring Model
Scoring Factors
CVSS Base Score (30% weight)
The Common Vulnerability Scoring System base score (0-10) from the National Vulnerability Database. Captures the intrinsic characteristics of the vulnerability -- attack vector, complexity, privileges required, and impact.
Tenable VPR (25% weight)
Tenable's Vulnerability Priority Rating considers real-world threat intelligence, exploit maturity, and active exploitation data. Higher VPR indicates more actively targeted vulnerabilities.
EPSS Probability (20% weight)
The Exploit Prediction Scoring System provides a probability (0-1) that the vulnerability will be exploited in the wild within the next 30 days. Based on machine learning models trained on historical exploitation data.
Asset Criticality (15% weight)
Business impact rating of the affected asset (1-5 scale):
| Level | Label | Examples |
|---|---|---|
| 5 | Crown Jewel | Production databases, payment systems, customer PII stores |
| 4 | Business Critical | Primary web applications, authentication services |
| 3 | Standard | Internal applications, development servers |
| 2 | Low Impact | Test environments, isolated labs |
| 1 | Minimal | Decommissioned systems, archive hosts |
Vulnerability Age (5% weight)
How long the vulnerability has been open. Older vulnerabilities receive higher urgency scores, reflecting the increased risk from prolonged exposure.
| Age Range | Multiplier |
|---|---|
| 0-7 days | 1.0x |
| 8-30 days | 1.2x |
| 31-90 days | 1.5x |
| 91-180 days | 1.8x |
| 180+ days | 2.0x |
Network Exposure (5% weight)
Whether the affected asset is internet-facing, DMZ, internal, or isolated:
| Exposure | Score Boost |
|---|---|
| Internet-facing | +10 |
| DMZ | +5 |
| Internal | 0 |
| Isolated / air-gapped | -5 |
Score Interpretation
| Score Range | Priority | Action |
|---|---|---|
| 90-100 | Critical | Immediate remediation required |
| 70-89 | High | Remediate within SLA (typically 7 days) |
| 50-69 | Medium | Schedule for upcoming sprint |
| 30-49 | Low | Track and plan remediation |
| 0-29 | Informational | Accept risk or defer |
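The following is an added worked example of the weighting scheme and priority bands described above; it is not ThreatWeaver's own code. The page does not say how the age multiplier and the exposure boost are normalised before their 5% weights are applied, so the mappings marked ASSUMPTION below (1.0x..2.0x to 0..100, and -5..+10 to 0..100) are illustrative choices, not the product's behaviour.

```python
# Weights as published on this page (sum to 1.0).
WEIGHTS = {"cvss": 0.30, "vpr": 0.25, "epss": 0.20,
           "criticality": 0.15, "age": 0.05, "exposure": 0.05}

# Age buckets: (inclusive upper bound in days, multiplier); 180+ days -> 2.0x.
AGE_MULTIPLIERS = [(7, 1.0), (30, 1.2), (90, 1.5), (180, 1.8)]
# Exposure boosts from the Network Exposure table.
EXPOSURE_BOOST = {"internet-facing": 10, "dmz": 5, "internal": 0, "isolated": -5}
# Lower bound of each priority band from the Score Interpretation table.
PRIORITY_BANDS = [(90, "Critical"), (70, "High"), (50, "Medium"),
                  (30, "Low"), (0, "Informational")]


def age_multiplier(age_days: int) -> float:
    """Look up the multiplier for how long the finding has been open."""
    for upper, mult in AGE_MULTIPLIERS:
        if age_days <= upper:
            return mult
    return 2.0


def weaver_score(cvss: float, vpr: float, epss: float, criticality: int,
                 age_days: int, exposure: str) -> float:
    """Composite 0-100 score: each factor is scaled to 0-100, then weighted."""
    if not (0 <= cvss <= 10 and 0 <= vpr <= 10 and 0 <= epss <= 1):
        raise ValueError("cvss/vpr must be 0-10 and epss 0-1")
    if criticality not in range(1, 6) or age_days < 0:
        raise ValueError("criticality must be 1-5 and age_days >= 0")
    factors = {
        "cvss": cvss * 10,                       # 0-10  -> 0-100
        "vpr": vpr * 10,                         # 0-10  -> 0-100
        "epss": epss * 100,                      # 0-1   -> 0-100
        "criticality": (criticality - 1) / 4 * 100,  # 1-5 -> 0-100
        # ASSUMPTION: age multiplier 1.0x -> 0, 2.0x -> 100.
        "age": (age_multiplier(age_days) - 1.0) * 100,
        # ASSUMPTION: exposure boost -5 -> 0, +10 -> 100.
        "exposure": (EXPOSURE_BOOST[exposure.lower()] + 5) / 15 * 100,
    }
    score = sum(WEIGHTS[name] * value for name, value in factors.items())
    return round(min(100.0, max(0.0, score)), 1)


def priority(score: float) -> str:
    """Map a WeaverScore to the priority label from the interpretation table."""
    for lower, label in PRIORITY_BANDS:
        if score >= lower:
            return label
    return "Informational"
```

Note that a stale, internet-facing finding on a Crown Jewel asset can only move roughly 10 points on the age and exposure factors combined, so under these weights CVSS, VPR and EPSS dominate the final priority.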
How WeaverScore Feeds the Platform
The WeaverScore powers several downstream features:
- Dashboard KPIs -- Risk distribution charts, severity trends, and anomaly detection all reference WeaverScore
- VFP Fix Planner -- Work packages are ranked by aggregate WeaverScore across grouped vulnerabilities
- SLA Enforcement -- SLA policies use WeaverScore thresholds to determine remediation deadlines
- Executive Summaries -- AI-generated summaries reference WeaverScore distributions for risk narratives
Data Pipeline
The aggregationService (approximately 2900 lines) is the core computation engine. It pre-computes WeaverScores during aggregation passes and caches results for fast dashboard rendering.
Related Pages
- Tenable Sync -- How data flows from Tenable.io into ThreatWeaver
- Exposure Management Overview -- Module overview and architecture