Safety levels
| Score | Level | What it means |
|---|---|---|
| 0 – 19 | Low risk | No significant exposure. Keep scanning to stay covered. |
| 20 – 39 | Watch | A few open issues — review and fix them when you can. |
| 40 – 69 | Elevated risk | Serious open issues across your assets. Prioritise remediation. |
| 70 – 100 | Critical risk | Severe, likely-exploitable exposure. Act now. |
What drives the score
- Open vulnerabilities — the foundation. The more open findings you have, and the more severe they are, the higher the score. Critical and high findings move it far more than medium and low ones. Once a finding is fixed or dismissed it stops counting.
- Known-exploited issues raise it sharply. A vulnerability listed in the CISA Known Exploited Vulnerabilities (KEV) catalog is being used in real-world attacks, so it weighs much more than its severity alone.
- WAF protection lowers it. Web assets sitting behind a Web Application Firewall are partially shielded, so they reduce the score. The CyStack WAF and reputable third-party WAFs (Cloudflare, Akamai, Imperva, AWS WAF, …) count equally.
- Confirmed exposure raises the score. Some findings aren’t a guess from a version number — they are proven direct access, such as a service reachable with default credentials or with no authentication at all. These push the score higher on top of everything else.
- Open data leaks raise the score. If a domain you monitor has leaked credentials still circulating (via Data Leak Monitoring), that is a direct exposure regardless of your vulnerability state, so it pushes the score up.
- The “can’t look safe” rule. If you have any known-exploited vulnerability, a service open with default/no credentials, or an unresolved data leak, the score is held at Elevated at minimum. A workspace with an actively-exploitable hole or leaked passwords in the wild should never read as “Low risk”.
How to bring it down
- Remediate critical and high findings first — they carry the most weight.
- Fix anything flagged KEV, confirmed access, or an open data leak immediately; these keep the score from dropping below Elevated.
- Put public web assets behind a WAF (CyStack or a third party) to earn the protection discount.
- Rotate credentials and resolve leaked accounts so they no longer count as open.
- Mark genuine false positives as resolved so they no longer raise the score unnecessarily.
The score is computed entirely from your own workspace data and refreshes within moments of new scan results — there is nothing to configure.
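The scoring rules above, as an added illustration that is not CyStack's own code: the weights, multipliers and discount are assumptions chosen only to reproduce the described behaviour (severity-weighted open findings, KEV and confirmed-exposure uplift, WAF discount, data-leak uplift, and the Elevated floor), and the findings are constructed.

```python
from dataclasses import dataclass

# Illustrative weights only (assumption): CyStack does not publish its formula.
SEVERITY_WEIGHT = {"critical": 25, "high": 15, "medium": 5, "low": 1}
KEV_MULTIPLIER = 2.0           # KEV entries count far beyond raw severity
CONFIRMED_EXPOSURE_BONUS = 20  # proven access (default or no credentials)
DATA_LEAK_BONUS = 20           # each unresolved leak from Data Leak Monitoring
WAF_DISCOUNT = 0.5             # web assets behind CyStack or a third-party WAF
ELEVATED_FLOOR = 40            # the "can't look safe" rule

@dataclass
class Finding:
    severity: str
    status: str = "open"          # "open", "fixed" or "dismissed"
    kev: bool = False
    confirmed_exposure: bool = False
    behind_waf: bool = False

def safety_score(findings, open_data_leaks=0):
    """Return a 0-100 score; only open findings and unresolved leaks count."""
    total = 0.0
    hold_floor = open_data_leaks > 0
    for f in findings:
        if f.status != "open":     # fixed or dismissed findings stop counting
            continue
        weight = SEVERITY_WEIGHT[f.severity.lower()]
        if f.kev:
            weight *= KEV_MULTIPLIER
            hold_floor = True
        if f.behind_waf:
            weight *= WAF_DISCOUNT
        if f.confirmed_exposure:   # added on top of everything else
            weight += CONFIRMED_EXPOSURE_BONUS
            hold_floor = True
        total += weight
    total += open_data_leaks * DATA_LEAK_BONUS
    score = min(100, int(round(total)))
    return max(score, ELEVATED_FLOOR) if hold_floor else score

def safety_level(score):
    if score < 20:
        return "Low risk"
    if score < 40:
        return "Watch"
    if score < 70:
        return "Elevated risk"
    return "Critical risk"

if __name__ == "__main__":
    # Constructed workspace: a single medium KEV finding holds the score at Elevated.
    ws = [Finding("medium", kev=True), Finding("critical", status="fixed")]
    s = safety_score(ws)
    print(s, safety_level(s))  # prints "40 Elevated risk"
```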