# Risk Score

> What the workspace risk score means, what drives it, and how to bring it down

The **risk score** is a single number from **0 to 100** that summarizes how exposed your workspace is right now. **Higher means more risk.** It appears on the dashboard as a colored ring with a safety level and updates automatically as scans finish and you triage findings.

It is designed to answer one question at a glance: *how worried should I be today?* Instead of just counting vulnerabilities, it weighs how serious they are, whether attackers are already exploiting them, whether your assets are protected, and whether your credentials are already circulating in data leaks.

## Safety levels

| Score        | Level             | What it means                                                   |
| ------------ | ----------------- | --------------------------------------------------------------- |
| **0 – 19**   | **Low risk**      | No significant exposure. Keep scanning to stay covered.         |
| **20 – 39**  | **Watch**         | A few open issues — review and fix them when you can.           |
| **40 – 69**  | **Elevated risk** | Serious open issues across your assets. Prioritise remediation. |
| **70 – 100** | **Critical risk** | Severe, likely-exploitable exposure. Act now.                   |

<Tip>
  Hover the score on the dashboard to see a breakdown of the factors below, so you can tell *why* the number is what it is.
</Tip>

## What drives the score

**Open vulnerabilities — the foundation.** The more open findings you have, and the more severe they are, the higher the score. Critical and high findings move it far more than medium and low ones. Once a finding is fixed or dismissed it stops counting.

**Known-exploited issues raise it sharply.** A vulnerability listed in the CISA *Known Exploited Vulnerabilities* (KEV) catalog is being used in real-world attacks, so it weighs much more than its severity alone.

**WAF protection lowers it.** Web assets sitting behind a Web Application Firewall are partially shielded, so they reduce the score. The **CyStack WAF** and reputable **third-party WAFs** (Cloudflare, Akamai, Imperva, AWS WAF, …) count equally.

**Confirmed exposure raises the score.** Some findings aren't a guess from a version number — they are *proven* direct access, such as a service reachable with **default credentials** or with **no authentication** at all. These push the score higher on top of everything else.

**Open data leaks raise the score.** If a domain you monitor has leaked credentials still circulating (via **Data Leak Monitoring**), that is a direct exposure regardless of your vulnerability state, so it pushes the score up.

**The "can't look safe" rule.** If you have *any* known-exploited vulnerability, a service open with default/no credentials, or an unresolved data leak, the score is held at **Elevated** at minimum. A workspace with an actively-exploitable hole or leaked passwords in the wild should never read as "Low risk".

## How to bring it down

* Remediate **critical** and **high** findings first — they carry the most weight.
* Fix anything flagged **KEV**, **confirmed access**, or an **open data leak** immediately; these keep the score from dropping below Elevated.
* Put public web assets behind a **WAF** (CyStack or a third party) to earn the protection discount.
* Rotate credentials and resolve leaked accounts so they no longer count as open.
* Mark genuine **false positives** as resolved so they no longer raise the score unnecessarily.
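
As an added illustration, not CyStack's own scoring formula (the page does not publish its weights), the Python below models the factors described under "What drives the score" and shows how the remediation steps in this list change the result: severity-weighted open findings, a KEV uplift, a WAF discount, confirmed-access and data-leak penalties, and the "can't look safe" floor that holds the score at Elevated. Every weight, the `Finding` and `Workspace` types, and the `score_breakdown` and `remediation_demo` functions are assumptions constructed for this example.

```python
"""Illustrative workspace risk-score model (added example, not CyStack's formula).

All weights are assumptions chosen only to reproduce the behaviour the
documentation describes: severity weighting, KEV uplift, WAF discount,
confirmed access, open data leaks, and the floor at "Elevated risk".
"""
from dataclasses import dataclass, field

# Assumed weights (constructed for illustration only).
SEVERITY_WEIGHT = {"critical": 12.0, "high": 8.0, "medium": 3.0, "low": 1.0}
KEV_MULTIPLIER = 3.0            # known-exploited findings count several times over
WAF_DISCOUNT = 0.5              # findings on a WAF-protected web asset count half
CONFIRMED_ACCESS_POINTS = 15.0  # proven default-credential / no-auth access, on top of severity
OPEN_LEAK_POINTS = 10.0         # per monitored domain with credentials still circulating
ELEVATED_FLOOR = 40             # lower bound of the "Elevated risk" band


@dataclass
class Finding:
    severity: str                   # critical | high | medium | low
    status: str = "open"            # open | fixed | dismissed | false_positive
    kev: bool = False               # listed in the CISA KEV catalog
    behind_waf: bool = False        # asset sits behind CyStack or a third-party WAF
    confirmed_access: bool = False  # proven default credentials or no authentication


@dataclass
class Workspace:
    findings: list = field(default_factory=list)  # list of Finding
    open_data_leaks: int = 0        # domains with unresolved leaked credentials


def safety_level(score: int) -> str:
    """Map a 0-100 score onto the safety levels from the table above."""
    if score <= 19:
        return "Low risk"
    if score <= 39:
        return "Watch"
    if score <= 69:
        return "Elevated risk"
    return "Critical risk"


def score_breakdown(ws: Workspace) -> dict:
    """Return the score plus the per-factor contributions behind it (the 'hover' view)."""
    parts = {"vulnerabilities": 0.0, "kev_uplift": 0.0, "waf_discount": 0.0,
             "confirmed_access": 0.0, "data_leaks": 0.0}
    floor = 0
    for f in ws.findings:
        if f.status != "open":
            continue  # fixed, dismissed and false-positive findings stop counting
        base = SEVERITY_WEIGHT[f.severity]
        parts["vulnerabilities"] += base
        if f.kev:
            parts["kev_uplift"] += base * (KEV_MULTIPLIER - 1)
            floor = ELEVATED_FLOOR
        if f.behind_waf:
            parts["waf_discount"] -= base * (1 - WAF_DISCOUNT)
        if f.confirmed_access:
            parts["confirmed_access"] += CONFIRMED_ACCESS_POINTS
            floor = ELEVATED_FLOOR
    if ws.open_data_leaks:
        parts["data_leaks"] += OPEN_LEAK_POINTS * ws.open_data_leaks
        floor = ELEVATED_FLOOR
    raw = max(0.0, min(100.0, sum(parts.values())))
    score = max(int(round(raw)), floor)   # the "can't look safe" rule
    parts["floor_applied"] = score > round(raw)
    return {"score": score, "level": safety_level(score), **parts}


def remediation_demo() -> tuple:
    """Constructed workspace: score before and after fixing its one KEV finding."""
    ws = Workspace(findings=[
        Finding("high", kev=True),              # exploited in the wild: uplift + floor
        Finding("high", behind_waf=True),       # shielded by a WAF: discounted
        Finding("low"),
        Finding("critical", status="fixed"),    # already remediated: ignored
    ])
    before = score_breakdown(ws)
    ws.findings[0].status = "fixed"             # remediate the KEV finding
    after = score_breakdown(ws)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), remediation_demo()):
        print(label, result)
```

Running the demo shows the floor in action: the open findings only sum to 29 points, yet the KEV entry pins the workspace at 40 ("Elevated risk"); fixing that single finding lets the score fall to 5 ("Low risk"), while the WAF-protected asset contributes half of what an unprotected one would.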

<Note>
  The score is computed entirely from your own workspace data and refreshes within moments of new scan results — there is nothing to configure.
</Note>
