Detectify is aiming to make security understandable and easy to work with. That is why we visualize your security status in several ways in the tool: Your graph shows your progress over time and your Threat Score gives you an instant security level ranking. In the following blog post, we will focus on how you should interpret and work with your Threat Score.
Where do you find your threat score?
Pick which Scan Profile you want to find out the score for. Move the marker along the dates that are placed horizontally under the graph to find out the current score for a specific date. The threat score is visible in the top right corner (highlighted in the example below). As you can see, the score is dynamic and varies from scan to scan – it all depends on if you have fixed previous vulnerabilities, or if we’ve added new security issues to the scanner.
In the demo example above, we moved the marker to a previous scan to find out the Threat Score for 25th of May.
What is the score based on?
The score is based on your latest scan results and the issues we found when we tested your site for 700+ vulnerabilities. A high score means you have one or more critical vulnerabilities on your site, which means you should strive to have as low a number as possible. We apply a 10-degree scale, where the threat score shows the value of the most critical vulnerability identified. I.e. if you have a vulnerability with a CVSS score of 6.9, this will be your final threat score, in case it’s the most critical finding we have spotted.
The vulnerabilities’ severity level (that we use to calculate the end result) is based on CVSS v2, an industry standard from 2013. The CVSS scale is based on several parameters (Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability). There is a mathematical formula for how CVSS is calculated, taking into account how easy it is to exploit the vulnerability and what the consequences of such an attack would be. Read more about CVSS here: https://en.wikipedia.org/wiki/CVSS
How do I interpret my score?
You already know that we categorize vulnerabilities as High, Medium or Low severity findings in order to make it easier for you to prioritize your security work. As we described earlier, it is the severity level of the vulnerabilities identified on your site that is the basis of your Threat Score.
My score is: 0-2.9
Remember that several Low severity vulnerabilities can still compromise your security
If your score is on the lower part of the scale, it means you have Low severity vulnerabilities on your site. These vulnerabilities might not individually constitute a critical risk, but we want to emphasize that even though your score is relatively low, this does not mean you are not at risk. Low findings may not individually compromise your security, but in combination with each other, they can be used for more advanced attacks.
My score is: 3-5.9
You have Medium severity findings to take care off
If your score is between 3-5.9, you most likely have several Medium severity vulnerabilities on your site. About 90% of our users have Medium vulnerabilities, so you are not alone. As mentioned earlier, when these vulnerabilities are combined with each other, they can pose a very high risk, so we recommend you to fix them as soon as possible.
My score is: 6-10
Ouch, you have some serious security work to do!
A score between 6-10 means you have one or more critical security issues to take care of immediately. About 30% of our users have high severity findings in their reports. If the Detectify scanner identifies one or more High severity findings on your site, these will automatically pull you up its specific CVSS score, since these vulnerabilities individually represent such a high risk.
The easiest way to lower your score is to solve all High severity vulnerabilities as soon as possible.
To become a real Detectify Pro-user, we also recommend you to read the following articles:
– Setting up your account the right way
– 5 things we’ve done to make your Detectify experience better
// The Detectify Team