Weakness Scoring System

This page outlines how NodeZero calculates a weakness’ severity. It delineates the two overall scores (base versus context score), outlines their components, and explains how all ingredients combine into a final score.

Base Versus Context Score

Every weakness in the Horizon3 AI platform carries two scores:

  • Base Score – The inherent severity of the vulnerability itself, independent of the environment. Scale: 0–10.

  • Context Score – The adjusted severity, accounting for the weakness' actual operational impact within the client's specific environment. This reflects what an attacker can actually reach and compromise by exploiting this weakness. Scale: 0–10.

Base Score

The base score comes from one of two sources: a publicly known CVE (Common Vulnerabilities and Exposures) entry, or a proprietary Horizon3 AI weakness definition.

CVE Weaknesses

For CVE-based weaknesses, the base score is the CVSS v3.1 Base Score, as published in the NVD (National Vulnerability Database). CVSS (Common Vulnerability Scoring System) scores are derived from standardized metrics, including:

  • Attack Vector – Network, Adjacent, Local, or Physical.
  • Attack Complexity – Low or High.
  • Privileges Required – None, Low, or High.
  • User Interaction – None or Required.
  • Impact on Confidentiality, Integrity, and Availability – None, Low, or High.

Examples:

  • CVE-2024-7593: CVSS base score = 9.8 (Critical).
  • CVE-2023-32315: CVSS base score = 7.5 (High).

Horizon3 AI–Discovered Weaknesses

For Horizon3 AI-defined weaknesses – misconfigurations, insecure defaults, protocol-level issues, and other findings discovered by NodeZero's testing methodology – Horizon3 AI's security research team assigns base scores in alignment with CVSS scoring standards. Each Horizon3 AI weakness definition includes a manually curated base score reflecting the inherent severity of the issue.

Examples:

  • H3-2025-0027 (Authentication Bypass): base score = 9.8.
  • H3-2024-0001 (Overprivileged Cloud Policy): base score = 9.0.
  • H3-2021-0018 (Default Database Credentials): base score = 8.6.
  • H3-2023-0006 (Pass-the-Hash Detection): base score = 7.5.
  • H3-2020-0004 (DNS Zone Transfer): base score = 4.8.

Conditional Modifiers That Can Lower the Context Score

Some Horizon3 AI–discovered weaknesses also carry conditional modifiers that can lower the context score below the base score. For example, if an exploit was attempted but failed, we might set the context score lower than the base score (e.g., to 50% of the base score value). These adjustments reflect the lower real-world risk when exploitation is unsuccessful.

Context Score

The context score is what makes Horizon3 AI's scoring actionable. It answers the question: "Given this specific environment, and taking the perspective of the threat actor’s starting point, what is the real-world impact of this weakness?"

Context Core Principle

A weakness' context score is set to its maximum downstream impact score – that is, the highest-severity impact that can be reached by exploiting that weakness through the discovered attack paths.

For example, if a medium-severity weakness (base score 5.0) leads through a chain of attack steps to Domain Compromise (impact score 10.0), its context score is elevated to 10.0, to reflect that actual risk.

How Context Scores Are Calculated

The context scoring pipeline works in stages, propagating scores from impacts back up through the attack graph to individual weaknesses.

Stage 1: Score Impacts

NodeZero models 21 distinct impact types, each with a predefined base score that reflects its business severity. The initial set of impacts identifies the nature of the compromise:

  • 10.0 – Domain Compromise, AWS Account Compromise, Cloud Compromise, Kubernetes Cluster Compromise, Microsoft Entra Full Tenant Compromise.
  • 9.8 – Business Email Compromise.
  • 9.5 – Critical Infrastructure Compromise.
  • 9.2 – Host Compromise, Perimeter Breach.
  • 9.0 – Domain User Compromise, AWS User/Role Compromise, Microsoft Entra User Compromise, Third-Party SaaS User Compromise, Kubernetes Identity Compromise.
  • 8.5 – Web Session Compromise.
  • 8.0 – Web Application User Compromise.
  • 7.8 – Ransomware Exposure.
  • 7.5 – Cloud Service Compromise, Brand Compromise.
  • 7.2 – Sensitive Data Exposure.

Each impact's context score might be further elevated based on:

  • Business risk associations – If the affected entity (host, credential, or data store) is tied to identified business risks, the impact score receives a +2.0 boost (capped at an overall score of 10.0).
  • Affected entity scoring – Vulnerable entities carry their own scores (covered in the next section), which feed into impact scoring.

Stage 2: Score Entities Along the Attack Path

Entities (credentials, data stores, and hosts) that NodeZero discovers and traverses along the attack path receive their own scores, based on privilege level, data sensitivity, and access type.

Credentials

Credentials are scored by privilege level:

  • 9.8 – AWS Root User, Domain Admin, Entra Global Admin, AWS Admin User/Role.
  • 8.0 – Local Admin, Entra User.
  • 5.0 – Domain User.
  • 2.0 – Kubernetes Service Account, Other.
  • 0.1 – Anonymous.

Data Stores

Data stores (the file systems, databases, shares, and other storage systems that NodeZero discovers) are scored based on a combination of:

  • Logarithmic scaling of the volume of data resources discovered: log10(resource_count).
  • The highest-scoring sensitive file or data finding within the store.
  • Whether the store contains data associated with business risks.

Sensitive Data and Files

As NodeZero discovers sensitive data and files within data stores, it scores them based on multiple factors.

Volume: This is a logarithmic scaling of the discovered resource count – log10(resource_count) – with a minimum score of 0.1.

File sensitivity: Files are scored based on file names and extensions known to be sensitive.

High-sensitivity files (score 9.0) include:

  • Credential stores and key material: .pfx, .p12, .keytab, .kdbx (KeePass), .keystore, .ccache (Kerberos)
  • SSH private keys: id_rsa, id_dsa
  • Credential files: credentials (e.g., AWS/Azure credential files), .htpasswd, shadow, secrets.tdb, passdb.tdb
  • Ransomware indicators: .lockbit, HELP_DECRYPT.*
  • Kerberos ticket caches: files prefixed with krb5 or ccache_

Moderate-sensitivity files (score 5.0–7.0) include:

  • Documents and spreadsheets: .docx, .xlsx, .pdf, .pptx, .csv
  • Email archives: .pst, .ost
  • Databases: .mdb, .accdb
  • Archives: .zip, .tar, .7z, .rar
  • Configuration files: web.config (7.0), .bash_history (7.0)

Files containing data associated with business risks (e.g., regulated personal data, or financial records) receive a score of 9.0.

Data Store Final Score

A data store's overall score is the maximum score across volume-based scoring, the highest individual file score, and the highest business-risk–related file score.
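
The volume, file-sensitivity and business-risk rules above, combined into one data-store scorer. This is an added illustration, not NodeZero's code: the file tables follow the page's lists, but the individual moderate-tier values other than web.config and .bash_history, and the 10.0 cap on the volume score, are assumed.

```python
import math

MIN_VOLUME_SCORE, HIGH_SENSITIVITY_SCORE, BUSINESS_RISK_FILE_SCORE = 0.1, 9.0, 9.0
# Sensitivity tables built from the page's lists. The page gives 5.0-7.0 for the moderate
# tier but only names web.config and .bash_history (7.0); the other moderate values are assumed.
HIGH_EXTENSIONS = {".pfx", ".p12", ".keytab", ".kdbx", ".keystore", ".ccache", ".htpasswd", ".lockbit"}
HIGH_NAMES = {"id_rsa", "id_dsa", "credentials", "shadow", "secrets.tdb", "passdb.tdb"}
HIGH_PREFIXES = ("krb5", "ccache_", "help_decrypt")
MODERATE_EXTENSIONS = {".docx": 5.0, ".xlsx": 5.0, ".pdf": 5.0, ".pptx": 5.0, ".csv": 5.0,
                       ".pst": 6.0, ".ost": 6.0, ".mdb": 6.0, ".accdb": 6.0,
                       ".zip": 5.0, ".tar": 5.0, ".7z": 5.0, ".rar": 5.0, ".bash_history": 7.0}
MODERATE_NAMES = {"web.config": 7.0}

def volume_score(resource_count):
    """log10 of the discovered resource count, floored at 0.1 (log10 of a single resource is 0)."""
    if resource_count < 1:
        return MIN_VOLUME_SCORE
    return min(10.0, max(MIN_VOLUME_SCORE, math.log10(resource_count)))

def file_score(path):
    """Score one file by known-sensitive names, prefixes and extensions; 0.0 when nothing matches."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if name in HIGH_NAMES or ext in HIGH_EXTENSIONS or name.startswith(HIGH_PREFIXES):
        return HIGH_SENSITIVITY_SCORE
    return MODERATE_NAMES.get(name, MODERATE_EXTENSIONS.get(ext, 0.0))

def data_store_score(resource_count, files, business_risk_files=()):
    """Final store score: max of volume score, highest file score and highest business-risk file score."""
    highest_file = max((file_score(f) for f in files), default=0.0)
    highest_business_risk = BUSINESS_RISK_FILE_SCORE if business_risk_files else 0.0
    return max(volume_score(resource_count), highest_file, highest_business_risk)
```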

Credential Final Score

Credential access (a specific credential used to reach a specific system, such as a data store) is scored using a probability union of multiple risk signals:

  • The credential's base score.
  • The data store's base score (if applicable).
  • Write access combined with business risks: 9.0.
  • Business risks alone: 7.0.
  • Write access alone: 5.0.

Stage 3: Propagate Scores Upstream to Weaknesses

Starting from the impacts, NodeZero walks back up the attack graph:

  1. Each weakness – a specific vulnerability on a specific asset – receives a context score. This score is equal to the maximum impact score among all downstream impacts reachable through the attack paths that originate from that weakness.
  2. Elevation rule – if the maximum downstream impact score exceeds the weakness' base score by more than 0.1, the context score is set to that downstream impact score.
  3. Each weakness also tracks:
    • Downstream impact count – how many distinct impacts are reachable.
    • Downstream impact types – which categories of impact are reachable (e.g., Domain Compromise, Sensitive Data Exposure).
    • Leverage score – the ratio of the weakness' downstream impact scores to the operation’s total impact score. This leverage score tells you this weakness’ share of the overall risk.
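
Stages 1 and 3 on a small constructed attack graph: impacts are scored with the business-risk boost, then each weakness receives the maximum reachable impact as its context score under the elevation rule. This is an added example, not NodeZero's implementation; the graph, node names and base scores are made up, and the leverage score is read as the sum of a weakness' downstream impact scores over the sum of all distinct impact scores in the operation, which is one interpretation of the definition above.

```python
# Constructed attack graph for illustration (names, edges and base scores are assumed, not NodeZero output).
IMPACT_SCORES = {"Domain Compromise": 10.0, "Host Compromise": 9.2, "Sensitive Data Exposure": 7.2}
BASE_SCORES = {"weakness:CVE-on-web-01": 5.0, "weakness:H3-on-kiosk-02": 9.8, "weakness:CVE-on-isolated-03": 7.5}
GRAPH = {  # node -> next hops; an impact node is "impact:<type>@<entity>"; isolated-03 has no edges
    "weakness:CVE-on-web-01": ["cred:svc_user"],
    "cred:svc_user": ["impact:Sensitive Data Exposure@fileshare", "host:jump-01"],
    "host:jump-01": ["cred:domain_admin"],
    "cred:domain_admin": ["impact:Domain Compromise@corp.local"],
    "weakness:H3-on-kiosk-02": ["impact:Host Compromise@kiosk-02"],
}
BUSINESS_RISK_ENTITIES = {"fileshare"}  # entities mapped to an identified business risk
BOOST, SCALE_MAX, ELEVATION_MARGIN = 2.0, 10.0, 0.1

def impact_score(node):
    """Stage 1: predefined impact score, +2.0 if the entity carries a business risk, capped at 10.0."""
    itype, entity = node[len("impact:"):].split("@", 1)
    score = IMPACT_SCORES[itype]
    return itype, min(SCALE_MAX, score + BOOST) if entity in BUSINESS_RISK_ENTITIES else score

def reachable_impacts(start, seen=None):
    """Follow attack paths from start; return {impact_node: (type, score)} for every impact reached."""
    seen = set() if seen is None else seen
    seen.add(start)
    if start.startswith("impact:"):
        return {start: impact_score(start)}
    found = {}
    for nxt in GRAPH.get(start, []):
        if nxt not in seen:
            found.update(reachable_impacts(nxt, seen))
    return found

def score_weakness(weakness, operation_total):
    """Stage 3: context = max downstream impact when it exceeds the base by more than 0.1, else base."""
    impacts = reachable_impacts(weakness)
    base, scores = BASE_SCORES[weakness], [s for _, s in impacts.values()]
    max_impact = max(scores, default=0.0)
    return {
        "base": base,
        "context": max_impact if max_impact - base > ELEVATION_MARGIN else base,
        "impact_count": len(impacts),
        "impact_types": sorted({t for t, _ in impacts.values()}),
        # Leverage read as: sum of this weakness' downstream impact scores / operation total (assumed).
        "leverage": round(sum(scores) / operation_total, 3) if operation_total else 0.0,
    }

def score_operation():
    """Score every weakness against the operation total (sum over all distinct reachable impacts)."""
    all_impacts = {k: v for w in BASE_SCORES for k, v in reachable_impacts(w).items()}
    total = sum(s for _, s in all_impacts.values())
    return {w: score_weakness(w, total) for w in BASE_SCORES}
```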

Probability Union Formula

When combining multiple independent risk signals, NodeZero uses a probability union formula rather than a simple addition or maximum:

  1. Normalize each score from [0, 10] to [0, 1].
  2. Combine using: P(A or B) = P(A) + P(B) – P(A) * P(B).
  3. Scale the result back to [0, 10].

This models the probability of at least one risk factor resulting in compromise. As more risk factors accumulate, it naturally saturates toward 10.0, without exceeding the scale.

As an example, here is how NodeZero would combine scores of 5.0 and 7.0:

  • Normalized: 0.5 and 0.7.
  • Union: 0.5 + 0.7 – (0.5 x 0.7) = 0.85.
  • Final score: 8.5.
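
The probability union applied to the Credential Final Score signals listed earlier, as an added example rather than NodeZero's code; it assumes the three write/business-risk signals are mutually exclusive (the strongest applicable one is used) and that the two-signal formula is folded left to right over any number of signals.

```python
WRITE_WITH_BUSINESS_RISK, BUSINESS_RISK_ONLY, WRITE_ONLY = 9.0, 7.0, 5.0  # fixed signal values from the page

def probability_union(scores):
    """Combine 0-10 risk signals as P(A or B) = P(A) + P(B) - P(A)*P(B) on [0, 1], rescaled to 0-10."""
    p = 0.0
    for s in scores:
        q = min(max(s, 0.0), 10.0) / 10.0  # normalize (and clamp) the signal to [0, 1]
        p = p + q - p * q                  # union with the signals folded in so far
    return round(p * 10.0, 2)

def credential_access_score(credential_score, data_store_score=None, write=False, business_risk=False):
    """Score a credential's access to a system from the signals listed under Credential Final Score."""
    signals = [credential_score]
    if data_store_score is not None:
        signals.append(data_store_score)
    if write and business_risk:        # assumed: only the strongest of the three fixed signals applies
        signals.append(WRITE_WITH_BUSINESS_RISK)
    elif business_risk:
        signals.append(BUSINESS_RISK_ONLY)
    elif write:
        signals.append(WRITE_ONLY)
    return probability_union(signals)
```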

Business Risks

Business risks represent the real-world consequences that matter most to an organization. NodeZero defines these risks categorically, and maps them to specific types of hosts, users, and data, based on their role in the environment. When an entity along an attack path is associated with a business risk, its score is elevated by +2.0 (capped at an overall score of 10.0).

The system defines the following business risk categories:

  • Operational Disruption – Degraded performance, corrupted configurations, or blocked dependencies that cripple business processes.
  • Critical System Shutdown – Complete disabling of ERP (Enterprise Resource Planning), email, manufacturing, or other critical systems.
  • Revenue Interruption – Disabling revenue-critical systems; or halting product delivery, payroll, or customer transactions.
  • Software Delivery Disruption – Tampering with software pipelines, delaying releases, or inserting malicious code.
  • Supply Chain Breakdown – Vendor or logistics compromise, cascading into missed shipments and failed deliveries.
  • Leak of Sensitive Communications – Exposure of board-level slide decks, legal strategies, or HR files that could spark media crises.
  • Executive Fraud & Impersonation – CEO/CFO impersonation, enabling fraudulent approvals and reputational damage.
  • Regulatory Breach Penalties – Exposure of protected data, triggering HIPAA, PCI, or GDPR fines, audits, and disclosure obligations.
  • Theft of Intellectual Property or Research and Development – Stolen code, formulas, or designs, enabling competitors to replicate innovation.
  • Unauthorized Physical Access – Compromise of surveillance, alarm, or access control systems, enabling physical intrusion.

NodeZero associates these business risks with entities, such as:

  • Hosts (e.g., Domain Controllers map to Critical System Shutdown).
  • Users (e.g., Corporate Executives map to Executive Fraud & Impersonation).
  • Data types (e.g., Payment Card Data maps to Regulatory Breach Penalties).

Summary: What Drives a Weakness' Final Score

  • CVSS/H3-defined base score – Sets the baseline. This is the inherent severity of the vulnerability.
  • Downstream impact type – If exploitation leads to Domain Compromise (10.0), the context score rises to 10.0.
  • Attack paths to impacts – The context score is ultimately determined by the highest-severity impact reachable by an attacker.
  • Credential privilege levels along the path – Domain admin credentials elevate path scores to 9.8, compared to standard user credentials that are scored at 5.0.
  • Data exposure volume and sensitivity – Large volumes of sensitive data increase entity scores along the path.
  • Write access to data stores – Write access contributes additional risk signal, via probability union.
  • Business risk associations – When affected entities map to identified business risks, this adds a +2.0 boost.
  • Exploit success/failure – As noted above, some Horizon3 AI–discovered weaknesses lower the context score below the base score when exploits fail.

Key Takeaways

  1. Base scores are directly comparable to CVSS. CVE weaknesses use CVSS verbatim. Horizon3 AI–discovered weaknesses are scored on the same 0–10 scale, using equivalent criteria.
  2. Context scores reflect real-world exploitability. These scores answer "What can an attacker actually achieve with this weakness in this environment?" rather than just "How severe is this vulnerability in isolation?"
  3. Scoring is driven by attack path analysis. A weakness that leads to Domain Compromise, through a chain of exploited credentials and lateral movement, will score higher than an identical weakness on an isolated system with no downstream impact.
  4. Business-risk mapping ties technical findings to organizational impact. Weaknesses that affect systems associated with regulatory data, critical infrastructure, or executive access are scored higher, to reflect the business consequences of a corresponding compromise.