
Overview

Risk Score helps you understand how dangerous a vulnerability is in your environment. A vulnerability’s raw severity does not always reflect real-world risk. Some vulnerabilities are severe but not reachable. Others may have active exploitation in the wild, but limited impact in your runtime. Backline combines severity with contextual signals such as exploitability, reachability, and exploit activity to produce a single environment-aware score from 0 to 100.
The question Risk Score answers is:
“How risky is this vulnerability in this environment, and how urgently should it be remediated?”

Where to Find It

Open a vulnerability and navigate to Vulnerability Side Panel → Risk Analysis.
In the Risk Analysis tab, Backline shows the Risk Score and a short summary above the detailed risk factor sections. If a Risk Score is not available, neither the score nor the summary is shown.
Backline also uses Risk Score in other places across the product:
  • Vulnerability card: Risk Score replaces the severity badge
  • Vulnerabilities page filter: You can filter vulnerabilities by Risk Score band
  • Remediation prioritization: Risk Score helps determine what should be addressed first

What Risk Score Answers

Risk Score is designed to answer three key questions:
  • How dangerous is this vulnerability in this environment?
  • How urgently should it be remediated?
  • Why is it prioritized over other vulnerabilities?

What Risk Score Measures

Risk Score represents the combined effect of:
  • how likely the vulnerability is to be exploited
  • how much impact exploitation could have
  • whether the vulnerable code is actually used
  • whether there is evidence of attacker activity in the wild
Backline models this as:
Risk = Likelihood × Impact
To make this practical, Backline evaluates four risk factors:
  • Exploitability
  • Reachability
  • Exploit Signals
  • Severity
Severity alone is not enough. Environmental and contextual signals have a major influence on whether a vulnerability should be prioritized.

How Risk Score Is Calculated

When all four factors are available, Backline combines them using fixed weights.

Standard Formula

Risk Score = 0.35 × Exploitability + 0.30 × Reachability + 0.20 × Exploit Signals + 0.15 × Severity
The four weights sum to 1.0. The final result is clamped to 0–100 and rounded to the nearest whole number.

Why These Weights Matter

Backline gives the highest weight to the factors that best reflect real-world likelihood.

Exploitability — 35%

Exploitability is the strongest predictor of practical risk. If runtime exploitation is not possible, overall risk drops significantly.

Reachability — 30%

Reachability confirms whether the vulnerable code can actually execute. If the code is never used, the practical impact is often reduced.

Exploit Signals — 20%

Threat intelligence helps raise urgency when attackers are actively targeting the vulnerability.

Severity — 15%

Severity measures technical impact, but does not reflect whether the vulnerability is actually exploitable in your environment. That is why severity has the lowest weight.
This weighting helps avoid false prioritization based on severity alone.

Fallback Behavior When Data Is Missing

Not every vulnerability has all four factors available at all times. When one or more factors are missing, Backline recalculates the score from the factors that are available, redistributing their weights so that the result still falls on the 0–100 scale. This allows Backline to provide a meaningful score even when the analysis is incomplete; the lower certainty of such a score is reported separately as confidence (see below), not hidden in the score itself.

Confidence

Risk Score also includes a confidence level that reflects how much supporting data was available for the calculation. Confidence is the sum of the weights of the factors that were present, expressed as a percentage: a full set of factors gives 100%, and each missing factor lowers confidence by that factor’s weight.

Confidence Examples

Available factors | Confidence
All factors available | 100%
Missing Reachability (weight 0.30) | 70%
Missing Exploitability (weight 0.35) | 65%
Only Severity available | 15%
No factors available | 0%
Confidence reflects the reliability of the score, not the seriousness of the vulnerability. A lower-confidence score can still indicate meaningful risk, but it should be interpreted with more caution.
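The standard formula, the fallback when factors are missing, and the confidence computation, worked together as an added example. This is illustrative code written for this page, not Backline’s implementation. It assumes that each factor is supplied on the same 0–100 scale as the final score and that the fallback renormalises the remaining weights to sum to 1; neither detail is stated on this page. The function name `risk_score` and the factor keys are hypothetical.

```python
import math
from typing import Mapping, Optional, Tuple

# Fixed weights from the standard formula on this page.
WEIGHTS = {
    "exploitability": 0.35,
    "reachability": 0.30,
    "exploit_signals": 0.20,
    "severity": 0.15,
}


def _round_half_up(x: float) -> int:
    # Python's round() uses banker's rounding (round(18.5) == 18); use
    # conventional half-up rounding so that 18.5 becomes 19.
    return int(math.floor(x + 0.5))


def risk_score(factors: Mapping[str, Optional[float]]) -> Tuple[Optional[int], int]:
    """Compute (risk_score, confidence_pct) for one vulnerability.

    `factors` maps a factor name to its value on a 0-100 scale (assumption:
    the page does not state the per-factor scale), or to None when that
    factor is unavailable.  Missing factors are dropped and the remaining
    weights are renormalised to sum to 1 (assumption: the page says only
    that weighting is "redistributed").  Confidence is the sum of the
    weights of the present factors, as a percentage.  With no factors at
    all there is no score, mirroring the UI, which shows none: score is None.
    """
    present = {}
    for name, weight in WEIGHTS.items():
        value = factors.get(name)
        if value is None:
            continue
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be in 0..100, got {value}")
        present[name] = (value, weight)

    weight_total = sum(w for _, w in present.values())
    confidence = _round_half_up(weight_total * 100)
    if not present:
        return None, confidence

    weighted = sum(v * w for v, w in present.values())
    score = weighted / weight_total        # equals `weighted` when all four are present
    score = max(0.0, min(100.0, score))    # clamp to 0-100 before rounding
    return _round_half_up(score), confidence


if __name__ == "__main__":
    # Constructed sample inputs, not real findings.
    samples = {
        "all factors present": {"exploitability": 90, "reachability": 100,
                                "exploit_signals": 80, "severity": 95},
        "reachability missing": {"exploitability": 90, "reachability": None,
                                 "exploit_signals": 80, "severity": 95},
        "only severity": {"severity": 95},
        # Critical CVSS, but unreachable and not exploitable at runtime.
        "critical but cold": {"exploitability": 20, "reachability": 0,
                              "exploit_signals": 0, "severity": 100},
        "nothing known": {},
    }
    for label, f in samples.items():
        score, conf = risk_score(f)
        print(f"{label:22} score={score!s:>4} confidence={conf}%")
```

The last sample is the FAQ case below: a severity of 100 contributes only 15 points, so a critical CVSS finding with no exploitability, reachability, or exploit activity lands in the low twenties. The renormalisation in the fallback is what lets an incomplete analysis still produce a score on the 0–100 scale while confidence records how much of the weighting that score rests on.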

What You See in the Risk Analysis Tab

The Risk Analysis tab provides a quick summary and clear explanation of the score. It includes:
  • Risk Score
  • Risk band
  • Risk summary
  • Confidence
  • Supporting factor sections such as Exploitability and Reachability

Why This Matters

Risk Score helps teams prioritize vulnerabilities based on real-world context instead of relying only on severity. This helps you:
  • focus on the vulnerabilities that matter most in your environment
  • distinguish between theoretical and practical risk
  • explain why one vulnerability is ranked above another

Best Practices

Use Risk Score as the primary indicator of vulnerability priority, but always review the supporting factors when making important remediation decisions. A common workflow is:
  1. Review the Risk Score and band
  2. Read the summary to understand the main drivers
  3. Check confidence
  4. Review Exploitability and Reachability
  5. Prioritize remediation based on both score and context
A high Risk Score with high confidence indicates a strong candidate for immediate action. A high score with low confidence may still require attention, but should be reviewed more carefully.

FAQ

Is Risk Score the same as severity?

No. Severity measures potential technical impact. Risk Score combines severity with contextual signals such as exploitability, reachability, and exploit activity to reflect real-world risk in your environment.

Why can a critical CVSS vulnerability have a medium Risk Score?

Because severity is only one factor. If the vulnerable code is unreachable, not exploitable in runtime, or not associated with attacker activity, the overall risk can be much lower.

Why does severity have the lowest weight?

Severity reflects impact, but not likelihood. Backline intentionally weights environmental and runtime signals more heavily to avoid over-prioritizing vulnerabilities based only on severity.

What does confidence mean?

Confidence reflects how much of the score is supported by available data. It helps you understand how reliable the Risk Score is.

Why is no Risk Score shown for some vulnerabilities?

If Backline does not have enough data to calculate a meaningful score, the Risk Score and summary are not shown.

Can Risk Score change over time?

Yes. Risk Score is recalculated when supporting inputs change, such as exploitability, reachability, threat intelligence, code changes, or dependency updates.
