100+ risk scores, and not one your remediator will act on

Shimon Tzahi
Principal Product Manager, Axonius

Derek Loomis
Senior Field Architect, Axonius

Omri Sherman
Cybersecurity Researcher, Axonius

Adir Schlezinger
Senior Backend Engineer, Axonius

This blog is part of Why We Built It, a series on the gaps in exposure management that security pros are still stuck solving by hand, and what we built to close them:
Count the cyber risk scores in your stack. A quick LLM prompt alone turns up 100+ security tools that ship their own. Every scanner, posture tool, identity system, and network product comes with a number. Not one of them gets a remediator to stop their busywork and fix a finding.
We heard this in every conversation while building Axonius Exposures. Stack-ranking findings against each other works fine. The bar that decides whether a finding gets fixed is a different bar: convincing the person who owns the asset to break their plan and work the issue. A DevOps lead has a sprint, an IT admin has a rollout, and they will not stop for a score that means nothing to the work in front of them.
That bar (get the remediator to act) is what existing risk scores miss. They rank a finding on its technical severity, maybe a threat-intel signal, and stop there. They do not see:
- The asset the finding sits on (criticality, control state, network placement).
- The business that the asset serves (production, internet exposure, compliance scope).
- The person on the hook to fix it.
A CVSS 9.8 is two different jobs for two different remediators. A DevOps owner cares that anything in AWS tagged production stays patched, and an IT admin cares about hosts missing the endpoint controls that the team was supposed to deploy. The same finding, the same score, two different conversations.
A leader asking "what should we fix first?" gets one answer from the scanner, another from the cloud console, and a third from the identity tool. None of them clears the bar with the team that owns the fix.
The missing piece: a score with all the right ingredients (security, asset, and business context) to get the remediator to act.
Yes… we built a risk score.
To solve that, we built a different kind of risk score. One that gets remediators to care.
The Axonius Risk Score runs on the asset and exposure intelligence built in Axonius (derived from 1,400+ adapters and 150+ security tools). We bring every security finding together with the asset and business signals next to it, and score risk in one place:

Every finding gets scored against three signals that a remediator cares about:
- Security context. The technical severity reported by the scanner that found the issue (CVSS, EPSS, exploit availability, threat intel).
- Asset context. Criticality, control state, network placement, compensating controls, relationships to other assets.
- Business context. Crown jewels, production tier, internet exposure, compliance scope (PCI DSS, HIPAA), ownership.
You define the calculus. The Axonius Risk Score is customizable per finding and weighs any field Axonius holds: business unit, adapter, metadata, and asset relationships. On every discovery cycle, it recalculates the score according to your policies. When coverage drops, network placement changes, or a relationship moves, the score changes with it.
Every score arrives itemized. Next to the finding, the practitioner and the remediator both see the signals that produced the number and the weight on each: vulnerability severity is only medium, but the asset sits on production infrastructure with public internet access, in the PCI DSS network, and was named in a recent breach. The score changes from "black box" to something the remediator can actually evaluate and agree with.

But what about day-one risk scoring?
A fully customized risk score requires stakeholder alignment, and alignment takes time. Meetings get postponed, and meanwhile, "what should we fix first?" gets the same shrug (¯\_(ツ)_/¯) it always got. To address that, we built the Axonius Vulnerability Score (AVS): a pre-built, triple-context score that ships out of the box.
Connect your adapters, and scoring begins. AVS codifies the patterns that repeat across security programs worldwide (production weighs more than dev, internet exposure weighs more than internal, compliance scope is non-negotiable), so the score works on the first discovery cycle. The default doesn't lock you in; as soon as you align with your stakeholders, you layer in your own signals and tailor from there.
Why we built the Axonius Risk Score
The Axonius Risk Score exists to make prioritization real, all the way to convincing the remediator they should care. Today, you have to solve for that (writing emails, gathering more data manually, calling in favors). That doesn't scale. So we built the technology to do it for you.
Four principles shape how we built the Axonius Risk Score:
A score should pass the remediator's test (otherwise, no action)
A score shouldn't stop at stack-ranking findings against each other. It should pass the bar that decides whether the remediator stops and acts. That takes context the scanner does not hold: who owns the asset, what business it serves, what controls already sit on it. When the score carries that context, the conversation moves from objection to teamwork. The DevOps lead sees why this finding outranks their sprint, not just that it does.
A score should reflect today, not the last review
A score shouldn't be a snapshot from a meeting two weeks ago. The asset's state changes: a host moves into the PCI DSS network, an EDR agent drops off, a service goes internet-facing, and a CVE becomes actively exploited by a threat actor. The score has to move with it. Recalculating every discovery cycle keeps the number honest, so the remediator works the right finding now, not the right finding from the last review.
A score should reflect your business (not only external scores)
A risk score should align to your business signals. Public risk scores (e.g., CVSS, EPSS, threat intelligence feeds) lack the context to prioritize what matters to you, which is why a critical CVE on a honeypot is not critical while a medium-severity Python CVE on your data scientist's laptop is. Our risk score is designed to scale from out-of-the-box templates to full customization, so your business context is always part of the calculation.
A score should bring transparency and trust
A practitioner shouldn't have to defend a number they can't break down (black box, opaque, not business aligned). Every score should itemize the signals that produced it and the weight on each, so a security pro can show a teammate or a stakeholder exactly why a finding outranks their other work. When a remediator can see exactly how the score was calculated, the conversation shifts from "why should I care?" to "let's figure out when I can fix it."
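The three-signal, itemized score described above (security, asset, and business context weighted by a policy and recalculated whenever the asset's state changes), together with the honeypot-versus-laptop contrast, as an added Python example. This is not Axonius's code or its actual scoring logic: the policy weights, signal names, sample assets, and CVE placeholders are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple


@dataclass
class Finding:
    """Security context: what the scanner reports (constructed sample fields)."""
    cve: str
    cvss: float        # 0-10 base score
    epss: float        # 0-1 exploit probability
    exploited: bool    # threat intel says it is being used in the wild


@dataclass
class Asset:
    """Asset and business context the scanner does not hold (constructed fields)."""
    name: str
    owner: str                       # the remediator on the hook
    tier: str                        # "production", "endpoint", "dev", ...
    internet_facing: bool
    edr_present: bool
    compliance: List[str] = field(default_factory=list)  # e.g. ["PCI DSS"]
    crown_jewel: bool = False
    decoy: bool = False              # honeypot / deception asset


# Constructed policy: points each signal contributes when fully present.
# These weights are an assumption for this example, not any vendor's default.
POLICY: Dict[str, float] = {
    "cvss": 30, "epss": 15, "exploited": 15,      # security context
    "production": 10, "internet_facing": 10,      # asset context
    "edr_missing": 5, "crown_jewel": 10,          # asset / business context
    "compliance_scope": 5,                        # business context
    "decoy": -50,                                 # honeypot: pull the score down
}


def signals(f: Finding, a: Asset) -> Dict[str, float]:
    """Normalise every signal to [0, 1] so policy weights are comparable."""
    return {
        "cvss": f.cvss / 10.0,
        "epss": f.epss,
        "exploited": float(f.exploited),
        "production": float(a.tier == "production"),
        "internet_facing": float(a.internet_facing),
        "edr_missing": float(not a.edr_present),
        "crown_jewel": float(a.crown_jewel),
        "compliance_scope": float(bool(a.compliance)),
        "decoy": float(a.decoy),
    }


def risk_score(f: Finding, a: Asset, policy: Dict[str, float] = POLICY
               ) -> Tuple[int, List[Tuple[str, float]]]:
    """Return (0-100 score, itemised contributions) for one finding on one asset.

    Only signals that are actually present appear in the breakdown, so the
    remediator sees exactly which facts produced the number.
    """
    items = [(name, round(policy[name] * value, 1))
             for name, value in signals(f, a).items() if value]
    total = int(round(sum(points for _, points in items)))
    return max(0, min(100, total)), items


def recalculate(f: Finding, a: Asset, **changes) -> Tuple[int, List[Tuple[str, float]]]:
    """Re-score after an asset state change (e.g. an EDR agent appearing or dropping off)."""
    return risk_score(f, replace(a, **changes))


def explain(f: Finding, a: Asset, policy: Dict[str, float] = POLICY) -> str:
    """Render the itemised score the way a practitioner would show it to an owner."""
    total, items = risk_score(f, a, policy)
    lines = [f"{f.cve} on {a.name} (owner: {a.owner}) -> score {total}"]
    lines += [f"  {name:<17}{points:+.1f}" for name, points in items]
    return "\n".join(lines)


# Constructed sample data; the CVE ids are placeholders, not real identifiers.
CRITICAL_CVE = Finding("CVE-EXAMPLE-CRIT", cvss=9.8, epss=0.9, exploited=True)
MEDIUM_PY_CVE = Finding("CVE-EXAMPLE-MED", cvss=5.5, epss=0.02, exploited=False)
HONEYPOT = Asset("decoy-web-01", owner="secops", tier="dev",
                 internet_facing=True, edr_present=True, decoy=True)
DS_LAPTOP = Asset("ds-laptop-42", owner="it-admin", tier="endpoint",
                  internet_facing=False, edr_present=False,
                  compliance=["HIPAA"], crown_jewel=True)

if __name__ == "__main__":
    print(explain(CRITICAL_CVE, HONEYPOT))    # critical CVE, but on a decoy
    print(explain(MEDIUM_PY_CVE, DS_LAPTOP))  # medium CVE, but on a crown-jewel laptop
```

Under this constructed policy the critical CVE on the honeypot lands around 18 while the medium CVE on the unprotected, HIPAA-scoped laptop lands around 37, and the laptop's score drops once an EDR agent is present, which is the recalculate-every-cycle behaviour the post describes. Passing a modified policy (for example `dict(POLICY, decoy=0)`) shows how a team would tune the weights to its own calculus.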
How the Axonius Risk Score fits your stack
Axonius Risk Score follows the same design principles as the rest of Axonius Exposures: ergonomic for security teams, ready to fit into your existing program.
- Works with what you have. Axonius Risk Score works out of the box with the 1,400+ adapters Axonius integrates with and any data they bring. No new agents, no network tap, no new scanners.
- Works with risk scores from your existing tools. You already use Tenable VPR, Qualys TruRisk (or any other score), but want to add Axonius business and asset context to it? Go for it. We support any data that shows in Axonius; we've got your back, no matter your stack.
- Ships with defaults, built to be remixed. A sensible starting policy ships on day one, so that you can remix it any way you want to (scope, filters, weights, logic).
- Works for any asset or security finding in Axonius. You can apply Axonius risk scores to any asset and security finding in Axonius (it doesn't need to be a CVE or a device/software). Here's an example for identities:

Get started with the Axonius Risk Score
To get started with Risk Score, access your Axonius Dashboard, go to Exposures > Risk Score, and follow our instructions to set your policy (it’s that simple). For the out-of-the-box Axonius Vulnerability Score, go to any Security Finding and explore the "AVS" fields; point your prioritization rules at the field and overlay your own signals when you're ready.
If you're not an Axonius Exposures customer yet, have specific questions, or want to explore Axonius Exposures in depth, book a personalized demo with us.
