
Introducing Risk Dimensions

A more transparent way to score risk in Mondoo. Five dimensions, plain language, and the same level of configurability you had before.

Dominik Richter

A risk score is only useful if you can explain it. For years, ours did the job, but explaining it was harder than it should have been. With the new Mondoo console, we're shipping a scoring model that solves that problem head-on: Risk Dimensions.

This post is the deep dive we promised. If you read the UI launch post and wondered "okay, but how does the scoring actually work now?", this is for you.

The old model: Configurable, but opaque

The old system started from a finding's base score, usually CVSS, and then nudged it up or down based on a long list of Risk Factors. Is the asset exposed to the internet? Bump it up. Is there a known exploit in the wild? Bump it up. Is the affected service not running? Bump it down. And so on.

It was fully configurable, and the underlying math was sound. The problem was the experience of using it. A final score of 7.4 was the result of a dozen different factors compounding, and even the risk invoice, which listed every contributing factor, didn't really resolve the question users kept asking: Why is this the number?

If you couldn't explain it to your CISO in a sentence, the score wasn't doing its job.

The new model: Five dimensions, plain language

Risk Dimensions replace that long list with five things any security person can hold in their head at once. Every finding and every asset is now scored across:

  • Business criticality
  • Attack surface
  • Blast radius
  • Exploitability
  • News

That's the whole model. Each dimension has its own rating, and the final score is what you get when you combine them. You can see all five at a glance, and you can defend the result in a meeting without pulling up a spreadsheet.

Let's walk through what each one actually means.

Business criticality: Should you care about this system at all?

Business criticality answers the most important question first. Does this asset host a part of your service that customers depend on? Does it hold user data? If it goes down, does the business stop running? A perfectly exploitable vulnerability on a forgotten test box is a very different problem from the same vulnerability on the database behind your billing pipeline. Business criticality is what makes that difference visible.

We've expanded what Mondoo can detect on its own here, and made the rest configurable to fit how you already manage this information. Pull it from your service catalog, from cloud tags and annotations, from CMDB metadata, or set it manually. If you're working toward a compliance program with CIA (confidentiality, integrity, availability) levels per system, Mondoo can help you build and maintain those classifications as part of the same flow.

Attack surface: Can an attacker actually reach it?

Attack surface looks at how reachable the affected component is. Is it exposed to the open internet, reachable only from internal networks, or locked behind strict controls? Crucially, this is correlated with the specific finding, not just the asset.

Consider a vulnerability in an nginx module. If that module isn't on the attack path of the running service, the attack surface for that finding is restricted, even if the host itself is internet-facing. That kind of nuance is what stops a noisy CVE from monopolizing your engineering attention when it doesn't actually expose you.

Blast radius: What else falls if this one falls?

Blast radius is the other side of the coin. If this component gets compromised, how far does the attacker get? Can they pivot to other systems? Reach credentials? Get to customer data? A vulnerability on an isolated container has a very different blast radius from one on a node that holds your Kubernetes secrets.

Together, attack surface and blast radius tell you the two halves of the exposure story: How does the attacker get in, and what do they get to once they're inside?

Exploitability: Is this real, and how fast can it be used?

Exploitability tells you whether a finding is a theoretical problem or a practical one. Is there a published exploit? A working proof of concept on GitHub? Active campaigns in the wild? Threat-actor chatter? Exploitability is what separates "patch when convenient" from "patch tonight."

News: Is the world paying attention?

News rounds it out. Some vulnerabilities are practically unknown; others are on the front page of every security publication for a week. We pull from IT news outlets, social media, and security communities to surface the ones that already have momentum. This isn't a hype score; it's a signal: when a vulnerability is trending, your attackers are reading the same articles your defenders are.

How it all comes together

Each dimension gets a rating: None, Low, Medium, High, or Critical. "None" is a real finding, not a missing one. It means we've evaluated the dimension and there's nothing to worry about: A dev system with no downstream impact has a blast radius of None. A service that's fully isolated from any network has an attack surface of None. That's information you can act on, the same way a High or Critical is.

[Figure: Risk Dimensions detail view]

Internally, those labels map to precise numbers, and the numbers combine into the final risk score for the finding and the asset. The labels are what you read in the UI; the numbers are what the system computes on.

And because no two organizations weigh these the same way, you can adjust the weight of any dimension to match your business. If your environment is mostly internet-facing services, you can lean harder on attack surface. If you're a regulated industry where data sensitivity dominates, you can weight business criticality up. The defaults are sensible. The knobs are there when you need them.
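To make the mechanics concrete, here is a small scorer written for this post as an added illustration. It is not Mondoo's code: the post states the five dimensions, the None-to-Critical scale, that attack surface is rated per finding rather than per asset, and that weights are tunable, but it does not publish the numeric values, the combination formula, or the thresholds. The rating values, equal default weights, weighted-average combination, score-to-label thresholds, the choice of "low" as the restricted attack-surface rating, and the two sample assets are all assumptions made here so the example runs end to end.

```python
"""Illustrative Risk Dimensions scorer (added example, not Mondoo's implementation).

Everything numeric in this file, the label-to-number mapping, the default
weights, the weighted-average combination and the thresholds used to read a
score back as a label, is an assumption made for illustration only.
"""
from typing import Dict, Mapping, Optional

DIMENSIONS = ("business_criticality", "attack_surface", "blast_radius", "exploitability", "news")

# Assumed mapping from the labels shown in the UI to the numbers the scorer computes on.
RATING_VALUES = {"none": 0.0, "low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}

# Assumed defaults: every dimension weighs the same until an operator tunes it.
DEFAULT_WEIGHTS = {dim: 1.0 for dim in DIMENSIONS}


def finding_attack_surface(host_exposure: str, component_on_attack_path: bool) -> str:
    """Attack surface is rated per finding, not per asset.

    When the affected component (for example an nginx module) is not on the
    attack path of the running service, the finding's attack surface is
    restricted even on an internet-facing host. Using 'low' for that
    restricted rating is an assumption of this example.
    """
    exposure = host_exposure.lower()
    if exposure not in RATING_VALUES:
        raise ValueError(f"unknown exposure rating: {host_exposure!r}")
    return exposure if component_on_attack_path else "low"


def _validated(ratings: Mapping[str, str]) -> Dict[str, float]:
    """'None' is a real evaluation; a dimension that was never evaluated is an error, not zero."""
    values: Dict[str, float] = {}
    for dim in DIMENSIONS:
        if dim not in ratings:
            raise ValueError(f"dimension {dim!r} has not been evaluated")
        label = ratings[dim].lower()
        if label not in RATING_VALUES:
            raise ValueError(f"unknown rating {ratings[dim]!r} for {dim}")
        values[dim] = RATING_VALUES[label]
    return values


def contributions(ratings: Mapping[str, str],
                  weights: Optional[Mapping[str, float]] = None) -> Dict[str, float]:
    """Each dimension's share of the 0-10 score, so the final number can be explained.

    Share = value * weight / total_weight * 10 (assumed formula).
    """
    values = _validated(ratings)
    w = {**DEFAULT_WEIGHTS, **(weights or {})}
    unknown = set(w) - set(DIMENSIONS)
    if unknown:
        raise ValueError(f"unknown dimensions in weights: {sorted(unknown)}")
    total = sum(w[dim] for dim in DIMENSIONS)
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return {dim: 10.0 * values[dim] * w[dim] / total for dim in DIMENSIONS}


def risk_score(ratings: Mapping[str, str],
               weights: Optional[Mapping[str, float]] = None) -> float:
    """Final 0-10 score: weighted average of the dimension values, one decimal."""
    return round(sum(contributions(ratings, weights).values()), 1)


def score_label(score: float) -> str:
    """Assumed thresholds for reading a score back as a UI label."""
    if score == 0:
        return "None"
    if score < 4:
        return "Low"
    if score < 7:
        return "Medium"
    if score < 9:
        return "High"
    return "Critical"


def explain(ratings: Mapping[str, str],
            weights: Optional[Mapping[str, float]] = None) -> str:
    """The one-sentence answer to 'why is this the number': label plus the two biggest drivers."""
    shares = contributions(ratings, weights)
    top = sorted(shares, key=shares.get, reverse=True)[:2]  # stable sort keeps DIMENSIONS order on ties
    drivers = ", ".join(f"{dim.replace('_', ' ')} {ratings[dim].lower()}" for dim in top)
    score = risk_score(ratings, weights)
    return f"{score_label(score)} ({score}): driven by {drivers}"


# Constructed sample: the same CVE observed on two assets.
BILLING_DB = {
    "business_criticality": "critical",
    "attack_surface": finding_attack_surface("low", True),   # internal-only host, component in use
    "blast_radius": "high",
    "exploitability": "high",
    "news": "medium",
}
DEV_BOX = {
    "business_criticality": "none",
    "attack_surface": finding_attack_surface("high", True),  # internet-facing host, component in use
    "blast_radius": "none",
    "exploitability": "high",
    "news": "medium",
}
# Constructed weight profiles: a regulated shop leans on criticality, an internet-facing one on exposure.
REGULATED_WEIGHTS = {"business_criticality": 3.0}
INTERNET_FACING_WEIGHTS = {"attack_surface": 3.0}

if __name__ == "__main__":
    for name, finding in (("billing db", BILLING_DB), ("dev box", DEV_BOX)):
        print(name, risk_score(finding), risk_score(finding, REGULATED_WEIGHTS),
              risk_score(finding, INTERNET_FACING_WEIGHTS))
        print("  ", explain(finding))
```

With equal weights the billing database scores 6.5 and the dev box 4.0 for the same CVE; tilting the weights toward business criticality pushes them to 7.5 and 2.9, while tilting toward attack surface brings the internet-facing dev box up to 5.0. A finding whose module is off the attack path keeps a "low" attack surface even on an internet-facing host, and a finding with an unevaluated dimension is rejected rather than scored as if that dimension were None.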

What this changes day to day

The biggest change isn't the math; it's the conversation. Risk Dimensions give you a vocabulary for risk that everyone in the room understands. "This is critical because the blast radius is high and there's a working exploit" is the kind of sentence that ends arguments rather than starting them. It also makes it dramatically easier to communicate the value of the work your team is already doing.

Rolling it out

As we roll Risk Dimensions out across environments, please work with your customer success contact to understand how the new scoring lands in your specific setup. The dimensions, the weights, and the business criticality sources are all configurable, and the right configuration for your organization is a conversation worth having early.

If anything in the new scoring surprises you, support@mondoo.com is the fastest way to reach us. We'd rather hear about it now, while the model is fresh and tunable, than later.

Risk Dimensions are how Mondoo scores risk going forward. Cleaner, more transparent, and built so the score is something you can hand to a CISO, an auditor, or an engineer and have all three understand the same thing.

About the Author

Dominik Richter, Co-Founder & CPO

Dom is a founder, coder, and hacker and one of the creators of Mondoo. He helped shape the DevOps and security space with projects like Chef InSpec and Dev-Sec.io. Dom worked in security and automation at companies like Google, Chef, and Deutsche Telekom. Beyond his work, he loves to dive deep into hacker and nerd culture, science and the mind, and making colorful pasta from scratch.
