How Mondoo Prioritizes Security Findings
Mondoo helps you prioritize fixes by moving beyond static severity ratings. We analyze every finding through the lens of your unique environment, calculating a contextual Risk Score for each one. These scores then power our Top Actions feature, a focused list of the most impactful remediations for your infrastructure.
This allows you to spend less time sifting through thousands of alerts and more time closing the security gaps that matter most.
What Are Security Findings?
Security findings are potential issues that can make your infrastructure vulnerable to attack. The Mondoo Console reveals security findings in all the assets you integrate with Mondoo. Findings include:
- Misconfigurations that can expose your infrastructure to attackers
- Known vulnerabilities (or CVEs, common vulnerabilities and exposures) in the software installed on your assets
- Advisories published by software makers to alert the public about gaps in their products
How Mondoo Calculates Risk Score
The foundation of prioritization is an accurate, contextual Risk Score. Mondoo assigns a score of Low, Medium, High, or Critical to each finding by combining a base score with contextual risk factors.
Begin with a base score
Each finding has a base score associated with it.
- For misconfigurations, the base score comes from the impact score of the failed check in a Mondoo policy.
- For CVEs and advisories, the base score is the CVSS score.
Factor contextual risk
Base scores evaluate a threat in a vacuum. Mondoo makes them more accurate by applying contextual risk factors that are unique to your assets and environment.
| Risk Factor | Description | Affect on Risk Score |
|---|---|---|
| Internet-facing | The asset has a public IP address and is exposed to the internet. | Raise |
| Remote exploit | The vulnerability can be exploited remotely without user interaction. | Raise |
| Accessible keys | Key or credential information is exposed on the asset. | Raise |
| In use | The asset has a running service or is in active use. | Raise |
| End-of-life (EOL) | The asset is running an EOL operating system. | Raise |
| Database | The asset hosts a running database. | Raise |
| Defensive | The asset has defensive countermeasures (SELinux or AppArmor). | Lower |
Blast Radius
Mondoo uses the number of times a finding is present in the space to calculate a blast radius for the finding.
From Risk Score to Top Actions
While individual risk scores are important, the key to efficient remediation is understanding collective impact. Mondoo analyzes the risk scores of all findings across all your assets to identify which issues, if fixed, will provide the largest measurable improvement to your security posture.
These critical issues are presented to you in a curated list called Top Actions.
To learn how to use this powerful feature and understand the metrics behind it, see our guide to Prioritizing Risk with Top Actions.