Configure Risk Dimensions
Adjust how much each risk dimension influences scores, disable dimensions, and add custom detections.
Risk dimensions are how Mondoo adjusts each finding's risk score based on the context of the asset it appears on. Out of the box, all five dimensions are enabled with sensible default weights. You can tune them at the organization level to match how your team prioritizes risk; changes apply to every space in the organization.
For each dimension you can:
- Adjust its weight to make it count more or less toward the final score.
- Disable it to remove its effect entirely. Findings are scored as if the dimension doesn't exist.
- Add custom detections: extra key-value pairs that the Business Priority dimension should treat as a match.
Open risk dimension configuration
Note: Requires Editor or Owner access to the organization.
- In the Mondoo App, navigate to the organization.
- In the side navigation, expand Security Model and select Risk Score Control.
- Adjust weights, toggle dimensions on or off, or add custom detections as needed.
- Select SAVE CHANGES. Changes apply immediately to every space in the organization.
When to tune
Some examples of when tuning makes sense:
- Your team doesn't track press coverage as a security signal. Disable the News dimension so trending CVEs don't get an automatic boost.
- You consider blast radius the dominant factor. Raise the Blast Radius weight so findings on databases and web servers dominate the list.
- You use a custom tag scheme for business priority. Add custom detections (such as tier:gold or criticality:high) so the Business Priority dimension picks them up alongside the defaults.
Override risk dimensions per asset
To correct Mondoo's automatic detection on individual assets or spaces, use annotations. See Override automatic detection.