Asset and Space Risk Scores
How Mondoo rolls up individual finding scores into asset risk scores and space risk scores.
Mondoo gives you a 0-100 risk score at every level of your infrastructure. Every level uses the same scale: higher means more risk; 0 means no risk.
| Score | What it measures | Where to find it |
|---|---|---|
| Finding risk score | One issue on one asset | Findings |
| Asset risk score | All findings on one asset, weighted by impact | Asset detail page |
| Space Risk Score | All findings across every asset in the space | Space dashboard and Initiatives |
How asset scores are calculated
When Mondoo scans an asset, it evaluates the asset against every enabled policy that applies (Linux policies for Linux assets, AWS policies for AWS accounts, and so on). The asset score is the weighted percentage of policy checks the asset failed, with each check weighted by its impact (Critical, High, Medium, Low).
The score is further adjusted by five risk dimensions that account for the real-world context of each asset: attack surface, blast radius, business priority, exploitability, and news.
You can change how Mondoo combines check results into an asset score by changing the scoring system used by a policy in your space.
Severity bands
Asset risk scores map to the same severity bands as individual findings:
| Score range | Severity |
|---|---|
| 90–100 | Critical |
| 70–89 | High |
| 40–69 | Medium |
| 1–39 | Low |
| 0 | None |
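An added example, not Mondoo's code or its exact formula: it computes an impact-weighted failure percentage for one asset, compares it with a plain failed-check percentage, and maps the result to the severity bands above. The impact weights, check names, and the floor of 1 for any asset with a failure are assumptions made for illustration, and the five risk-dimension adjustments are not modeled.

```python
from dataclasses import dataclass

# Assumed impact weights for illustration only; the page does not state Mondoo's values.
ASSUMED_WEIGHTS = {"critical": 10, "high": 7, "medium": 4, "low": 1}
# Severity bands as listed in the table above: (lowest score in band, label).
BANDS = [(90, "Critical"), (70, "High"), (40, "Medium"), (1, "Low"), (0, "None")]

@dataclass(frozen=True)
class CheckResult:
    name: str     # hypothetical check identifier
    impact: str   # "critical" | "high" | "medium" | "low"
    passed: bool

def weighted_failure_score(results) -> int:
    """Impact-weighted percentage of failed checks, 0-100 (higher = more risk)."""
    total = sum(ASSUMED_WEIGHTS[r.impact] for r in results)
    failed = sum(ASSUMED_WEIGHTS[r.impact] for r in results if not r.passed)
    if failed == 0:   # also covers an asset with no applicable checks
        return 0
    # Assumption: any failure scores at least 1, so rounding never
    # places a failing asset in the "None" band.
    return max(1, round(100 * failed / total))

def unweighted_failure_score(results) -> int:
    """Plain failed-check percentage, for comparison with the weighted score."""
    if not results:
        return 0
    return round(100 * sum(not r.passed for r in results) / len(results))

def severity_band(score: int) -> str:
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    return next(label for floor, label in BANDS if score >= floor)

# Constructed sample results for one Linux asset (not real scan output).
SAMPLE = [
    CheckResult("ssh-root-login-disabled", "critical", False),
    CheckResult("disk-encryption-enabled", "high", True),
    CheckResult("core-dumps-restricted", "medium", True),
    CheckResult("ntp-configured", "low", True),
    CheckResult("motd-banner-set", "low", True),
]

if __name__ == "__main__":
    w, u = weighted_failure_score(SAMPLE), unweighted_failure_score(SAMPLE)
    print(f"weighted {w} ({severity_band(w)}), unweighted {u} ({severity_band(u)})")
```

With these assumed weights, one failed Critical check out of five moves the asset from the Low band (counting checks equally) into the Medium band.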
How the Space Risk Score is calculated
Asset risk scores roll up into the Space Risk Score: the average risk across every finding in the space. The Space Risk Score is what your Initiatives list directly improves.
To learn the exact formula and how exceptions are handled, read How the Space Risk Score Is Calculated.