How Mondoo Scores and Prioritizes Findings
How Mondoo turns each finding into a 0-100 risk score that drives prioritization.
A static severity rating ("this CVE is Critical") doesn't tell you whether to fix it before lunch or next quarter. Mondoo turns every finding into a contextual risk score that reflects how dangerous the finding actually is on the specific asset where it appears. Those scores power Top Actions, the focused list of fixes that will most improve your security posture.
What is a finding?
A finding is a potential security issue Mondoo discovers during a scan. There are three kinds:
- Misconfigurations detected by failed policy checks
- Known vulnerabilities (CVEs) in software installed on the asset
- Vendor security advisories published for software on the asset
Every finding shows up in the Mondoo App on each asset where it appears.
How a finding is scored
Each finding receives a risk score from 0 to 100 (higher means more risk). The score is built in two steps.
Step 1: Base score
The base score reflects the severity of the issue in isolation.
| Finding type | Base score source |
|---|---|
| Misconfiguration | The impact of the failed check in a Mondoo policy (Critical, High, Medium, Low) |
| CVE | The CVSS score |
| Advisory | The CVSS score of the underlying vulnerability |
Step 2: Risk dimensions
Base scores are blind to context. A Critical CVE on an internet-facing production database is not the same threat as the same CVE on a developer's laptop behind a VPN. Mondoo adjusts the score across five risk dimensions:
| Dimension | What it captures |
|---|---|
| Attack surface | How exposed the asset is (internet, network, local, system, none) |
| Blast radius | What kind of service the asset runs (database, web server, identity, storage, Kubernetes, keys) |
| Business priority | Annotations you apply to the asset, such as a business-critical tag or CIA (confidentiality, integrity, availability) ratings |
| Exploitability | EPSS exploit probability and whether the vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (vulnerabilities only) |
| News | Whether the vulnerability is trending in the media (vulnerabilities only) |
Dimensions can raise or lower the score. An internet-facing production database with a trending exploit climbs the list; the same CVE on an isolated test VM falls. Read Risk Dimensions for the full model, including how to override Mondoo's automatic detection.
Severity bands
Risk scores map to severity bands you'll see throughout the Mondoo App:
| Score range | Severity | Meaning |
|---|---|---|
| 90–100 | Critical | Extreme risk |
| 70–89 | High | Significant risk |
| 40–69 | Medium | Moderate risk |
| 1–39 | Low | Minor risk |
| 0 | None | No risk |
Blast radius
Separately from the blast radius dimension of the risk score, which reflects the kind of service an asset runs, each finding also carries a blast radius count: the number of assets in the space where that finding appears. A misconfiguration present on 500 assets has a far larger blast radius than the same misconfiguration on a single sandbox host. Use the count to break ties between findings with similar risk scores: fixing the one with the wider blast radius removes risk from more assets at once.
From individual scores to Top Actions
Mondoo combines every finding's risk score across every asset in the space to identify which findings, if fixed, would most improve your overall posture. The result is Top Actions, a curated list of the 30 highest-impact fixes.
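The following Python model walks the whole pipeline described above (base score, risk dimension adjustments, severity bands, blast radius count, and ranking findings into Top Actions) on a constructed inventory. It is an added example, not Mondoo's code: the severity bands are the ones in the table on this page, but the per-dimension multipliers, the 0-100 rescaling of CVSS and impact labels, the summing of scores across assets, and every asset, check and CVE identifier are assumptions chosen only to make the mechanics visible.

```python
"""Illustrative model of contextual risk scoring and Top Actions ranking.

This is an added example, not Mondoo's code. The severity bands come from
the page; the dimension multipliers, the additive aggregation and all
asset/finding data are assumptions chosen to show the mechanics.
"""
from __future__ import annotations

from dataclasses import dataclass

# Severity bands as the page defines them: (lowest score in band, label).
BANDS = [(90, "Critical"), (70, "High"), (40, "Medium"), (1, "Low"), (0, "None")]

# Hypothetical multipliers per risk dimension (assumed, not Mondoo's weights).
ATTACK_SURFACE = {"internet": 1.2, "network": 1.0, "local": 0.8, "system": 0.6, "none": 0.4}
SERVICE_BLAST_RADIUS = {"database": 1.15, "identity": 1.15, "keys": 1.15,
                        "web server": 1.1, "kubernetes": 1.1, "storage": 1.05, None: 1.0}
BUSINESS_PRIORITY = {"business-critical": 1.2, None: 1.0}
# Base score for a failed check, keyed by the check's impact (assumed mapping).
IMPACT_TO_BASE = {"Critical": 90, "High": 75, "Medium": 50, "Low": 25}


@dataclass(frozen=True)
class Asset:
    name: str
    attack_surface: str = "network"
    service: str | None = None            # database, web server, identity, ...
    business_priority: str | None = None  # e.g. a "business-critical" annotation


@dataclass(frozen=True)
class Finding:
    id: str
    kind: str               # "misconfiguration", "cve" or "advisory"
    cvss: float = 0.0       # CVSS score 0-10 (cve/advisory)
    impact: str = ""        # check impact label (misconfiguration)
    epss: float = 0.0       # EPSS probability 0-1 (vulnerabilities only)
    kev: bool = False       # listed in CISA KEV (vulnerabilities only)
    trending: bool = False  # "News" dimension (vulnerabilities only)


def severity_band(score: int) -> str:
    """Map a 0-100 risk score to the page's severity band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def base_score(f: Finding) -> float:
    """Step 1: severity in isolation, rescaled to 0-100."""
    if f.kind == "misconfiguration":
        return IMPACT_TO_BASE[f.impact]
    return f.cvss * 10.0


def risk_score(f: Finding, a: Asset) -> int:
    """Step 2: adjust the base score for the asset's context, clamp to 0-100."""
    score = base_score(f)
    score *= ATTACK_SURFACE[a.attack_surface]
    score *= SERVICE_BLAST_RADIUS[a.service]
    score *= BUSINESS_PRIORITY[a.business_priority]
    if f.kind in ("cve", "advisory"):  # exploitability and news apply to vulns only
        score *= 1.0 + 0.2 * f.epss
        if f.kev:
            score *= 1.15
        if f.trending:
            score *= 1.1
    return max(0, min(100, round(score)))


def top_actions(inventory: dict[Asset, list[Finding]], limit: int = 30) -> list[dict]:
    """Aggregate each finding's risk across every asset it appears on and rank.

    Assumed aggregation: total risk removed if the finding were fixed everywhere,
    with the asset count (the blast radius shown on findings) as tiebreaker.
    """
    totals: dict[str, dict] = {}
    for asset, findings in inventory.items():
        for f in findings:
            row = totals.setdefault(f.id, {"finding": f.id, "total_risk": 0,
                                           "blast_radius": 0, "max_score": 0})
            s = risk_score(f, asset)
            row["total_risk"] += s
            row["blast_radius"] += 1
            row["max_score"] = max(row["max_score"], s)
    ranked = sorted(totals.values(),
                    key=lambda r: (r["total_risk"], r["blast_radius"]), reverse=True)
    return ranked[:limit]


# Constructed sample space (hypothetical assets and findings, not real data).
PROD_DB = Asset("prod-db-01", "internet", "database", "business-critical")
WEB = [Asset(f"web-{i:02d}", "internet", "web server") for i in range(1, 4)]
DEV_LAPTOP = Asset("dev-laptop", "local")
TEST_VM = Asset("test-vm-07", "none")  # isolated, no exposure

CRITICAL_CVE = Finding("CVE-EXAMPLE-CRIT", "cve", cvss=9.8, epss=0.97, kev=True, trending=True)
SSH_ROOT = Finding("ssh-permit-root-login", "misconfiguration", impact="High")
MEDIUM_ADVISORY = Finding("ADV-EXAMPLE-MED", "advisory", cvss=5.3, epss=0.01)

INVENTORY: dict[Asset, list[Finding]] = {
    PROD_DB: [CRITICAL_CVE, SSH_ROOT],
    **{w: [SSH_ROOT] for w in WEB},
    DEV_LAPTOP: [SSH_ROOT, MEDIUM_ADVISORY],
    TEST_VM: [CRITICAL_CVE, SSH_ROOT],
}

if __name__ == "__main__":
    # Same CVE, two assets: Critical on the exposed database, Medium on the isolated VM.
    for asset in (PROD_DB, TEST_VM):
        s = risk_score(CRITICAL_CVE, asset)
        print(f"{CRITICAL_CVE.id} on {asset.name}: {s} ({severity_band(s)})")
    for row in top_actions(INVENTORY):
        print(row)
```

Two things the model makes concrete. First, the same Critical CVE lands in different bands depending on context: saturated at 100 on the internet-facing, business-critical database, but Medium on the isolated test VM once the attack-surface factor pulls it down. Second, under the assumed sum-across-assets aggregation, a High misconfiguration present on all six assets outranks the Critical CVE that appears on only two, which is exactly the kind of fleet-wide fix a Top Actions list is meant to surface; the blast radius count on each row shows why.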