Risk Dimensions
How Mondoo adjusts finding severity based on real-world asset context across five dimensions: attack surface, blast radius, business priority, exploitability, and news.
Not every asset with the same vulnerability deserves the same urgency. An internet-facing production database and a developer's test VM might share the same CVE, but the real-world risk is very different. Risk dimensions are how Mondoo captures that context, adjusting each finding's score based on the asset it affects.
The five dimensions
Mondoo evaluates every asset across five dimensions. Each can raise or lower the risk score of findings on the asset.
Attack surface
How exposed the asset is to the outside world.
| Level | Meaning | Effect on risk |
|---|---|---|
| Internet | Reachable from the public internet | Raises |
| Network | Reachable from an internal network | Neutral |
| Local | Has open ports, but only locally | Lowers |
| System | Service running but not listening on any network | Lowers |
| None | No detected attack surface | Lowers |

Blast radius
What kind of service the asset provides. High-value targets weigh more.
| Service type | Effect on risk | Examples |
|---|---|---|
| Database | Strongly raises | PostgreSQL, MySQL, MongoDB |
| Identity | Raises | LDAP, Active Directory, OAuth providers |
| LLM Agent | Strongly raises | Claude, Gemini, Codex |
| Open Connections | Strongly raises | A high number of open connections |
| Kubernetes | Raises | API server, kubelet, etcd |
| Keys | Neutral | Key vaults, HSMs |
Business priority
How important the asset is to your organization. Unlike the other dimensions, business priority is not auto-detected. You apply it with annotations.
Environment classification (default key: mondoo.com/business-priority):
| Value | Effect on risk |
|---|---|
| business-critical | Raises |
| dev | Lowers |
| test | Significantly lowers |
CIA (Confidentiality / Integrity / Availability) rating (default key: mondoo.com/cia):
A CIA rating can only raise risk. Use it to flag assets that handle sensitive data; higher values contribute more.
| Value | Meaning | Effect on risk |
|---|---|---|
| 0 | Public information, no integrity or availability needs | Raises slightly |
| 1 | Internal information, basic integrity needs | Raises somewhat |
| 2 | Sensitive data, protected access required | Raises moderately |
| 3 | Critical data, strict CIA requirements | Strongly raises |
If both annotations are present, the one with the stronger effect wins.

Exploitability
How likely a vulnerability is to be exploited in the real world. Mondoo combines two industry sources:
- EPSS (Exploit Prediction Scoring System): the probability of exploitation in the next 30 days.
- KEV (Known Exploited Vulnerabilities): whether CISA has confirmed real-world exploits.
A Medium-severity CVE that's actively being exploited often outranks a Critical one with no known exploits.
Note: Exploitability applies only to vulnerability findings, not check failures.
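The reordering described above, as an added illustration rather than Mondoo's own scoring formula: a small ranker that combines the CVSS qualitative severity with the EPSS probability and the KEV flag. The point weights, the `Finding` layout and the placeholder CVE identifiers are all assumptions constructed for this example; only the three signals themselves come from the page.

```python
"""Illustrative ranking of vulnerability findings by exploitability signals.

Added example, not Mondoo's scoring formula. It shows how combining CVSS
severity with EPSS (probability of exploitation in the next 30 days) and
KEV (CISA-confirmed exploitation) reorders findings so that an actively
exploited Medium outranks a Critical with no known exploits.
The weights below are assumptions chosen for the demonstration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Base points per CVSS qualitative severity (assumed for this example).
SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 5.0, "low": 2.0}
KEV_BONUS = 4.0      # assumed: a confirmed real-world exploit is a strong signal
EPSS_WEIGHT = 5.0    # assumed: scales the 0..1 EPSS probability into points


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str      # CVSS qualitative severity label
    epss: float        # EPSS probability, 0.0..1.0
    kev: bool          # listed in CISA KEV?


def exploitability_score(f: Finding) -> float:
    """Severity base plus EPSS-weighted points plus a KEV bonus."""
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"EPSS out of range for {f.cve}: {f.epss}")
    score = SEVERITY_BASE[f.severity.lower()]
    score += EPSS_WEIGHT * f.epss
    if f.kev:
        score += KEV_BONUS
    return round(score, 2)


def rank(findings: Iterable[Finding]) -> List[Finding]:
    """Highest exploitability score first."""
    return sorted(findings, key=exploitability_score, reverse=True)


# Constructed sample findings; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0001", "critical", 0.02, False),  # Critical, no known exploits
    Finding("CVE-0000-0002", "medium", 0.85, True),     # Medium, in KEV, high EPSS
    Finding("CVE-0000-0003", "high", 0.10, False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.cve} {f.severity:<8} epss={f.epss:.2f} "
              f"kev={f.kev} score={exploitability_score(f)}")
```

With these weights the KEV-listed Medium lands on top, the unexploited Critical second. The lesson is the ordering, not the numbers: any scheme that lets a confirmed exploit outweigh a severity band will produce this inversion, which is why the note above matters when a team expects a strictly CVSS-ordered list.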
News
Whether a vulnerability is trending in security media and social channels. High-profile CVEs attract more attack activity. News can only raise risk.
Note: News applies only to vulnerability findings, not check failures.
Override automatic detection
Mondoo detects most dimensions automatically from scan data, but detection isn't always right. A server behind a VPN might look network-accessible when it's really local; a database on a non-standard port might not be identified. Annotations let you correct this.
Annotations can be set at three levels:
- Organization. Applies to every asset in the org.
- Space. Applies to every asset in the space.
- Asset. Applies to a single asset.
Narrower scopes win: an asset annotation overrides a space annotation, which overrides an organization annotation. Cloud provider tags from AWS, Azure, GCP, and others are ingested as asset labels and work as overrides too.

Annotation reference
| Annotation key | Valid values | Dimension |
|---|---|---|
| mondoo.com/attack-surface | internet, network, local, system, none | Attack Surface |
| mondoo.com/blast-radius | database, llm-agent, identity, open-connections, kubernetes, keys | Blast Radius |
| mondoo.com/business-priority | business-critical, dev, test | Business Priority |
| mondoo.com/cia | 0, 1, 2, 3 | Business Priority |
| mondoo.com/exploitability | -1.0 to 1.0 | Exploitability |
| mondoo.com/news | -1.0 to 1.0 | News |
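The scope precedence rule from the override section and the valid values from the annotation reference, combined in one added example. This is not Mondoo's code: it is a resolver that validates each key against the table above and merges organization, space and asset annotations so that the narrower scope wins. The scope names and the nested-dictionary input layout are assumptions made for the example.

```python
"""Illustrative resolver for Mondoo-style risk-dimension annotations.

Added example, not Mondoo's own code. It applies two rules from the page:
each key only accepts the values in the annotation reference, and narrower
scopes win (asset overrides space, space overrides organization).
The scope names and the dictionary layout are assumptions for this example.
"""
from typing import Dict

# Valid values per annotation key, taken from the annotation reference.
ANNOTATION_KEYS = {
    "mondoo.com/attack-surface": {"internet", "network", "local", "system", "none"},
    "mondoo.com/blast-radius": {"database", "llm-agent", "identity",
                                "open-connections", "kubernetes", "keys"},
    "mondoo.com/business-priority": {"business-critical", "dev", "test"},
    "mondoo.com/cia": {"0", "1", "2", "3"},
}
# These keys accept any number in -1.0..1.0 instead of a fixed set.
NUMERIC_KEYS = {"mondoo.com/exploitability", "mondoo.com/news"}

# Broadest to narrowest; a later scope overrides an earlier one.
SCOPE_ORDER = ("organization", "space", "asset")


def validate(key: str, value: str) -> str:
    """Return the value unchanged if it is legal for the key, else raise."""
    if key in ANNOTATION_KEYS:
        if value not in ANNOTATION_KEYS[key]:
            raise ValueError(f"{key}: {value!r} not in {sorted(ANNOTATION_KEYS[key])}")
        return value
    if key in NUMERIC_KEYS:
        try:
            num = float(value)
        except ValueError:
            raise ValueError(f"{key}: {value!r} is not a number") from None
        if not -1.0 <= num <= 1.0:
            raise ValueError(f"{key}: {num} outside -1.0..1.0")
        return value
    raise KeyError(f"unknown annotation key {key!r}")


def is_valid(key: str, value: str) -> bool:
    """Boolean wrapper around validate() for callers that prefer no exceptions."""
    try:
        validate(key, value)
    except (ValueError, KeyError):
        return False
    return True


def resolve(annotations: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Merge annotations from organization, space and asset; narrower scope wins."""
    effective: Dict[str, str] = {}
    for scope in SCOPE_ORDER:
        for key, value in annotations.get(scope, {}).items():
            effective[key] = validate(key, value)
    return effective


# Constructed sample: the org defaults to business-critical, the space is a dev
# space, and one asset corrects its exposure to local and flags sensitive data.
SAMPLE = {
    "organization": {"mondoo.com/business-priority": "business-critical"},
    "space": {"mondoo.com/business-priority": "dev",
              "mondoo.com/attack-surface": "network"},
    "asset": {"mondoo.com/attack-surface": "local", "mondoo.com/cia": "3"},
}

if __name__ == "__main__":
    for key, value in sorted(resolve(SAMPLE).items()):
        print(f"{key} = {value}")
```

Validating at resolve time is deliberate: a misspelled value such as `mondoo.com/attack-surface: pubic` should fail loudly rather than silently leave the detected level in place, because a quiet failure here means an internet-facing asset keeps scoring as if it were local.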
Examples
- Correct a wrong exposure level. A server behind a VPN shows as network-accessible. Set `mondoo.com/attack-surface: local` on the asset.
- Mark dev environments. Set `mondoo.com/business-priority: dev` on a whole space dedicated to development. Every asset in the space gets a lower score.
- Flag systems with sensitive data. Apply `mondoo.com/cia: 3` to assets that process payments or PII so their findings surface first.
Tune dimension weights
You can adjust how strongly each dimension influences scores, or disable a dimension entirely. This is set at the organization level and applies to every space.
For each dimension you can:
- Adjust its weight to make it count more or less toward the final score.
- Disable it to remove its effect entirely.
- Add custom detections, such as additional key-value pairs that satisfy the business-priority dimension.

To make these changes, read Configure Risk Dimensions.
Why it matters
Internet-facing database vs. test VM. A critical CVE appears on both an internet-facing PostgreSQL database and a developer's test VM. Without dimensions, both findings score similarly. With dimensions, the database climbs (internet exposure, database blast radius, business-critical) and the VM drops (local-only, test environment). The database lands in Top Actions; the VM falls down the list.
Trending CVE on a payment server. A newly disclosed CVE starts trending and shows high exploitation activity. On a server annotated with mondoo.com/cia: 3, both the exploitability and news dimensions raise the score, and the business-critical classification adds more. The finding jumps to the top of the priority list without any manual intervention.