The Insecure Systems risk vector assessment is based on the supported/unsupported status and the level of risk that has been introduced to an organization.
| Concept | Behavior |
|---|---|
| | A default risk vector grade is assigned. The rating is positively impacted if there are no findings for this risk vector. |
| | The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. Duration: 60 Days |
| Weight | Percentage (out of 70.5% in Diligence): 2.5% |
Evaluation
Insecure Systems findings are evaluated as WARN, BAD, or NEUTRAL. An overall letter grade is calculated, using the evaluations of individual findings.
Software versions that cannot be determined or are unsupported, but still receive security fixes, are evaluated as “NEUTRAL.” These items do not affect the Insecure Systems grade, but should be resolved.
See finding messages:
- December 21, 2025: Updated language to align with product updates.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- December 12, 2023: Linked to no findings definition.
- December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.