Skip to main content
Security Posture Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Asset Importance

Ingrid

Asset Importance estimates the significance of a given asset (IP, domain, hostname, mobile application) to an organization. This importance is recalculated daily and may fluctuate as new data is processed. Importance levels range from Low to Critical, with specific assets categorized based on several key criteria.

Related data:

Data Sources Used

Bitsight calculates asset importance using multiple data types, including:

  • Passive DNS Data: Tracks DNS lookups to assess asset activity and usage.
  • Web Crawling Data: Extracts information about web applications and services.
  • Internet-Wide Scanning: Captures details on services and protocols exposed by assets.
  • Device Activity Data: Identifies usage patterns of workstations and internet-connected devices.
  • Threat Intelligence Data: Provides insights into compromised systems and botnet infections

These datasets provide insights into asset usage and interaction patterns, feeding into the algorithm that determines importance.

Importance Criteria

A number of factors are used in the algorithm to determine how assets are ranked by relative importance to the organization. The system regularly incorporates new data and recalculates it into asset importance daily. As a result, the calculated importance could change from day to day because of changes in the underlying inputs.

  • We advise creating a user-assigned asset importance if you require a static asset importance.
  • An asset of the highest importance within a subsidiary may not necessarily have a high importance relative to the other assets within a larger parent.
System Usage

The most notable contribution is the measurement of a system’s usage. The more distinct machines that are accessing a particular asset on the Internet are, the higher the importance of the asset. This is agnostic of the service or protocol used to access that system.

Egress IP

The IP address where the traffic on an organization’s endpoint devices exits their network onto the Internet are of higher importance.

Information Submission

Underutilized systems that contain sensitive data may pose a security risk, such as B2B applications or latent test or development systems. This factors in the website’s support for the user’s ability to submit information. It could take the form of mailing list enrollments, registration, login credentials, or any situation where the user is providing information to the server.

Service Classification

The type of service made available is evaluated, and the importance of its function is considered in its importance.

Example Service Categories: “Authentication protocols,” “Databases,” “System remote access,” “Network remote access,” “Communication services,” “Network infrastructure,” “ICS protocols,” “File exchange,” and “Mail systems,” among others.

Special Certificates

Systems that are provisioned with special certificates, known as “Extended Validation (EV) certificates,” are of high importance.

These metrics are processed through a weighted algorithm that assigns a rank to each asset, categorizing it into Low, Medium, High, or Critical importance.

Service Classification Importance

The type of service detected on an IP plays a major role in determining how important that asset is. Bitsight classifies services into predefined service groups, which are then mapped to an Asset Importance Category based on how risky they are when exposed.

Only the most sensitive service group funf on an IP is used to assign its Service Criticality, an input into the asset's final importance.

Note: Each IP asset is classified into one service group only, based on the most sensitive service detected. 

This category helps explain why an asset is scored as high, moderate, or low importance, even if other signals (like DNS usage or infection) are low.

Importance Category Service Group Example Protocols Weight Meaning
Minimal Web Content HTTP, HTTPS, UPnP, Line Printer Daemon 0 Public-facing services for content delivery. Low sensitivity unless paired with login or data entry functionality.
Network Time Protocol NTP 0.02 Time sync across systems. Low risk unless misconfigured; can be abused in DDoS amplification.
File Exchange FTP 0.05 Legacy file transfer protocol. Often unencrypted and misconfigured, posing exposure risks.
Network Infrastructure DNS, DHCP, SNMP, BGP, RIP 0.1 Core networking services. Not sensitive alone but useful for attackers in recon or reflection attacks.
Low Authentication Protocols LDAP 0.2 Manages access to users and apps. Exposure can reveal credentials, enable impersonation, and allow unauthorized access.
System Remote Access SSH, RDP, Telnet, VNC, SMB 0.3 Provides admin access. Frequently targeted for brute force or lateral movement.
Moderate Industrial Control Systems BACnet, Niagara Fox 0.4 Control physical/operational systems. Exposure may result in disruption or safety risks.
Network Remote Access IKE, IKE-NAT-T, PPTP 0.5 VPN and tunneling protocols. Can grant access into internal networks if exposed.
High Communication Services SMTP, POP3, IMAP, SIP, XMPP 0.6 Manage messaging and email. Exposure may lead to spam abuse, phishing, or data leaks.
Databases MySQL, PostgreSQL, MongoDB, Redis, Memcached 0.7 Store sensitive or regulated data. Exposure presents a direct path to data breaches or exfiltration.

The importance value of each service contributes to the overall asset ranking, with higher values assigned to more critical functions such as databases and communication services.

Domain-Based Asset Criteria

The following criteria are used for domain-based assets:

  • System Usage
    • Measures how frequently distinct machines access a domain. This is calculated as the relative frequency of DNS lookups, with more frequently accessed domains given higher importance.
  • Information Submission
    • Indicates whether the domain supports user-submitted data, such as forms for registrations or logins. Domains with user-submitted data are assigned a higher importance.
  • Special Certificates
    • Recognizes the presence of Extended Validation (EV) certificates, which provide added security assurance and increase the importance score.

The final importance score for domain-based assets prioritizes System Usage as the main factor. If the domain is frequently accessed, it’s assigned a higher weight, with additional weight added from Information Submission and Special Certificates where applicable.

Asset Importance Evidence Insights

To provide greater transparency into how asset importance is calculated, the UI displays the underlying criteria used to compute importance scores. These data signals contribute to the calculated importance of each asset.

Only the criteria relevant to the asset type (e.g., domain, IP, Android app, iOS app) are shown in the UI. If no data is available for a given asset, this means we are still collecting the necessary signals. In such cases, the asset receives a default “Low Importance” score.

Domains:

Attribute Field Value Meaning
System Usage DNS Queries Numeric (e.g., 1.2K, 4.6M) Measures how often this domain is accessed via DNS. High counts indicate the domain is actively used and more likely to support critical services or exposure points.
Max DNS Queries (Company) Numeric (company benchmark) Shows the highest DNS volume across any domain in the same company or group. Used to calculate visibility and compare domain importance.
Visibility Ratio Percentage (0%–100%) Indicates how visible this domain is compared to your most-used domain. Higher ratios point to greater exposure and importance in the context of your digital footprint.
User Interaction User Input Enabled Yes / No Tells whether users can submit data to this domain (e.g., login forms, contact fields). Domains accepting input are more sensitive and should be prioritized for protection.
Certificates Extended Validation Yes / No Reflects if the domain uses an Extended Validation (EV) certificate, confirming verified organizational ownership. These are typically used on trusted, high-value services.
Visibility Exposure level Category: None, Minimal, Low, Moderate, High Reflects a combination of DNS traffic, input acceptance, and certificate trust. Even a domain with low traffic may be marked as “Moderate” or “High” if it accepts input or has a verified certificate. Use this to prioritize lesser-known but potentially sensitive assets.

Exposure levels for domains:

Category Typical Characteristics Value Meaning
None No DNS or services observed Likely inactive or decommissioned. No prioritization needed unless newly added.
Minimal Very low DNS, no input or certs Placeholder or dormant domains. Monitor for changes, not critical.
Low Some traffic, partial trust or interaction Possibly backend or support assets. Moderate relevance.
Moderate Regular traffic, some interaction, valid certs Consistently used domains. Should be part of risk management plans.
High High DNS, input accepted, EV cert present Business-critical or externally exposed domains. Prioritize.

IP addresses:

Attribute Field Value Meaning
Security Observations Infection Events Numeric (e.g., 36, 2.5K) The number of times this IP was seen in threat intelligence data. Frequent infections suggest recurring compromise, risk, or abuse.
Max Infection Events (Company) Numeric (company benchmark) The highest infection count seen for any IP in the company. Used to calculate relative infection severity across assets.
Infection ratio Percentage (0%–100%) Shows how compromised this IP is relative to the company’s most infected asset. Higher values signal greater risk and prioritization need.
Hosts Importance Category: None, Minimal, Low, Moderate, High Reflects how much importance this IP inherits from connected domain hosts. Even quiet IPs may be critical if linked to important systems or services.
Visibility Ratio Percentage (0%–100%) Shows how visible the IP address inherited domain hosts are compared to your company's most-accessed domains. A higher value means more business relevance.
Services Criticality Category: Minimal, Low, Moderate, High Identifies the most critical service exposed by this IP. Some services (like databases) carry higher risk if exposed. Only the most sensitive one is counted.
Visibility Score Exposure level Category: None, Minimal, Low, Moderate, High The overall importance level of this IP, calculated from services, compromise, and inheritance. Helps identify IPs most at risk or most central to operations.

Exposure level for IP addresses:

Category Typical Characteristics Meaning
None No open ports, no activity Likely offline or internal-only. Not externally exposed.
Minimal Low-risk background systems Limited potential for misuse. May not require action.
Low Some exposure or inherited importance Often shared or secondary infrastructure. Monitor based on role.
Moderate Sensitive services or steady exposure High enough to impact operations if compromised. Prioritize when linked to core services.
High Critical services exposed (e.g., DB, auth) Must be prioritized. Represents direct risk to business continuity or data.

Mobile Apps: Android

Attribute Field Value Meaning
Application Downloads Numeric (e.g., 36, 2.5K) Total number of downloads for this specific Android app, based on Google Play Store data. A high number indicates greater user reach, exposure, and potential business impact.
Company Highest Numeric Highest download count across all Android apps associated with the company. Used as a benchmark to assess relative importance of other apps.
Lowest Numeric Lowest download count across Android apps in the company. Helps identify niche, underused, or possibly outdated applications.
Applications Numeric Total number of Android apps published by the company. Indicates breadth of mobile footprint and Play Store presence. A higher number often means wider product reach or internal app diversity.

Mobile Apps: iOS

Attribute Field Value Meaning
Application Downloads Numeric (e.g., 36, 2.5K) Total number of ratings received by this iOS app, used as a proxy for popularity. Apple does not expose download counts, so this reflects user engagement and reach.
Company Highest Numeric Highest rating count among all iOS apps in the company. Used as a baseline to measure visibility and comparative importance.
Lowest Numeric Lowest rating count across iOS apps in the company. Helps identify underutilized or internally scoped apps.
Applications Numeric Total number of iOS apps published by the company. Reflects the size of the organization’s iOS presence in the Apple Play Store. A higher number may suggest wider product or internal tool distribution.

IP-Based Asset Criteria

The following criteria are used for IP-based assets:

  • System Usage
    • Measures how frequently an IP is accessed and assigns higher importance to more frequently accessed IPs.
  • Egress IP
    • Identifies IPs that are primary exit points for traffic from an organization’s network, especially those associated with endpoint devices. Egress IPs are given additional weight if they show high activity or signs of infection.
  • Host Extension
    • Integrates the importance scores from related host assets, allowing an IP to inherit the associated host's highest importance score.
  • Service Score
    • Assesses the importance of services running on the IP, such as databases or authentication protocols. It uses the weights described above.

The final importance of each IP-based asset is determined by using the highest value of these four criteria. Based on the calculated results, each asset is then mapped to a specific importance category.

Importance categories and their calculated numerical values:

Critical

0.1 and above

High

0.01 to 0.099

Medium

0.001 to 0.0099

Low

Below 0.001

None
null

The algorithm assigns an importance score by combining weighted values for specific criteria tailored for domain-based and IP-based assets. This separation ensures that each asset type is evaluated using relevant factors, with scores helping prioritize critical assets. The threshold filters out low-importance assets, focusing the results on those of higher importance.

Mobile Apps Asset Criteria

The importance of an app is determined by its number of downloads (for Android) or ratings (for iOS) compared to other apps from the same company.

  • Special Cases
    • If the number of downloads / ratings is missing -> Medium 
    • If the number is zero -> Low 
    • If the company only has one app -> Medium
  • When apps have similar numbers (the biggest and the smallest are not very far apart - less than 100x difference), the app’s importance depends on how many times bigger it is than the smallest one:
    • Less than 2x -> Low
    • 2-5x -> Medium
    • 5-10x -> High
    • 10x or more -> Critical
  • When apps have very different numbers (100x or more gap), the app’s importance depends on what share it has of the most popular one:
    • Less than 0.1% -> Low
    • 0.1-1% -> Medium
    • 1-10% -> High
    • 10% or more -> Critical

The algorithm assigns an importance score by combining weighted values for specific criteria tailored for domain-based and IP-based assets. This separation ensures that each asset type is evaluated using relevant factors, with scores helping prioritize critical assets. The threshold filters out low-importance assets, focusing the results on those of higher importance.

Sampling and Thresholds in the Asset Importance Algorithm

The asset importance algorithm includes a sampling mechanism to ensure that the most relevant assets are highlighted. This approach helps users focus on high-impact assets by filtering out low-importance items and maintaining efficient processing.

  • Limit on Assets per Entity: To maintain performance and clarity, there is a limit of 500,000 assets per entity. This cap helps prevent the system from being overwhelmed by an excessive number of assets while still providing a comprehensive view of high-priority infrastructure. For large organizations with extensive digital footprints, this limit balances detail with usability, ensuring that the list remains manageable and actionable.

Assigned Importance

Assigned Importance Types

User Importance

A user-assigned asset importance.

Users may assign an importance level to assets in their SPM companies (My Company, My Subsidiary, and subscribed companies in the same ratings tree as the My Company).

Calculated Importance

A Bitsight-calculated asset importance.

  • The importance of user-assigned assets replaces the Bitsight-calculated asset importances any time importances are referenced (e.g., Assets, Asset Risk Matrix on the remediation tab, Attack Surface Analytics charts).
  • User-assigned asset importance are contained within the entity in which they were assigned; They do not translate across the tree.
  • User-assigned importances are visible to all users in your organization who can see the company where the asset importance was customized. They are not visible to any third parties monitoring your organization.

User-Assigned Importance Labels

User-assigned asset importances are labeled with a Person User icon near the asset importance section in the Assets tab. The following additional details are included:

Calculated Importance

The Bitsight-calculated asset importance.

Importance Updated

The date when the importance was assigned.

Updated By

The name of the editing user.

User Importance

The user-assigned asset importance.

  • October 21, 2025: Added Mobile Apps Asset Criteria; Removed Importance Threshold for Hosts
  • December 12, 2024: Added Data Sources Used, Importance Criteria, Service Classification Importance, Asset Importance Algorithm, and Sampling and Thresholds in the Asset Importance Algorithm sections; Described why assets appear and disappear.
  • September 26, 2023: Data review and calculation frequency and how they affect importance criteria; Separated user-assigned asset importance instructions.
  • November 30, 2021: Linked to the Assets page overview.
Was this article helpful?
9 out of 11 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.