Lumu Discover - Risk Score

The Risk Score is a dynamic metric ranging from 0 to 100 that quantifies your organization's External Attack Surface Risk. Rather than counting vulnerabilities, it measures how much actionable intelligence is currently available to adversaries for planning and executing an attack. The governing principle is visibility: as the exposure of your assets, credentials, and vulnerabilities increases, the barrier to entry for a successful breach decreases. By viewing your infrastructure through an adversarial lens, the Risk Score turns scattered threat signals into a single indicator of breach probability, giving you the context needed to anticipate and neutralize attacks before they occur. Note that a higher score is better: 100 represents minimal exposure, while a score near 0 indicates active compromise.

The score condenses fragmented threat data (active malware, stolen credentials, critical vulnerabilities) into a single, easy-to-understand metric. By synthesizing these signals, it supports strategic decisions about where to spend remediation effort, shifting focus from general monitoring to targeted, data-driven remediation of the most critical exposures.

Understanding your score

The score places your organization into one of five categories. This classification helps you immediately understand the urgency of your situation and the resources required for remediation.

Score range and category, with operational implication and recommended response:

  • 0-19 CRITICAL
    Operational implication: Immediate danger. This score indicates the presence of active threats, such as malware infections actively harvesting data. Attacker access to your network is highly probable.
    Recommended response: Emergency response. Escalate immediately. Focus resources on isolating infected devices and resetting compromised credentials to sever attacker access.
  • 20-39 HIGH
    Operational implication: Serious exposure. Your attack surface is highly visible, with clear exploitation paths available through unpatched systems or leaked credentials.
    Recommended response: Prioritize remediation. Allocate immediate resources to patch high-risk vulnerabilities and secure exposed accounts to reduce the attack surface.
  • 40-59 MEDIUM
    Operational implication: Moderate risk. While not immediately critical, gaps in your defense exist. These weaknesses degrade your security posture and offer potential entry points if left unaddressed.
    Recommended response: Plan remediation. Integrate fixes into your regular maintenance cycles. Review infrastructure hygiene to close non-critical gaps.
  • 60-79 LOW
    Operational implication: Minor exposure. Your organization maintains a relatively secure posture with limited actionable intelligence available to attackers.
    Recommended response: Routine monitoring. Continue addressing minor issues as they arise within standard operational cycles.
  • 80-100 MINIMAL
    Operational implication: Optimal posture. Your external footprint is minimized, making your organization a hard target for adversaries.
    Recommended response: Maintain. Sustain current monitoring and security practices to ensure continued protection.

How the score is calculated

The score is a weighted aggregation of five specialized indices, each measuring a specific type of threat. The weights (listed under Score indices below) reflect how critical each threat type is to your security, and they sum to 100%.

How time affects the score

The Risk Score incorporates a Time Decay mechanism so that the score reflects your current threat landscape rather than historical data. Each index is assigned one of the following decay factors according to how time-sensitive its findings are:

  • Heavy Decay (Stealer and Exposure indices): these findings are extremely time-sensitive. A credential stolen yesterday is an immediate crisis; one stolen three years ago is far less likely to still be valid. The system therefore aggressively reduces the impact of older findings in these indices.
  • Moderate Decay (Vulnerability index): software vulnerabilities remain dangerous until patched, but newer ones (zero-days or recently disclosed CVEs) often lack established defenses and are weighted more heavily to drive urgent patching. Decay reduces an old CVE's contribution to the score, not its exploitability: an unpatched CVE with a public exploit remains a remediation priority regardless of its age.

The scoring system also applies different temporal logic depending on the nature of the data, classifying each index as Dynamic or Static Risk.

  • Dynamic Risk: applies to the Infrastructure and Typosquatting indices. These represent living states that change as your network changes, so their scores are taken from the latest scan results and show the current state of your external configuration. No decay applies: a finding counts in full until a later scan shows it is gone.
  • Static Risk: applies to the Stealer, Vulnerability and Exposure indices. These represent events that occurred at a single point in time, and once data is leaked it is out there permanently. The Time Decay mechanism applies here: the data remains a threat, but its immediate contribution to the score gradually decreases as the information becomes stale or passwords are changed.

Score indices

Each index, with its weight in the composite score and its decay factor:

  • Stealer Index (weight 40%, Heavy decay)
    Tracks active infostealer malware on devices associated with your users that is harvesting data such as passwords and cookies. This is the most critical threat because stolen credentials give adversaries authorized, direct access to your systems.
  • Vulnerability Index (weight 20%, Moderate decay)
    Tracks known security weaknesses (CVEs) in your internet-facing systems, such as unpatched software or outdated infrastructure. These are open windows that attackers can exploit to break into your network.
  • Infrastructure Index (weight 20%, no decay)
    Measures the complexity and hygiene of your external network, including risky open ports, subdomain sprawl, and asset dispersion. A complex, disorganized attack surface creates more hiding spots and entry points.
  • Exposure Index (weight 15%, Heavy decay)
    Looks for corporate credentials (emails and passwords) found in public data breaches and leaks. Adversaries use these lists for credential stuffing attacks to take over accounts.
  • Typosquatting Index (weight 5%, no decay)
    Finds fraudulent domains that mimic your brand (e.g., my-company.com vs mycompany.com). These domains are used primarily for phishing attacks against your employees and customers.

How to improve your score

To raise your Risk Score effectively (a higher score means less exposure), prioritize your actions by index weight and use automated response tools where available:

  1. Hunt Infostealers (Stealer Index)
    Since this index accounts for 40% of your total score, cleaning infected endpoints is the most impactful way to improve your posture. Locate infected assets immediately to stop further credential exfiltration, then reset the credentials and invalidate the sessions those devices held; infostealers harvest cookies as well as passwords, so a password reset alone leaves stolen session cookies usable.
    Automate defense: if not already implemented, deploy Lumu Defender, which enables an automated response to malicious command-and-control (C2) communications in real time.
  2. Secure Accounts (Exposure Index)
    If the system detects recent leaks, act immediately to prevent unauthorized access: force password resets for affected users and ensure Multi-Factor Authentication (MFA) is enabled.
    Forensic analysis: use Lumu's detection capabilities to monitor for Unusual Login or Brute Force incidents. These are often the aftermath of a leak; identifying these patterns helps confirm whether a known data leak or infostealer is the root source of an active attack.
  3. Patch Critical Systems (Vulnerability Index)
    Focus on internet-facing assets to shut down easy entry points. Prioritize vulnerabilities with known exploits that match your specific infrastructure profile.
  4. Audit Your Network (Infrastructure Index)
    Reduce your attack surface by maintaining strict hygiene across your digital footprint: close unused ports and decommission old test servers that no longer serve a business purpose.
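The mechanics described in this article (a weighted aggregation of five indices, Heavy/Moderate/no decay, the static/dynamic split, the 0-100 category bands) and the priority argument in this section can be made concrete with a small model. The Python below is an added illustration written for this page, not Lumu's scoring code: the weights, decay factors and category bands come from the tables above, while the exponential decay curve, its half-lives, the per-finding impact scale and every sample finding are assumptions constructed for the example.

```python
"""Worked model of a weighted, time-decayed composite Risk Score (illustrative).

From the page: index weights, Heavy/Moderate/no decay per index, the
static/dynamic split and the 0-100 category bands.
ASSUMED for illustration (not published by Lumu): exponential decay, the
half-lives, the per-finding impact scale and all sample findings.
"""
from dataclasses import dataclass
from datetime import date

# Index weights from the page; they sum to 1.0.
WEIGHTS = {"stealer": 0.40, "vulnerability": 0.20, "infrastructure": 0.20,
           "exposure": 0.15, "typosquatting": 0.05}

# Decay factor per index from the page. None = dynamic index: the latest scan
# result is used as-is and nothing decays.
DECAY = {"stealer": "heavy", "vulnerability": "moderate", "infrastructure": None,
         "exposure": "heavy", "typosquatting": None}

# ASSUMPTION: exponential decay with these half-lives in days.
HALF_LIFE_DAYS = {"heavy": 30.0, "moderate": 365.0}

# Category bands from the page as (lower bound, label), highest first.
CATEGORIES = [(80, "MINIMAL"), (60, "LOW"), (40, "MEDIUM"), (20, "HIGH"), (0, "CRITICAL")]


@dataclass(frozen=True)
class Finding:
    """One static finding: an infection, a leaked credential or a CVE."""
    index: str
    impact: float   # ASSUMPTION: index points the finding costs at age zero
    observed: date  # date the finding was first seen


def decay_multiplier(index: str, age_days: int) -> float:
    """Fraction of a finding's impact that still counts after age_days."""
    kind = DECAY[index]
    if kind is None:  # dynamic indices never decay
        return 1.0
    return 0.5 ** (max(age_days, 0) / HALF_LIFE_DAYS[kind])


def static_index_score(index: str, findings, today: date) -> float:
    """100 minus the decayed impact of every finding in the index, floored at 0."""
    penalty = sum(f.impact * decay_multiplier(index, (today - f.observed).days)
                  for f in findings if f.index == index)
    return max(0.0, 100.0 - penalty)


def composite_score(index_scores: dict) -> float:
    """Weighted sum of the five index scores: 0-100, higher is better."""
    return sum(WEIGHTS[k] * index_scores[k] for k in WEIGHTS)


def categorize(score: float) -> str:
    """Map a composite score to the page's five categories."""
    for lower, label in CATEGORIES:
        if score >= lower:
            return label
    raise ValueError(f"score out of range: {score}")


def score_organization(findings, dynamic_scores: dict, today: date):
    """Return (composite, category, per-index scores)."""
    scores = dict(dynamic_scores)  # infrastructure, typosquatting from latest scan
    for index, kind in DECAY.items():
        if kind is not None:  # static indices are rebuilt from decayed findings
            scores[index] = static_index_score(index, findings, today)
    total = composite_score(scores)
    return total, categorize(total), scores


def remediation_gain(findings, dynamic_scores, today, fixed: Finding) -> float:
    """Composite points gained right now by fully remediating one finding."""
    before, _, _ = score_organization(findings, dynamic_scores, today)
    remaining = [f for f in findings if f != fixed]
    after, _, _ = score_organization(remaining, dynamic_scores, today)
    return after - before


# Constructed sample data, not real telemetry.
TODAY = date(2025, 6, 1)
FRESH_INFECTION = Finding("stealer", 60, date(2025, 6, 1))   # seen today
OLD_INFECTION = Finding("stealer", 40, date(2025, 3, 3))     # 90 days = 3 Heavy half-lives
FRESH_CVE = Finding("vulnerability", 20, date(2025, 6, 1))
OLD_CVE = Finding("vulnerability", 50, date(2024, 6, 1))     # 365 days = 1 Moderate half-life
RECENT_LEAK = Finding("exposure", 30, date(2025, 5, 2))      # 30 days = 1 Heavy half-life
ANCIENT_LEAK = Finding("exposure", 40, date(2022, 6, 1))     # ~3 years: decays to ~0
SAMPLE_FINDINGS = [FRESH_INFECTION, OLD_INFECTION, FRESH_CVE, OLD_CVE, RECENT_LEAK, ANCIENT_LEAK]
SAMPLE_DYNAMIC = {"infrastructure": 70.0, "typosquatting": 90.0}  # latest scan results

if __name__ == "__main__":
    total, label, per_index = score_organization(SAMPLE_FINDINGS, SAMPLE_DYNAMIC, TODAY)
    print(f"Risk Score {total:.2f} ({label})")
    for name, value in per_index.items():
        print(f"  {name:15s} {value:6.2f}  weight {WEIGHTS[name]:.2f}")
    # Same effort, very different payoff: the 40% weight makes the infection the priority.
    print("fix fresh infostealer: +%.1f" % remediation_gain(SAMPLE_FINDINGS, SAMPLE_DYNAMIC, TODAY, FRESH_INFECTION))
    print("patch fresh CVE:       +%.1f" % remediation_gain(SAMPLE_FINDINGS, SAMPLE_DYNAMIC, TODAY, FRESH_CVE))
```

Running it scores the constructed organization at 56.25 (MEDIUM) and shows why this section says to hunt infostealers first: removing the fresh infection (60 index points) gains 24 composite points, while patching the fresh CVE (20 index points) gains only 4, purely because of the 40% versus 20% weights. It also shows the two decay regimes at work: the three-year-old leak contributes effectively nothing after roughly 36 Heavy half-lives, while the year-old CVE still costs half its original impact after one Moderate half-life, and the two dynamic indices enter the sum exactly as scanned.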
