Product · January 18, 2026 · 7 min read

Understanding the PentestCheck Threat Score: A 0–10 Risk Quantification Model

A detailed breakdown of how the Threat Score is calculated — CVSS severity weighting, finding density, asset exposure, and attack surface breadth — and how to interpret your score as an actionable risk posture signal.

The Threat Score is a single number between 0.0 and 10.0 that represents your external attack surface's current risk posture. It is not a pass/fail grade — it is a continuous signal designed to move over time as your security posture improves or degrades.

This post explains exactly how it's calculated and how to use it operationally.

Why a Unified Score?

Security programs generate enormous amounts of data: hundreds of findings, dozens of assets, multiple severity tiers. The challenge is turning that data into a signal that executives, engineers, and security teams can all interpret the same way.

The Threat Score solves this by collapsing multi-dimensional risk data into a single operationally useful number while preserving the ability to drill into components.

It is modeled on CVSS (Common Vulnerability Scoring System) but extended to account for asset exposure and attack surface breadth — dimensions that CVSS does not consider.

The Scoring Formula

The Threat Score is computed as:

ThreatScore = Σ(FindingSeverityWeight × ExposureFactor) / NormalizationConstant

Where:

FindingSeverityWeight maps CVSS severity tiers to weighted values:

CVSS Range    PentestCheck Severity    Weight
9.0–10.0      CRITICAL                 10.0
7.0–8.9       HIGH                      6.5
4.0–6.9       MEDIUM                    3.0
0.1–3.9       LOW                       1.0
0.0           INFO                      0.1

ExposureFactor adjusts for how reachable the vulnerable asset is:

Asset Type                           Exposure Multiplier
Internet-facing, no auth required    1.0
Internet-facing, authenticated       0.75
Internal service, authenticated      0.4
Development/staging environment      0.6

NormalizationConstant scales the result to a 0–10 output based on the number of assets in scope and their total potential maximum score.

Score Interpretation

Score       Posture     What It Means
0.0–1.9     Strong      No critical or high findings. Limited medium exposure.
2.0–3.9     Good        High findings present but limited in scope. Remediation in progress.
4.0–5.9     Fair        Multiple high findings or one unmitigated critical. Needs attention.
6.0–7.9     At Risk     Active critical exposure or multiple unmitigated highs. Urgent.
8.0–9.4     Critical    Multiple critical findings. Immediate response required.
9.5–10.0    Severe      Active exploitation likely. Emergency response protocol.

A score of 9.4 (PentestCheck's own demo target) indicates a surface with multiple critical findings — typical of an organization that has deployed cloud infrastructure rapidly without systematic security review.

Score Components — Drill-Down

Every score has three sub-components visible in the dashboard:

Vulnerability Score (0–10): The weighted aggregate of all active findings. Dominates the Threat Score. Drives down as findings are remediated.

Exposure Score (0–10): The breadth and accessibility of your external attack surface. More internet-facing assets = higher base exposure. Decreases as you reduce unnecessary exposure (closing ports, requiring auth on admin panels).

Hygiene Score (0–10, inverted): Measures absence of good practices: missing security headers, expired certificates, outdated dependencies, no HTTPS enforcement. This is your "low-hanging fruit" score — easy wins that immediately improve posture.

The overall Threat Score is a weighted combination:

ThreatScore = (Vulnerability × 0.60) + (Exposure × 0.25) + (Hygiene × 0.15)
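The scoring formula above and this weighted combination, worked through in Python as an added example (not PentestCheck's code). The post does not define NormalizationConstant, so it is assumed here to be the number of in-scope assets, which makes one CRITICAL, internet-facing, unauthenticated finding per asset saturate the 0–10 range; the Finding class, the asset-type keys and the sample findings are constructed for the example.

```python
from dataclasses import dataclass

# Severity weights and exposure multipliers exactly as tabulated in the post.
SEVERITY_WEIGHT = {"CRITICAL": 10.0, "HIGH": 6.5, "MEDIUM": 3.0, "LOW": 1.0, "INFO": 0.1}
EXPOSURE_FACTOR = {
    "internet_no_auth": 1.0,   # Internet-facing, no auth required
    "internet_auth": 0.75,     # Internet-facing, authenticated
    "internal_auth": 0.4,      # Internal service, authenticated
    "dev_staging": 0.6,        # Development/staging environment
}

@dataclass
class Finding:
    cvss: float       # CVSS base score, 0.0-10.0
    asset_type: str   # one of the EXPOSURE_FACTOR keys (constructed key names)

def severity_tier(cvss: float) -> str:
    """Map a CVSS base score to the post's severity tier (boundaries from the table)."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    if cvss > 0.0:
        return "LOW"
    return "INFO"

def vulnerability_score(findings: list[Finding], assets_in_scope: int) -> float:
    """Sum(FindingSeverityWeight x ExposureFactor) / NormalizationConstant, capped at 10.
    Assumption (the post does not define the constant): it equals the number of
    in-scope assets, so one CRITICAL, unauthenticated, internet-facing finding
    per asset (10.0 x 1.0) is enough to saturate the 0-10 range."""
    weighted = sum(SEVERITY_WEIGHT[severity_tier(f.cvss)] * EXPOSURE_FACTOR[f.asset_type]
                   for f in findings)
    normalization_constant = max(assets_in_scope, 1)
    return min(10.0, weighted / normalization_constant)

def threat_score(vulnerability: float, exposure: float, hygiene: float) -> float:
    """Overall score: the 0.60 / 0.25 / 0.15 weighting given in the drill-down section."""
    return vulnerability * 0.60 + exposure * 0.25 + hygiene * 0.15

if __name__ == "__main__":
    # Constructed sample: four assets, five findings spanning every tier and asset type.
    sample = [Finding(9.8, "internet_no_auth"), Finding(7.5, "internet_auth"),
              Finding(5.3, "internal_auth"), Finding(2.0, "dev_staging"), Finding(0.0, "internet_no_auth")]
    v = vulnerability_score(sample, assets_in_scope=4)
    print(f"vulnerability={v:.2f} threat={threat_score(v, 6.0, 2.0):.2f}")
```

Because the cap applies after normalization, three criticals on a single asset still read as 10.0: the score saturates rather than distinguishing "bad" from "worse" at the top of the range.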

Score Dynamics Over Time

The Threat Score is a snapshot, not a permanent label. It changes as:

The score history graph in your dashboard shows the trajectory. A score that trends down over 90 days demonstrates program effectiveness to security leadership and auditors.

Using the Score in Practice

Setting a Target Score

Most organizations target a score ≤ 3.0 for their production surface. This typically means:

SLA Framework Based on Score

Map your remediation SLA to finding severity and current score:

Severity    SLA at Score < 4.0    SLA at Score ≥ 4.0
CRITICAL    24 hours              4 hours
HIGH        7 days                48 hours
MEDIUM      30 days               14 days
LOW         90 days               60 days

When your score is elevated, you are in a degraded security posture — SLAs should shorten accordingly.

Reporting to Leadership

The Threat Score translates directly to board-level communication:

"Our external Threat Score this quarter moved from 6.2 to 3.4. We remediated 3 critical findings, closed 2 unauthenticated admin panels, and implemented HTTPS enforcement across all assets. Target for Q3 is ≤ 2.5."

This is more useful than "we resolved 47 security tickets" because it conveys risk posture in context, not activity volume.

What the Score Does Not Measure

The Threat Score covers your external attack surface — what attackers can see and probe from the internet. It does not measure:

It is one component of a complete security program, not a comprehensive organizational risk score.


Your Threat Score updates after every scan. Start a free scan today and see your baseline in under 5 minutes.