
Custom Risk Score - Configure


Before starting

This guide is for Nucleus administrators who want to set up a Custom Risk Score model. Before beginning, ensure you have Administrator access in Nucleus and are working in the new UI (where the feature is available).

Accessing the Custom Risk Score Settings:

To create your custom scoring model, navigate to Project Administration > Risk Settings for the relevant project (you must be an Org Admin to access this). In the Risk Settings area, you will find a “Custom Risk Score” section or tab. (If you have an Advantage-tier license but do not see this option, it may need to be enabled for your organization – contact support in that case.)

Note: Custom Risk Score can be configured per project. You can define different scoring schemes for different projects/environments if needed, or set up one model and use it across all projects (by configuring each).

Step 1 – Enable and Name Your Score:

In the Custom Risk Score settings, start by enabling the feature (if it’s not already active) for the project. You’ll be prompted to give your risk model a Name. Choose a name that is meaningful to your team – for example, “Acme Corp Risk Score v1” or “Custom Risk Model 2025.” This name may be displayed in some reports or tooltips, and it helps distinguish your score from the default Nucleus score. Naming the score is especially useful for future reference, as more custom models or versions might be introduced.

Step 2 – Define Score Range and Levels:

Next, configure the scoring range and levels (risk categories) for your model. By default, Nucleus uses a 0 to 1000 score and four risk levels: Low, Medium, High, Critical. With Custom Risk Score, you can adjust this to whatever you want:

  • Score Range: Set the minimum and maximum possible score. Common choices are 0–1000 or 0–100 for a simpler percentage-style scale. You might choose a smaller range if you want simpler numbers, but using 0–1000 offers more granularity.

    • Note: Risk scores can be calculated in decimals if you want to create a CVSS-style 1–10 scoring scale.

  • Risk Levels: Define the number of risk categories and their thresholds. You could stick to the classic four (Low/Med/High/Critical) or create a custom set (e.g. “P0, P1, P2, P3”). For each level, specify the numeric range it covers. For example, you might decide: 0–299 = Low, 300–599 = Moderate, 600–799 = High, 800–1000 = Critical (or whatever breakdown fits your risk appetite). These levels will be used in the UI downstream, such as in Automation Rules.

Note: These risk levels are often used to align with an internal vulnerability management (VM) prioritization strategy, and they can be leveraged in the Nucleus Console to take automated actions.

Step 3 – Set Base Scores by Severity:

Now define the base score calculation – essentially, how a vulnerability’s initial risk score is determined before applying any context adjustments. In most cases, you will map vulnerability Severity to a base value. For example: you could assign Critical vulnerabilities a base of 700 points, High = 500, Medium = 300, Low = 100 (on a 0–1000 scale). This mapping is your starting point and reflects the inherent seriousness of a vuln based on scanner data or CVSS. If your organization relies on CVSS numeric values, you might alternatively use the CVSS score directly or scaled (for instance, treat CVSS 10.0 as 1000, CVSS 5.0 as 500, etc.). The interface will let you choose a field as the base input – most choose the overall severity or CVSS score field – and then assign how that translates into your custom risk score.

  • If using Severity (categorical): assign a base score for each severity level. You’ll likely see a list of severities (Critical/High/Medium/Low/Info) and a box to input the base score for each. Fill these in according to how much relative weight you want severity to carry. (Tip: Think of these as the score a finding would get if none of the special context factors applied.)

  • If using a numeric field (e.g. CVSS): you may specify a direct formula or mapping. For instance, multiply the CVSS v3 base score by 100 to project it onto the 0–1000 scale. Or, if using a 0–10 custom range, CVSS might map 1:1. Ensure the mapping is clear and yields values within your allowed range.

At this stage, you’ve essentially defined a “baseline risk” for each vulnerability based on its own attributes (intrinsic severity). Next, we’ll factor in the context via adjusters and overrides.

Step 4 – Configure Adjusters (Contextual Rules):

Adjusters are rules that modify the base score up or down to account for your asset context, threat intelligence, and any other factors. This is where the power of Custom Risk Score really shines – you can use any field in Nucleus (asset fields, finding fields, tags, threat flags, etc.) as criteria in these rules.

When adding an adjuster, you will typically: choose a field or condition, set a threshold or value for that condition, and then specify how much to add or subtract from the base score if the condition is met. You can create multiple adjuster rules; they will be applied in order to each finding’s base score.

Examples of adjusters:

  • Asset Criticality: If Asset Criticality = “High”, add 100 (makes vulns on high-value assets score higher). Conversely, if Asset Criticality = “Low”, you might subtract 50.

  • Public Exposure: If Asset is External (Internet-Facing), add 150 (internet-facing assets get a risk boost due to exposure).

  • Threat Intel – Exploited: If “Known Exploited Vulnerability (KEV) = true”, add 200. This means any vuln with confirmed exploits in the wild gets a significant bump.

  • Threat Intel – Likelihood: If EPSS ≥ 0.5, add 50 (adjust based on Exploit Prediction Scoring System probability; higher EPSS increases risk slightly).

  • Age of Vulnerability: If days_open > 180 days, add 50 (older unpatched findings get a small increase, representing lingering risk).

  • Compensating Control: If Vulnerability Status = “Accepted Risk”, subtract 100 (or even set to 0 if you want to effectively drop these from priority).

  • Asset Environment: If Asset Tag contains “Dev”, subtract 50 (non-production/dev environment findings might be lower priority).

These are just examples – you can tailor adjusters to virtually any data point that matters to you. In the future, adjusters will be scoped by severity or risk level if needed (for instance, you might apply certain adjusters only to High-severity vulns, or apply a larger bump for lower-severity items to ensure they get attention in certain cases). The Custom Risk Score builder UI provides an intuitive form to add each rule. For each adjuster rule, fill in the condition (field and criteria) and the “+/-” value. You can add as many adjusters as needed, but we recommend starting with a focused set of the most important factors (see Best Practices below).

Pro Tip: The order of adjusters can matter if you have many rules – however, in most cases the adjustments are simply cumulative. Be mindful of the total score after all adjustments; if multiple conditions are true for one finding, the adds/subtracts will all apply. The system will cap the score at your defined max and min, so it won’t exceed the range. Use negative adjusters for downgrading risk in context, but avoid subtracting so much that important issues drop off the radar entirely.

Step 5 – Define Asset/Project Risk Aggregation:

After setting how individual finding risk is calculated, you can specify how that translates into asset-level and project-level risk. In other words, given an asset with many findings, what will its overall risk score be? And for a project (environment) containing many assets, what is the overall risk? Nucleus’s default behavior has been to roll up risk by considering the highest finding on the asset, but with customization you may have options. In the Custom Risk Score settings, look for Aggregation Settings or Asset/Project Risk configuration:

  • You might be given a choice of aggregation method (e.g. “Use highest vulnerability score as asset risk” vs. “Calculate asset risk as cumulative” or weighted). Initially, the system may only support one method (often the highest score wins, which is a common approach), with more methods to come. If multiple options are available, select the one that fits your risk philosophy. For example, highest-vuln means an asset with one Critical vuln is considered Critical risk (simple and conservative), whereas a cumulative/average model might reflect assets with numerous Medium vulns as also high risk due to volume.

  • Configure project-level risk similarly. Often, project or enterprise risk can be taken as the “worst asset” or some aggregate of asset scores. Again, if options are present, choose how you want the project’s risk score calculated from its assets. This might be as straightforward as taking the top asset’s score, or a weighted sum/average. The goal is to have a meaningful single number that represents the overall risk of that scope.

If the UI does not yet expose multiple modes (Nucleus is planning to add more aggregation modes soon), you may simply see a statement of how aggregation works by default. Make sure you understand that default (e.g. “Asset risk will equal the highest vulnerability risk on that asset”). Align your expectations accordingly, and know that future updates may allow more flexibility here.

Step 6 – Review and Save:

Before finalizing, review the entire scoring logic you’ve built. The Custom Risk Score builder provides a visual summary of your model – you should be able to see something like a formula or list of rules that shows how the score is computed from base through adjusters (and any overrides). Double-check that the rules make sense and there are no conflicts.

The interface offers a “simulate” function; use it. Input sample data (or pick an example vulnerability from your project) to see what score would be produced. This is extremely useful for validating that your logic works as intended. For instance, test a known critical vuln on a critical asset and ensure it indeed comes out in the top range, and test a low-priority vuln to ensure it stays low. If the simulation reveals something off (maybe all your scores are too high, or a certain factor isn’t having the effect you expected), adjust the rules accordingly.

Once satisfied, click Save to apply the custom model. Nucleus will begin calculating the Custom Risk Score for all findings in the project. This recalculation might take a short time (seconds to minutes depending on volume), but in general it’s designed to update very quickly across the platform. After saving, your new risk scores will propagate to the various views and features of Nucleus.
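The following script is an added worked example, not Nucleus code, that reproduces the model built in Steps 2–5 (0–1000 range, four levels, severity-based base scores, the example adjusters, highest-wins aggregation) so you can sanity-check your weights offline before using the built-in simulate function. The Finding fields, the adjuster names and the three sample findings are assumptions constructed for the example; they are not Nucleus field names.

```python
"""Offline simulator for a Custom Risk Score model (added example, not Nucleus code).

Mirrors the configuration steps: range and levels (Step 2), base score by
severity (Step 3), additive adjusters clamped to the range (Step 4), and
highest-finding-wins aggregation for assets and the project (Step 5).
Field names and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable

# Step 2: score range and risk levels (lower bound, label), highest first
SCORE_MIN, SCORE_MAX = 0, 1000
RISK_LEVELS = [(800, "Critical"), (600, "High"), (300, "Moderate"), (0, "Low")]

# Step 3: base score per scanner severity
BASE_BY_SEVERITY = {"Critical": 700, "High": 500, "Medium": 300, "Low": 100, "Info": 0}


@dataclass
class Finding:
    """One vulnerability instance with the context an adjuster can look at (assumed fields)."""
    name: str
    asset: str
    severity: str
    asset_criticality: str = "Medium"
    external: bool = False          # internet-facing asset
    kev: bool = False               # known exploited vulnerability
    epss: float = 0.0               # exploit prediction probability 0..1
    days_open: int = 0
    status: str = "Active"
    tags: tuple = ()


# Step 4: adjusters as (label, condition, +/- delta); applied cumulatively in order
ADJUSTERS: list[tuple[str, Callable[[Finding], bool], int]] = [
    ("asset criticality High", lambda f: f.asset_criticality == "High", +100),
    ("asset criticality Low", lambda f: f.asset_criticality == "Low", -50),
    ("internet-facing asset", lambda f: f.external, +150),
    ("known exploited (KEV)", lambda f: f.kev, +200),
    ("EPSS >= 0.5", lambda f: f.epss >= 0.5, +50),
    ("open > 180 days", lambda f: f.days_open > 180, +50),
    ("accepted risk", lambda f: f.status == "Accepted Risk", -100),
    ("dev environment tag", lambda f: "Dev" in f.tags, -50),
]


def clamp(score: int) -> int:
    """Cap the cumulative score to the configured range (the 'Pro Tip' behaviour)."""
    return max(SCORE_MIN, min(SCORE_MAX, score))


def risk_level(score: int) -> str:
    """Map a numeric score to its risk level using the Step 2 thresholds."""
    for lower, label in RISK_LEVELS:
        if score >= lower:
            return label
    return RISK_LEVELS[-1][1]


def score_finding(f: Finding) -> tuple[int, list[str]]:
    """Return (clamped score, list of adjusters that fired) for one finding."""
    score = BASE_BY_SEVERITY[f.severity]
    applied = []
    for label, matches, delta in ADJUSTERS:
        if matches(f):
            score += delta
            applied.append(f"{label} ({delta:+d})")
    return clamp(score), applied


def asset_risk(findings: list[Finding]) -> int:
    """Step 5 default: asset risk equals its highest finding score."""
    return max((score_finding(f)[0] for f in findings), default=SCORE_MIN)


def project_risk(findings: list[Finding]) -> int:
    """Step 5 default: project risk equals its worst asset."""
    by_asset: dict[str, list[Finding]] = {}
    for f in findings:
        by_asset.setdefault(f.asset, []).append(f)
    return max((asset_risk(fs) for fs in by_asset.values()), default=SCORE_MIN)


# Constructed sample findings: a worst case, a best case and a mid case
SAMPLE_FINDINGS = [
    Finding("critical RCE", "web-01", "Critical", asset_criticality="High",
            external=True, kev=True, epss=0.9, days_open=10),
    Finding("info disclosure", "dev-build-03", "Low", asset_criticality="Low",
            status="Accepted Risk", tags=("Dev",)),
    Finding("stale medium", "db-02", "Medium", asset_criticality="Low",
            epss=0.6, days_open=200),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        score, applied = score_finding(f)
        print(f"{f.name:18} {score:4d} {risk_level(score):9} {applied}")
    print("project risk:", project_risk(SAMPLE_FINDINGS))
```

The applied-adjuster list returned by score_finding is the piece to keep: it answers "why is X scored as Y?" for a given finding, and running the sample shows the clamp in action (the first finding sums to 1200 but is capped at 1000, the second goes negative and is floored at 0).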

Final Tip: While configuring, document your decisions. It helps to keep notes on why you set certain weights or thresholds – this can be added in an internal wiki. This way, if colleagues ask “why is X scored as Y?”, you have the rationale at hand. Plus, if you revisit the model later, you’ll recall your strategy.

If you have any further questions, please reach out to your success manager or [email protected].