Documentation Index

Fetch the complete documentation index at: https://help.nucleussec.com/llms.txt

Use this file to discover all available pages before exploring further.

Custom Risk Score Overview


What is Custom Risk Score?

Custom Risk Score is an advanced feature that allows you to define your own vulnerability risk scoring model in Nucleus. By default, Nucleus calculates a unified risk score (0–1000 scale) for each vulnerability instance by combining scanner-provided severity, exploit intelligence, and asset context. This built-in scoring is powerful, but some organizations have unique criteria for risk that go beyond the standard model. Custom Risk Score lets you take full control: you configure how risk is calculated, so the platform’s prioritization aligns exactly with your organization’s priorities and definitions of risk.

Why Use a Custom Risk Score?

Many vulnerability managers and security leaders want to tailor risk calculations to their business context. With Custom Risk Score, Nucleus effectively becomes your risk engine instead of a black box. You can incorporate factors that matter most to you and exclude those that don’t. For example, if your team has its own formula or risk rating system developed in spreadsheets or GRC tools, you can now implement that logic directly in Nucleus. This ensures that the “high-risk” items Nucleus highlights truly reflect your criteria for high risk, enhancing credibility and focus. In short, Custom Risk Score solves the problem of one-size-fits-all scoring by letting you define risk your way.

Who Can Use Custom Risk Score?

Advantage Feature

This feature is available to customers on the Advantage subscription package (it is hidden for Standard tier users).

Additionally, because of its powerful impact on how data is prioritized, only users with Administrator rights can create or modify a custom score model.

Finally, Custom Risk Score is part of the new Nucleus UI and is initially launched as an open beta for Advantage customers as of late 2025. (If you don’t see this feature and you’re an Advantage customer, contact your Nucleus team to have it enabled.)

Key Capabilities:

Custom Risk Score is comprehensive. In summary, this module allows you to:

  • Build custom scoring logic with rules. Define exactly how vulnerability risk scores are calculated using a rules-based approach (no coding needed). You decide which inputs (fields) contribute to the score and how they contribute.

  • Set your own score range and levels. Configure the scoring scale and risk categories that make sense for your organization. For example, you might keep the Nucleus 0–1000 scale with Low/Medium/High/Critical levels, or define a different range and custom level names. These risk level thresholds drive color-coding and reports, and you control where they fall.

  • Establish base scores by severity (or other criteria). Choose an initial base score for findings, typically mapped from vulnerability severity. For instance, you could start Critical-severity vulns at 800 points, High at 600, Medium at 300, etc., or use CVSS scores directly. This baseline reflects how severe the vulnerability is before considering context.

  • Add dynamic adjusters. Create adjustments (positive or negative) that modify a finding’s score based on asset attributes, threat intel, or any field in Nucleus. For example, you might add +200 points if an asset is internet-facing or if an exploit is known (KEV=true), subtract points if the asset is in a segmented network, or set a minimum score for certain asset classes. These adjusters let you encode business context – they’re essentially if/then rules that fine-tune the risk score calculation.

  • Define score aggregation logic. Control how risk rolls up from individual findings to higher levels such as assets or projects. By default, Nucleus prioritizes using a combination of vulnerability score and asset score. With Custom Risk Score, you configure how an asset’s overall risk is derived from all of its vulns, and likewise how project or environment risk is determined (for example, whether an asset’s risk equals its highest vulnerability score, a cumulative sum, or another formula; more aggregation options will be added over time).

  • Use the score throughout Nucleus. Once defined, your custom score is used throughout the platform: in dashboards, reports, the Top Risks and Vulnerabilities pages, automation rules, SLA policies, and more. In essence, everywhere you would see or use the Nucleus Risk Score, you’ll now see your custom score instead (so long as the custom model is active for the project).

  • Real-time updates and transparency. The scoring engine recalculates risk across all findings as soon as you save a change to the model, so you can edit the model and immediately see the new outcomes across millions of vulnerabilities. Because automation rules and SLA policies consume the same score, saving a model change also changes which findings those rules and policies match, so review a model before activating it for a project. Every score is traceable: you can see which base score and which adjuster conditions produced it, which makes the logic straightforward to explain to stakeholders. There is no black-box score; every point is backed by a rule you defined.
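The following is an added illustrative model of the scoring rules described in this list; it is not Nucleus code and not the platform’s rules engine (Custom Risk Score is configured in the UI, not in code). It shows what a base-by-severity table, if/then adjusters (additive deltas and a minimum-score floor), a clamped score range with level thresholds, and per-asset aggregation (highest score or cumulative sum) compute for a set of findings, and it records a per-finding trace of every rule that fired, mirroring the transparency point above. All field names, point values, thresholds and sample findings are constructed assumptions chosen to match the examples in the text.

```python
"""Illustrative rule-based risk scoring model (added example, not Nucleus code).

Assumed inputs: a finding dict with 'severity', 'kev' and an 'asset' dict
carrying 'internet_facing', 'segmented' and 'asset_class'. All values below
are constructed to mirror the examples in the documentation text.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed score range and level thresholds (lower bounds, highest first).
SCORE_MIN, SCORE_MAX = 0, 1000
LEVELS = [(800, "Critical"), (600, "High"), (300, "Medium"), (0, "Low")]

# Assumed base score by scanner severity, following the text's example values.
BASE_BY_SEVERITY = {"Critical": 800, "High": 600, "Medium": 300, "Low": 100, "Info": 0}


@dataclass
class Adjuster:
    """One if/then rule: when condition(finding) holds, add delta and/or enforce a floor."""
    name: str
    condition: Callable[[dict], bool]
    delta: int = 0               # points to add (negative to subtract)
    floor: Optional[int] = None  # minimum score enforced when the condition holds


# Assumed adjusters mirroring the text: internet-facing, known exploited (KEV),
# segmented network, and a minimum score for a hypothetical asset class.
ADJUSTERS = [
    Adjuster("internet_facing", lambda f: f["asset"].get("internet_facing") is True, delta=200),
    Adjuster("known_exploited", lambda f: f.get("kev") is True, delta=200),
    Adjuster("segmented_network", lambda f: f["asset"].get("segmented") is True, delta=-150),
    Adjuster("crown_jewel_floor", lambda f: f["asset"].get("asset_class") == "crown_jewel", floor=400),
]


def level_for(score: int) -> str:
    """Map a score to its risk level using the descending LEVELS thresholds."""
    for bound, name in LEVELS:
        if score >= bound:
            return name
    return LEVELS[-1][1]


def score_finding(finding: dict, adjusters=ADJUSTERS) -> Tuple[int, str, List[str]]:
    """Return (score, level, trace); the trace lists base, each fired rule, and clamping."""
    score = BASE_BY_SEVERITY[finding["severity"]]
    trace = [f"base[{finding['severity']}]={score}"]
    for adj in adjusters:
        if not adj.condition(finding):
            continue
        if adj.delta:
            score += adj.delta
            trace.append(f"{adj.name}:{adj.delta:+d}")
        if adj.floor is not None and score < adj.floor:
            trace.append(f"{adj.name}:floor {score}->{adj.floor}")
            score = adj.floor
    clamped = max(SCORE_MIN, min(SCORE_MAX, score))  # keep within the configured range
    if clamped != score:
        trace.append(f"clamp {score}->{clamped}")
    return clamped, level_for(clamped), trace


def aggregate_asset(scores: List[int], method: str = "max") -> int:
    """Roll finding scores up to an asset: highest score, or a sum capped at SCORE_MAX."""
    if not scores:
        return SCORE_MIN
    if method == "max":
        return max(scores)
    if method == "sum":
        return min(SCORE_MAX, sum(scores))
    raise ValueError(f"unknown aggregation method: {method}")


def score_all(findings: List[dict], method: str = "max") -> Tuple[Dict[str, tuple], Dict[str, int]]:
    """Score every finding, then aggregate per asset with the chosen method."""
    per_finding = {f["id"]: score_finding(f) for f in findings}
    by_asset: Dict[str, List[int]] = {}
    for f in findings:
        by_asset.setdefault(f["asset"]["name"], []).append(per_finding[f["id"]][0])
    asset_scores = {name: aggregate_asset(s, method) for name, s in by_asset.items()}
    return per_finding, asset_scores


# Constructed sample assets and findings (not real data).
WEB = {"name": "web-01", "internet_facing": True, "segmented": False, "asset_class": "standard"}
DB = {"name": "db-01", "internet_facing": False, "segmented": True, "asset_class": "crown_jewel"}
FINDINGS = [
    {"id": "F1", "asset": WEB, "severity": "Critical", "kev": True},
    {"id": "F2", "asset": WEB, "severity": "Medium", "kev": False},
    {"id": "F3", "asset": DB, "severity": "Low", "kev": False},
    {"id": "F4", "asset": DB, "severity": "Medium", "kev": False},
]

if __name__ == "__main__":
    for method in ("max", "sum"):
        per_finding, asset_scores = score_all(FINDINGS, method)
        print(f"--- aggregation: {method}")
        for fid, (score, level, trace) in per_finding.items():
            print(f"{fid}: {score} {level}  <- {' | '.join(trace)}")
        for name, score in asset_scores.items():
            print(f"asset {name}: {score} {level_for(score)}")
```

Two things worth noticing when you run it: the trace for F3 shows a negative intermediate score rescued by the asset-class floor, which is why a floor adjuster is placed after the subtractive ones; and switching the aggregation method from highest score to cumulative sum moves db-01 from Medium to Critical without any finding changing, which is the kind of effect to check before activating a model for a project.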

More information on how to configure the risk score: Custom Risk Score - Configure

When to Use It:

For mature VM programs with established risk methodologies, Custom Risk Score is a game-changer. It’s ideal if you’ve outgrown generic CVSS-based prioritization or if you need to align vulnerability management with a broader enterprise risk model. That said, even newer programs can use it to gradually incorporate business context. We recommend enabling Custom Risk Score when you have a clear idea of what “critical risk” means for your organization (or you’re ready to develop that criteria). The next sections will show you how to configure your custom model and get the most out of it.

More information on how to leverage custom risk scoring in your organization: Custom Risk Score - Operationalize