Risk Score Calculation from Vulnerability Calculators

PIYUSH CHANDRA
Tera Contributor

Can we calculate the risk score by having a field value as a range in the risk calculator criteria, and not an exact value? For example, x field value is 0.8, so instead of that can we have the field value as 0.7-0.9? I am taking it as a range and it's not working; I mean the weightage is not being considered, as it is when taking an exact value. So if there's any feasibility to take the value as a range instead of an exact value, please let me know. Any lead would be appreciated. Thank you!


andy_ojha
ServiceNow Employee

Hey there - this looks like you might be wanting to use ranges for EPSS to influence the overall Risk Score with the "Risk Rule" approach.

Baseline, once you have the CISA KEV Store Application installed, that will bring in the EPSS values, which you can then use in your Risk Rule (weighted) Risk Score Calculator, and leverage the ranges to determine the weighting.

https://www.servicenow.com/docs/bundle/zurich-security-management/page/product/secops-integration-vr...

https://www.servicenow.com/docs/bundle/zurich-security-management/page/product/secops-integration-vr...

If needed, you can also use the EPSS value changing -> to signal a re-evaluation of Risk Score on Vulnerable Items (optional) later on as well.

https://www.servicenow.com/docs/bundle/zurich-security-management/page/product/secops-integration-vr...

Does the thing work while having values in a range? Because I have made a custom field EPSS having string as a data type, but it's not working, i.e. the risk calculator is not taking its weightage into consideration. Could you please tell me where I am lagging? Because, according to me, what you told is the source from where EPSS comes up, but does that really work if the value is in a range? Because apart from that, CVSS Base Score is the custom field which I am using in that, as well as values in a range. Please suggest on this.

I am using a custom field EPSS having value in range, but it is not working as expected. As such, vulnerability calculator is not taking weightage into account. As such you told me about the source from where the value can come for EPSS, but does it really work? As such I had one more field CVSS Base Score having value in range, but weightage is not considered while calculating risk score. Please suggest on this, so that I can proceed further on the steps which I can take to achieve that.