
Vulnerability Risk Calculator - Use Source Risk Score instead of Vulnerability Severity?

Kevin Lillis
Tera Expert

Hi,

We currently use Source Risk Score from Qualys (Qualys Detection Score; QDS) to do a direct map to our Risk Score in ServiceNow. QDS combines the severity of the vulnerability with other Threat Intelligence to get that Risk Score. Quite frequently we see a score start at 50, but once intel has discovered it is actively being exploited, the QDS score changes to something higher (ex. 80).

We want to enhance that existing QDS score to include Asset/Business related factors (ex. Business Criticality and/or External Facing). 

So we are attempting to use the OOTB Risk Calculators in ServiceNow.  We want to be able to keep our existing Risk Score number and take a percentage of that (ex. 60%) and add in a percentage of Business Criticality (ex. 25%) as well as Externally Facing (ex. 15%).

However, every example I have seen on how to use the Risk Calculators uses 'Vulnerability Severity'.  That won't work for two reasons:
1. Vulnerability Severity is not an exact match with the QDS Score.  In the example below, 5 of the 6 rows show 'Severity' different than the associated real ranking of 'Source Risk Score' we use today.

2. I could use 'Source Risk Score' as one of the fields, but it would require me to program the entire range of values (as seen below).  I was hoping there would be an easier way to do that.

  • Default : 50, Empty String : 0, 1 : 1, 2 : 2, 3 : 3, ... , 99 : 99, 100 : 100

Also of note, we want to keep the integrity of the QDS score using our Risk Rating ranges. What I mean by that is our Risk Rating ranges are as follows:

  • Low: 0 - 39
  • Medium: 40 - 69
  • High: 70 - 89
  • Critical: 90 - 100

So it is important to us, as we are applying Business Criticality and Externally Facing, to NOT take the 'average' score for that range. Example: a HIGH 70 is different than a HIGH 89. If the asset it is on is Business Critical and Externally Facing, these are the scores for both, as well as the 'average':

  • 70*.60 + 100*.25 + 100*.15 = 42+25+15 = 82; HIGH
  • 80*.60 + 100*.25 + 100*.15 = 48+25+15 = 88; HIGH
  • 89*.60 + 100*.25 + 100*.15 = 53.4+25+15 = 93.4; CRITICAL

Is there an easy way to do this without hardcoding the 101 Source Risk Scores?


If not, perhaps this could be a future enhancement?


Dave Winsor
Giga Expert

I am doing the exact same thing but with Tenable VPR and map a range of the VPR to an equivalent point value within the Risk Calculator. We also have an asset scoring methodology maintained in our CMDB which also follows a % score mapping in our Risk Calculators. Attached is a screenshot of an example.


Be careful about including too many conditions in a single calculation as well. The more you use, the greater the risk that you unintentionally deflate your scores. For example, if you use the 'external' flag as 15% of your overall score, all the non-external things have a 15% lower maximum. Instead, consider using the Conditions to set up multiple risk calculators for different scenarios, leveraging both the condition builder and Order. Some options:

  • External Assets
  • Internal Assets w/ Asset Risk Score
  • Internal with no Asset Risk Score
  • Internal with no asset score and no VPR
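The weighting from the question (60% source score, 25% Business Criticality, 15% Externally Facing, with the Low/Medium/High/Critical bands) and the deflation effect Dave describes, as an added example that is not ServiceNow's Risk Calculator code or either poster's configuration; the 75/25 weighting used for internal assets is an assumption chosen only to show how a per-condition calculator avoids the lowered maximum.

```javascript
// Rating bands from the question (inclusive bounds).
const RATING_BANDS = [
  { name: 'Low', min: 0, max: 39 },
  { name: 'Medium', min: 40, max: 69 },
  { name: 'High', min: 70, max: 89 },
  { name: 'Critical', min: 90, max: 100 },
];

// Round to one decimal so 53.4 + 25 + 15 compares cleanly as 93.4.
function round1(x) {
  return Math.round(x * 10) / 10;
}

// Map a 0-100 score onto a rating name; out-of-range input is clamped.
function ratingFor(score) {
  const s = Math.min(100, Math.max(0, score));
  return RATING_BANDS.find(b => s >= b.min && s <= b.max).name;
}

// Single calculator from the question: the raw source score (e.g. QDS)
// keeps 60% of its weight, and each boolean asset factor adds up to 100
// points scaled by its weight. Internal assets can never exceed 85 here,
// which is the deflation Dave warns about.
function singleCalculator(sourceScore, businessCritical, external) {
  const bc = businessCritical ? 100 : 0;
  const ext = external ? 100 : 0;
  return round1(sourceScore * 0.60 + bc * 0.25 + ext * 0.15);
}

// Per-condition calculators: external assets use the question's weights;
// internal assets use a separate formula with no external term (assumed
// 75/25 split here), so a critical internal asset can still reach 100.
function conditionalCalculator(sourceScore, businessCritical, external) {
  const bc = businessCritical ? 100 : 0;
  if (external) {
    return round1(sourceScore * 0.60 + bc * 0.25 + 100 * 0.15);
  }
  return round1(sourceScore * 0.75 + bc * 0.25);
}

// Highest score a calculator can produce for a given external flag
// (source score 100, business critical) - compare 85 vs 100 for internal.
function maxScore(calc, external) {
  return calc(100, true, external);
}
```

Running `maxScore(singleCalculator, false)` returns 85 while `maxScore(conditionalCalculator, false)` returns 100, which is the gap a single blended calculator introduces for internal assets.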