Prioritizing vulnerabilities and other findings using roll-up calculators

  • Release version: Xanadu
  • Updated July 31, 2025
    After assessing risk calculators, use the roll-up calculators to configure how the cumulative risk scores are computed for remediation tasks and other higher entities.

    The base system includes the following roll-up calculators:
    • Discovered Application Rollup Calculator: Roll up the risk scores for all application vulnerable items with the same discovered application, to provide an overall risk score for the discovered application.
    • Vulnerability Entry Rollup Calculator: Roll up the risk scores for all vulnerable items with the same vulnerability entry, to provide an overall risk score for the vulnerability entry.
    • Discovered Item Rollup Calculator: Roll up the risk scores for all vulnerable items and test results with the same discovered item, to provide an overall risk score for the discovered items.
    • Remediation Task Rollup Calculator: Roll up the risk scores for all vulnerable items in a remediation task, to provide an overall risk score for the entire group of vulnerable items.
    • Configuration Test Rollup Calculator: Roll up the risk scores for all test results with the same configuration test, to provide an overall risk score for the configuration test.
    • Discovered Image Rollup Calculator: Roll up the risk scores for all container vulnerable items with the same discovered container image, to provide an overall risk score for the discovered container images.
    • Remediation Effort Rollup Calculator: Roll up the risk scores for all the records in a remediation effort, to provide an overall risk score for the entire effort.
    • Container Remediation Task Calculator: Roll up the risk scores for all container vulnerable items in a remediation task, to provide an overall risk score for the entire group of vulnerable items.
    • Application Remediation Task Calculator: Roll up the risk scores for all application vulnerable items in a remediation task, to provide an overall risk score for the entire group of vulnerable items.
    • Test Results Remediation Task Calculator: Roll up the risk scores for all test results in a remediation task, to provide an overall risk score for the entire group of vulnerable items.
    • Organization Risk Score Rollup: Roll up the risk scores for all vulnerable items and configuration issues in an organization, to provide an overall risk score for the entire organization in the unified dashboard.
    • Patch Update Rollup: Roll up the risk scores for all findings with the same patch update, to provide an overall risk score for the patch update.
    • Remediation Effort Rollup: Provides an overall risk score for the records within a remediation effort.

    Configuring roll-up calculators

    When configuring a roll-up calculator, you specify the weight given to each computed value in determining the cumulative risk score. The higher the weight, the more that value influences the rolled-up risk score.

    Note:
    When All active records is selected, all deferred findings are included in the rollup calculation for the remediation tasks. Understand the impact on the total calculation before selecting this option.

    How roll-up calculators work

    Roll-up calculators run a scheduled job every 15 minutes to update risk scores and other details for remediation tasks and findings. The risk score is recalculated when:
    • Findings risk scores, remediation targets, or statuses change.
    • Finding states change (for example, Open, Deferred, Closed).
    • Findings are added or removed from a remediation task.

    Example: Remediation Rollup Calculator

    Vulnerability roll-up calculator example: Consider a remediation task VUL324567, which has the following vulnerable items:
    • VIT1001 with a risk score of 30
    • VIT1002 with a risk score of 40
    • VIT1003 with a risk score of 50
    Also, consider the following weights in the vulnerability roll-up calculator:
    • Maximum risk score: 80
    • Average risk score: 5
    • Count of vulnerable items: 15
    Figure 1. Vulnerability rollup calculator example (the figure shows the calculator configured with a maximum risk score weight of 80, an average risk score weight of 5, and a count of vulnerable items weight of 15).

    In the Vulnerability rollup calculator example, the formula for determining the remediation task Risk Score is:

    (Maximum risk score /100) * 80 + (Average risk score /100) * 5 + (factor * 15)

    The factor is determined as follows:
    VI count      Factor
    < 10          0.2
    10–100        0.4
    101–1000      0.6
    1001–10000    0.8
    > 10000       1
    So, for the remediation task VUL324567:
    • The average risk score is 40
    • The maximum risk score is 50
    • The count of vulnerable items is 3, so the factor is 0.2

    The Risk Score would be 45: (50/100) * 80 + (40/100) * 5 + 0.2 * 15 = 40 + 2 + 3 = 45
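    The following is an added example, not ServiceNow code, that models the remediation task roll-up formula and factor table above in plain JavaScript and reproduces the VUL324567 walkthrough. The function names, the `state` field, and the rule that Closed findings never count while Deferred findings count only when "All active records" is selected are assumptions made for the example.

```javascript
// Added example (not ServiceNow's own code): a plain-JavaScript model of the
// Remediation Task Rollup Calculator formula. calcRollupRiskScore, countFactor,
// activeFindings and the finding `state` field are assumed names for this example.

// Factor by count of vulnerable items, following the VI count table on the page.
function countFactor(count) {
  if (count < 10) return 0.2;
  if (count <= 100) return 0.4;
  if (count <= 1000) return 0.6;
  if (count <= 10000) return 0.8;
  return 1;
}

// Selects the findings that enter the roll-up. Assumption: Closed findings never
// count; Deferred findings count only when "All active records" is selected.
function activeFindings(findings, allActiveRecords) {
  return findings.filter(function (f) {
    if (f.state === 'Closed') return false;
    if (f.state === 'Deferred') return allActiveRecords;
    return true;
  });
}

// weights = { max, avg, count } as configured on the roll-up calculator.
// Returns (max/100)*w.max + (avg/100)*w.avg + factor*w.count, or 0 with no items.
function calcRollupRiskScore(findings, weights, allActiveRecords) {
  var items = activeFindings(findings, allActiveRecords || false);
  if (items.length === 0) return 0;          // nothing to roll up
  var scores = items.map(function (f) { return f.riskScore; });
  var max = Math.max.apply(null, scores);
  var avg = scores.reduce(function (a, b) { return a + b; }, 0) / scores.length;
  return (max / 100) * weights.max
       + (avg / 100) * weights.avg
       + countFactor(items.length) * weights.count;
}

// Constructed sample data reproducing the VUL324567 walkthrough, plus one
// Deferred item (VIT1004, constructed) to show the "All active records" effect.
var weights = { max: 80, avg: 5, count: 15 };
var vul324567 = [
  { id: 'VIT1001', riskScore: 30, state: 'Open' },
  { id: 'VIT1002', riskScore: 40, state: 'Open' },
  { id: 'VIT1003', riskScore: 50, state: 'Open' },
  { id: 'VIT1004', riskScore: 90, state: 'Deferred' }
];

console.log(calcRollupRiskScore(vul324567, weights, false)); // 45, as on the page
console.log(calcRollupRiskScore(vul324567, weights, true));  // 77.625: the deferred item raises max and average
```

    Running it with "All active records" on shows why the page warns about that option: a single high-scoring deferred finding moves the task's score from 45 to 77.625.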

    Organizational risk score roll-up calculations

    The Organization Risk Score Rollup calculator calculates the overall risk score for an organization in the Unified Vulnerability Response Dashboard and Cybersecurity Executive Dashboard. It rolls up the risk scores for host vulnerable items, application vulnerable items, container vulnerable items, and configuration issues.

    To calculate the maximum risk score, the highest score among VIT, AVIT, test results, and CVIT is chosen. For example, if VITs have the highest score, that score is considered as the maximum risk score.

    Once the counts of VIT, AVIT, CVIT, and test results are obtained, they’re added and normalized using a count method. The resulting risk score is then multiplied by the count weight specified in the configuration.

    The same process is followed for calculating the average risk score: the risk scores for AVITs, configuration issues, test results, and the other finding types are summed, then divided by the total count to obtain the average risk score. Finally, all the weighted risk scores are added to derive the organization risk score.