Prioritizing vulnerabilities and other findings using roll-up calculators
Roll-up calculators in ServiceNow enable you to aggregate and prioritize risk scores for vulnerabilities and related findings across various entities such as applications, remediation tasks, and organizations. After assessing individual risk calculators, these roll-up calculators provide a cumulative risk score to help you understand overall risk levels and prioritize remediation efforts effectively.
Key Features
- Multiple Roll-up Calculators Included: The base system offers calculators for different entities including discovered applications, vulnerability entries, discovered items, remediation tasks, configuration tests, container images, remediation efforts, and organization-wide risk.
- Customizable Weighting: You can configure each roll-up calculator by assigning weights to components like maximum risk score, average risk score, and count of vulnerable items. This allows tailoring how each factor influences the overall risk.
- Scheduled Risk Score Updates: Roll-up calculations run every 15 minutes, recalculating risk scores when there are changes to findings, their statuses, or remediation tasks, ensuring up-to-date prioritization.
- Inclusion of Deferred Findings: Optionally include deferred findings in remediation task calculations by selecting "All active records," but be aware of the overall impact on risk scores.
- Organizational Risk Scoring: Aggregates risk scores across hosts, applications, containers, and configuration issues for an overall risk score view in unified dashboards, supporting enterprise-wide risk management.
How It Works
Each roll-up calculator aggregates the risk scores of individual vulnerable items or findings under a higher-level entity using configured weights and factors. For example, a remediation task’s risk score is computed using the maximum risk score, average risk score, and the count of vulnerable items, each multiplied by a specified weight. A factor based on the count of items adjusts the final score to reflect scale.
Example: For a remediation task with three vulnerable items scoring 30, 40, and 50, and weights of 80 (max risk), 5 (average risk), and 15 (count), the overall risk score is calculated as follows:
- Maximum risk score: 50
- Average risk score: 40
- Count factor: 0.2 (for fewer than 10 items)
- Risk Score = (50/100) × 80 + (40/100) × 5 + 0.2 × 15 = 45
Benefits for ServiceNow Customers
- Improved Prioritization: Understand the cumulative risk across various assets and remediation efforts to focus resources on the highest risk areas.
- Dynamic Risk Management: Risk scores update automatically with system changes, keeping your vulnerability posture current.
- Customizable Calculations: Tailor risk aggregation based on your organization's priorities using configurable weights and inclusion options.
- Enterprise-wide Visibility: The organization risk score roll-up consolidates multiple vulnerability types and configuration issues, enabling comprehensive risk assessment via dashboards.
Next Steps
After completing initial risk calculator assessments in the Setup Assistant, configure the roll-up calculators to align with your organizational risk priorities. Regularly review and adjust weights and inclusion settings to maintain accurate and actionable cumulative risk scores. Utilize unified dashboards to monitor risk scores at the organizational level and drive remediation efforts efficiently.
After assessing risk calculators, use the roll-up calculators to configure how the cumulative risk scores are computed for remediation tasks and other higher entities.
- Discovered Application Rollup Calculator: Roll up the risk scores for all application vulnerable items with the same discovered application, to provide an overall risk score for the discovered application.
- Vulnerability Entry Rollup Calculator: Roll up the risk scores for all vulnerable items with the same vulnerability entry, to provide an overall risk score for the vulnerability entry.
- Discovered Item Rollup Calculator: Roll up the risk scores for all vulnerable items and test results with the same discovered item, to provide an overall risk score for the discovered item.
- Remediation Task Rollup Calculator: Roll up the risk scores for all vulnerable items in a remediation task, to provide an overall risk score for the entire group of vulnerable items.
- Configuration Test Rollup Calculator: Roll up the risk scores for all test results with the same configuration test, to provide an overall risk score for the configuration test.
- Discovered Image Rollup Calculator: Roll up the risk scores for all container vulnerable items with the same discovered container image, to provide an overall risk score for the discovered container image.
- Remediation Effort Rollup Calculator: Roll up the risk scores for all the records in a remediation effort, to provide an overall risk score for the entire effort.
- Container Remediation Task Calculator: Roll up the risk scores for all container vulnerable items in a remediation task, to provide an overall risk score for the entire group of vulnerable items.
- Application Remediation Task Calculator: Roll up the risk scores for all application vulnerable items in a remediation task, to provide an overall risk score for the entire group of vulnerable items.
- Test Results Remediation Task Calculator: Roll up the risk scores for all test results in a remediation task, to provide an overall risk score for the entire group of vulnerable items.
- Organization Risk Score Rollup: Roll up the risk scores for all vulnerable items and configuration issues in an organization, to provide an overall risk score for the entire organization in the unified dashboard.
- Patch Update Rollup: Rolls up the risk scores for all findings with the same patch update, to provide an overall risk score for the patch update.
- Remediation Effort Rollup: Provides an overall risk score for records within a remediation effort.
Configuring roll-up calculators
When configuring a roll-up calculator, you specify the weight given to each computed value in determining the cumulative risk score. The higher the weight, the more that value influences the rolled-up risk score.
How roll-up calculators work
Roll-up calculations run on a 15-minute schedule and recalculate the cumulative risk score whenever any of the following changes:
- Findings' risk scores, remediation targets, or statuses change.
- Finding states change (for example, Open, Deferred, Closed).
- Findings are added to or removed from a remediation task.
Example: Remediation Rollup Calculator
A remediation task contains three vulnerable items:
- VIT1001 with a risk score of 30
- VIT1002 with a risk score of 40
- VIT1003 with a risk score of 50
The calculator is configured with the following weights:
- Maximum risk score: 80
- Average risk score: 5
- Count of vulnerable items: 15
In this Vulnerability rollup calculator example, the formula for determining the remediation task Risk Score is:
(Maximum risk score / 100) × 80 + (Average risk score / 100) × 5 + (factor × 15)
where the factor depends on the number of vulnerable items (VI count) in the task:
| VI count | Factor |
|---|---|
| <10 | 0.2 |
| 10–100 | 0.4 |
| 101–1000 | 0.6 |
| 1001–10000 | 0.8 |
| > 10000 | 1 |
For the three vulnerable items above:
- The maximum risk score is 50
- The average risk score is 40
- The factor is 0.2 (fewer than 10 items)
The Risk Score would be 45: (50/100) × 80 + (40/100) × 5 + 0.2 × 15 = 40 + 2 + 3 = 45
Organizational risk score roll-up calculations
The Organization Risk Score Rollup calculator calculates the overall risk score for an organization in the Unified Vulnerability Response Dashboard and Cybersecurity Executive Dashboard. It rolls up the risk scores for host vulnerable items, application vulnerable items, container vulnerable items, and configuration issues.
To calculate the maximum risk score, the highest score among VIT, AVIT, test results, and CVIT is chosen. For example, if a VIT has the highest score, that score is used as the maximum risk score.
Once the counts of VIT, AVIT, CVIT, and test results are obtained, they're added together and normalized using a count method. The resulting value is then multiplied by the count weight specified in the configuration.
The same process is followed for the average risk score: the risk scores of all VITs, AVITs, CVITs, and test results are summed and then divided by the total count. Finally, the weighted maximum, average, and count components are added to derive the organization risk score.
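The following is an added example, not ServiceNow's own code, that models the roll-up described in the Remediation Rollup Calculator example above and in the organizational roll-up section. It reproduces the page's weights (80 / 5 / 15) and count-factor table and shows how the "All active records" option changes the result by pulling deferred findings back into the calculation. The finding records, state names, the `includeDeferred` switch and the per-type pooling for the organization roll-up are constructed here for illustration; the page does not specify the organization "count method", so this example assumes it uses the same factor table as the remediation task roll-up.

```javascript
// Count-factor table from the page: larger groups of vulnerable items
// push the count component of the score up.
const COUNT_FACTORS = [
  { maxCount: 9, factor: 0.2 },      // fewer than 10 items
  { maxCount: 100, factor: 0.4 },    // 10-100
  { maxCount: 1000, factor: 0.6 },   // 101-1000
  { maxCount: 10000, factor: 0.8 },  // 1001-10000
];

function countFactor(count) {
  for (const row of COUNT_FACTORS) {
    if (count <= row.maxCount) return row.factor;
  }
  return 1; // more than 10000 items
}

// Weights from the page's example: max risk 80, average risk 5, count 15.
const WEIGHTS = { max: 80, avg: 5, count: 15 };

// Decide which findings take part in the roll-up. Closed findings never do;
// Deferred ones only when the calculator is set to "All active records".
function selectFindings(findings, includeDeferred) {
  return findings.filter((f) => {
    if (f.state === 'Closed') return false;
    if (f.state === 'Deferred') return includeDeferred;
    return true; // Open and any other active state
  });
}

// Generic roll-up: max, average and count of the selected findings, each
// multiplied by its weight. Returns the components so a reviewer can see
// which finding drove the maximum (the page's "if VITs have the highest
// score" case for the organization roll-up).
function rollUp(findings, weights, options = {}) {
  const active = selectFindings(findings, options.includeDeferred === true);
  if (active.length === 0) {
    return { score: 0, max: 0, avg: 0, count: 0, factor: 0, top: null };
  }
  const top = active.reduce((a, b) => (b.riskScore > a.riskScore ? b : a));
  const total = active.reduce((sum, f) => sum + f.riskScore, 0);
  const avg = total / active.length;
  const factor = countFactor(active.length);
  // Dividing after multiplying keeps the integer cases (e.g. 45) exact.
  const score =
    (top.riskScore * weights.max + avg * weights.avg) / 100 + factor * weights.count;
  return { score, max: top.riskScore, avg, count: active.length, factor, top };
}

// Constructed remediation task: the page's three vulnerable items plus a
// deferred one (VIT1004, hypothetical) to show the "All active records" effect.
const REMEDIATION_TASK = [
  { id: 'VIT1001', type: 'VIT', state: 'Open', riskScore: 30 },
  { id: 'VIT1002', type: 'VIT', state: 'Open', riskScore: 40 },
  { id: 'VIT1003', type: 'VIT', state: 'Open', riskScore: 50 },
  { id: 'VIT1004', type: 'VIT', state: 'Deferred', riskScore: 90 },
];

// Constructed organization: host, application and container vulnerable
// items and a configuration test result pooled into one calculation.
const ORGANIZATION = [
  ...REMEDIATION_TASK.slice(0, 3),
  { id: 'AVIT2001', type: 'AVIT', state: 'Open', riskScore: 65 },
  { id: 'CVIT3001', type: 'CVIT', state: 'Open', riskScore: 20 },
  { id: 'TR4001', type: 'test_result', state: 'Open', riskScore: 55 },
  { id: 'VIT1005', type: 'VIT', state: 'Closed', riskScore: 99 }, // ignored
];

function remediationTaskScore(includeDeferred) {
  return rollUp(REMEDIATION_TASK, WEIGHTS, { includeDeferred });
}

function organizationScore() {
  return rollUp(ORGANIZATION, WEIGHTS);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('Remediation task (deferred excluded):', remediationTaskScore(false));
  console.log('Remediation task (All active records):', remediationTaskScore(true));
  console.log('Organization:', organizationScore());
}
```

With deferred findings excluded the task scores 45, exactly as on the page (40 + 2 + 3). Selecting "All active records" brings VIT1004 in: the maximum jumps to 90 and the average to 52.5, so the score rises to 77.625, which is the "overall impact on risk scores" the page warns about. In the organization roll-up the top finding is the AVIT at 65, while the closed VIT1005 plays no part.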