Definition

Asset Risk Score

A single number reflecting the overall security risk of a device, weighing criticality, CVSS severity, KEV status, EPSS probability, network exposure, and asset classification to prioritize remediation.

What is Asset Risk Score?

An asset risk score consolidates multiple risk signals into a single prioritized number, giving security teams a fast way to determine which devices deserve immediate attention. Without risk scoring, security teams face a flat list of thousands of vulnerabilities with no guidance on where to start. Even a moderately sized organization may have hundreds of thousands of open CVEs across its asset fleet — far more than any team can address.

Effective risk scoring must go beyond raw CVSS severity. A critical-severity CVE on an air-gapped device with no network exposure is far less urgent than a medium-severity KEV on an internet-facing asset. Good risk scoring incorporates: the vulnerability's CVSS base score, whether it appears in CISA's Known Exploited Vulnerabilities catalog, the EPSS probability of exploitation in the next 30 days, the device's network exposure and segmentation status, the asset's criticality and function (e.g., life-support vs. administrative workstation), and whether the vulnerability has a known patch.

In IoT and OT environments, patching is often not possible — devices run end-of-life firmware, vendor patches require lengthy validation cycles, or the device simply cannot be taken offline. Risk scoring in these environments must also recommend compensating controls: segmentation, access restrictions, enhanced monitoring.
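As an added illustration (not ORDR's scoring formula; the weights, exposure multipliers, asset names and CVE identifiers are constructed assumptions), a small Python model that combines the signals listed above, rescores an asset when one of its CVEs enters the KEV catalog, and recommends compensating controls where no patch exists:

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str          # constructed placeholder IDs below, not real CVEs
    cvss: float       # CVSS base score, 0-10
    epss: float       # EPSS probability of exploitation in the next 30 days, 0-1
    kev: bool         # listed in CISA's Known Exploited Vulnerabilities catalog
    patch_available: bool

@dataclass
class Asset:
    name: str
    criticality: float  # 0-1, derived from classification: life-support near 1.0, admin PC lower
    exposure: str       # "internet", "internal" or "air_gapped"

# Assumed reachability multipliers: an air-gapped device is reachable by far fewer attackers.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "air_gapped": 0.15}

def finding_score(f: Finding, a: Asset) -> float:
    """Per-finding score 0-100 = likelihood x impact x reachability (assumed weights)."""
    severity = f.cvss / 10.0
    # KEV means exploitation is confirmed in the wild, so it overrides the EPSS estimate.
    exploitation = 1.0 if f.kev else f.epss
    likelihood = 0.4 * severity + 0.6 * exploitation
    return round(100 * likelihood * a.criticality * EXPOSURE_WEIGHT[a.exposure], 1)

def asset_risk_score(a: Asset, findings: list) -> float:
    """Asset score: the worst finding dominates, the rest add 10% each, capped at 100."""
    scores = sorted((finding_score(f, a) for f in findings), reverse=True)
    if not scores: return 0.0
    return round(min(100.0, scores[0] + 0.1 * sum(scores[1:])), 1)

def add_to_kev(findings: list, cve: str) -> None:
    """Simulate a KEV catalog update; rescoring afterwards elevates affected assets."""
    for f in findings:
        if f.cve == cve:
            f.kev = True

def recommended_actions(findings: list) -> list:
    """Patch where a vendor fix exists; otherwise recommend compensating controls (IoT/OT case)."""
    return [f"{f.cve}: apply vendor patch" if f.patch_available
            else f"{f.cve}: no patch - segment, restrict access, increase monitoring"
            for f in findings]

# Constructed sample data: the two cases contrasted in the text above.
PUMP = Asset("infusion-pump-07", 0.9, "air_gapped")
PUMP_FINDINGS = [Finding("CVE-EXAMPLE-1", 9.8, 0.05, False, False)]
WORKSTATION = Asset("reception-pc-12", 0.5, "internet")
WS_FINDINGS = [Finding("CVE-EXAMPLE-2", 5.5, 0.30, True, True)]
```

With these weights the medium-severity KEV on the internet-facing workstation scores 41.0 while the critical CVE on the air-gapped pump scores 5.7, and adding that CVE to the KEV catalog raises the pump only to 13.4 because its exposure is so limited.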

Key Facts

  • CISA's KEV catalog contains fewer than 2% of all published CVEs but accounts for a disproportionate share of actual exploits
  • EPSS-weighted prioritization reduces remediation workload by up to 87% compared to CVSS-only approaches
  • Over 70% of IoT and OT devices cannot be patched on a standard IT patching cycle
  • Asset criticality — not just vulnerability severity — is the most reliable predictor of breach impact

How ORDR Addresses Asset Risk Score

ORDR computes a composite risk score for every asset by combining CVE severity, CISA KEV status, EPSS exploitation probability, network exposure, asset criticality, and device classification. Scores are dynamically updated as the threat landscape changes — a CVE added to the KEV catalog automatically elevates the risk score of all affected assets, triggering alerts and recommended actions.
