Overview: How Astra Calculates Risk Rating & Security Grade

Last updated: June 5, 2026

Introduction

Astra's OrbitX Pentest Platform (PTaaS) uses a structured methodology to determine the Risk Rating of individual vulnerabilities and an overall Security Grade for your assets. Understanding this system allows your team to prioritize remediation based on technical severity, business impact, and real-world market data.

Who Should Read This

  • Security Leads and Developers: To understand how vulnerability risk scores are calculated and how to prioritize remediation efforts.

  • Compliance Officers: To understand how the security grade reflects your organization's overall security posture across assets.

Risk Score Calculation Factors

The risk score for each vulnerability is a weighted average derived from five key factors:

1. Severity Assigned by Security Analysts: For manual penetration tests, Astra's experts evaluate the vulnerability within the specific context of your target environment (reachability, compensating controls, sensitivity of the affected data). This factor applies only to manual pentests conducted by Astra's pentesters; automated scans do not include it.

2. CVSS Score: Astra uses the Common Vulnerability Scoring System (v3.1) base metrics (attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality/integrity/availability impact), which are already expressed on a standardized 0–10 scale. Astra plans to move to CVSS v4 in the near future.

3. Number of Instances: A higher frequency of the same vulnerability across an application increases its risk score, as it signifies a broader attack surface.

4. Potential Financial Loss: This factor estimates the monetary impact of a successful exploit, considering variables such as data exposure, service disruption, and compliance violations.

5. Average Responsible Disclosure Bounty: Astra incorporates market value data by referencing average payouts for similar vulnerability classes on platforms like HackerOne and Bugcrowd.

Methodology

To ensure consistency, each factor is first normalized to a common 0–10 scale. A weight is then applied to each factor according to its relative influence on potential impact and exploitability, and the weighted average of the factors is taken. Because every input lies within 0–10 and the weights are applied as an average, the resulting risk score is also bounded by 0–10. That score determines both the remediation priority of the specific vulnerability and the security grade assigned to it.
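The following Python model is added here to illustrate the shape of the calculation described above; it is not Astra's own implementation. The weights, the mapping of analyst severity onto numbers, the log scale for instance counts and the dollar caps for the two monetary factors are all assumptions chosen for the example, since Astra does not publish them. It also covers the case the factor list only implies: on an automated scan the analyst factor is absent, and here its weight is redistributed over the remaining factors so the score still lands on the 0–10 scale rather than being silently deflated.

```python
from dataclasses import dataclass
from math import log2
from typing import Optional

# Assumed weights (Astra does not publish them); they sum to 1.0.
WEIGHTS = {
    "analyst": 0.30,    # severity assigned by Astra's pentesters (manual tests only)
    "cvss": 0.30,       # CVSS v3.1 base score
    "instances": 0.10,  # number of instances of the same issue in the target
    "loss": 0.15,       # estimated financial loss on successful exploit
    "bounty": 0.15,     # average responsible-disclosure payout for similar bugs
}

# Assumed mapping of the analysts' categorical severity onto the 0-10 scale.
ANALYST_SCALE = {"critical": 10.0, "high": 8.0, "medium": 5.0, "low": 2.0, "info": 0.0}

# Assumed saturation points for the two monetary factors: anything at or
# above the cap normalises to 10.
LOSS_CAP_USD = 1_000_000.0
BOUNTY_CAP_USD = 20_000.0


def clamp(x: float, lo: float = 0.0, hi: float = 10.0) -> float:
    return max(lo, min(hi, x))


def norm_cvss(base: float) -> float:
    """CVSS v3.1 base scores are already 0-10; reject anything outside that range."""
    if not 0.0 <= base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base}")
    return base


def norm_instances(n: int) -> float:
    """Assumed log scale: 1 instance -> 2, 4 -> 6, 16 or more -> 10."""
    if n < 1:
        raise ValueError("a finding has at least one instance")
    return clamp(2.0 + 2.0 * log2(n))


def norm_money(amount_usd: float, cap_usd: float) -> float:
    """Assumed linear scale, capped at 10."""
    if amount_usd < 0:
        raise ValueError("monetary factors cannot be negative")
    return clamp(10.0 * amount_usd / cap_usd)


@dataclass(frozen=True)
class Finding:
    cvss_base: float
    instances: int
    est_loss_usd: float
    avg_bounty_usd: float
    analyst_severity: Optional[str] = None  # None for automated scans


def normalised_factors(f: Finding) -> dict:
    """Return every available factor on the common 0-10 scale."""
    factors = {
        "cvss": norm_cvss(f.cvss_base),
        "instances": norm_instances(f.instances),
        "loss": norm_money(f.est_loss_usd, LOSS_CAP_USD),
        "bounty": norm_money(f.avg_bounty_usd, BOUNTY_CAP_USD),
    }
    if f.analyst_severity is not None:
        factors["analyst"] = ANALYST_SCALE[f.analyst_severity.lower()]
    return factors


def risk_score(f: Finding) -> float:
    """Weighted average of the available factors, rounded to two decimals.

    Assumption: when the analyst factor is absent (automated scan) the
    weighted sum is divided by the sum of the weights actually used, so the
    result stays on the 0-10 scale instead of being deflated by a missing term.
    """
    factors = normalised_factors(f)
    used_weight = sum(WEIGHTS[k] for k in factors)
    weighted = sum(WEIGHTS[k] * v for k, v in factors.items())
    return round(weighted / used_weight, 2)


if __name__ == "__main__":
    # Constructed sample finding: a CVSS 9.8 issue seen four times in the target.
    scan = Finding(cvss_base=9.8, instances=4, est_loss_usd=250_000, avg_bounty_usd=5_000)
    manual = Finding(9.8, 4, 250_000, 5_000, analyst_severity="critical")
    mitigated = Finding(9.8, 4, 250_000, 5_000, analyst_severity="low")
    print("automated scan:", risk_score(scan))
    print("manual pentest, analyst says critical:", risk_score(manual))
    print("manual pentest, analyst says low (compensating controls):", risk_score(mitigated))
```

The three sample runs show why the analyst factor exists: the same CVSS 9.8 finding scores differently once a pentester has confirmed it is trivially exploitable in your environment, or has downgraded it because a WAF or network segmentation makes it unreachable in practice. Whatever weights you assume, check that the output is monotonic in each factor and never leaves the 0–10 range; a scoring function that can exceed the scale breaks the grade rollup that sits on top of it.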

Security Grading Breakdown

A security grade is assigned to each individual vulnerability to help prioritize remediation order. The individual risk scores of all vulnerabilities are then rolled up to generate an Overall Security Grade for the target, visible on the dashboard and in scan reports. Grades range from A+ to F based on the following criteria:

  • A+ Grade: Excellent results where all vulnerabilities have been fixed and no significant issues remain.

  • A Grade: Good results where the majority of vulnerabilities, particularly those with notable impact, have been resolved.

  • B Grade: Decent performance where many vulnerabilities are fixed, but some exceptions or unsolved issues remain.

  • C through F Grades: Indicate a higher volume of unsolved vulnerabilities, particularly high-severity issues, that require immediate attention to improve the overall security posture.

Improving Your Grade

The platform provides a Security Grade Widget that teams can use to track remediation progress. To improve your grade efficiently, prioritize fixing high-severity vulnerabilities discovered during continuous scans or manual pentests, as these contribute most significantly to grade degradation.

Related Tasks

  • If you have further questions about vulnerability management or risk scoring, contact us at help@getastra.com