Lateral Movement Risk Calculator

Model attacker paths beyond the first foothold. Tune inputs for identity, network, and detection gaps. Get a clear score, then reduce spread fast today.

Assessment inputs

Use 0–10 scales for posture and exposure. Higher exposure is worse; higher control coverage is better. Weights are normalized automatically.

Name the environment or simulation run.
Secrets in scripts, shares, logs, endpoints, tickets.
Higher means broader reuse across endpoints.
SMB/RDP/WinRM/SSH reachability and allowlists.
VPN, VDI, gateways, and internet-facing paths.
Used to approximate attack surface scale.
Tiering, isolation, and enforced allowed flows.
Privileged actions, consoles, and remote management.
Just-in-time, approvals, separation, session controls.
Higher means faster SLAs and better coverage.
Inventory, rotation, least privilege, monitoring.
Secure configs, reduced legacy protocols, logging.
Servers, endpoints, admin workstations, tamper protection.
Central logs, identity telemetry, tuned detections.
Time to contain activity after detection.
Higher means crown-jewel exposure is more costly.
Trusts, domains, legacy OUs, and admin tiers.
Applies a small multiplier to risk score.
Adds an adjustment for active identity risk.
Increases spread potential into high-value zones.
Large counts increase misconfiguration and credential paths.
Long rotation windows can increase reuse risk.

Advanced weighting (optional)

Enter any non‑negative numbers. The calculator normalizes them into a 100% split.


Example data table

These sample rows illustrate how different control coverage and exposure levels influence overall risk.

| Scenario | Exposure avg | Controls avg | Detect avg | Impact | Indicative score | Indicative level |
|---|---|---|---|---|---|---|
| Segmented admin tiers | 3.0 | 8.0 | 7.5 | 3 | ~22 | Low |
| Mixed posture, moderate sprawl | 5.5 | 5.5 | 5.0 | 3 | ~48 | Moderate |
| Weak segmentation, reused admins | 7.0 | 3.5 | 4.0 | 4 | ~67 | High |
| Credential compromise + reachability | 7.5 | 3.0 | 3.5 | 5 | ~84 | Critical |

Indicative scores are illustrative and depend on exact inputs and weights.

Formula used

This tool produces a 0–100 score by combining four pillars. Each pillar is computed as a weighted average of factors mapped to a 0–100 scale.

Exposure = Σ(wᵢ × factorᵢ)
Control deficit = Σ(wᵢ × (10 − controlᵢ))
Detect/response deficit = Σ(wᵢ × deficitᵢ)
Impact = Σ(wᵢ × impactᵢ)
Base risk = Wₑ×Exposure + Wc×ControlDef + Wd×DetectDef + Wi×Impact
Final risk = clamp((Base risk + Adjustments) × CapabilityModifier, 0, 100)
  • Exposure factors represent how easily an intruder can move (credentials, remote paths, protocol reachability, and scale).
  • Control deficit increases when segmentation, MFA, privilege controls, patching, governance, and hardening are weak.
  • Detect/response deficit increases when telemetry is missing or containment is slow (MTTR).
  • Adjustments add risk for signals like recent credential compromise or sensitive reachability.
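
The formulas above, carried through for two constructed scenarios. This is an added example, not the calculator's own code: the factor names, pillar weights, linear MTTR mapping, adjustment size and the use of a 0–10 scale for impact are all assumptions, so its scores will not match the tool's.

```python
# Added example: every weight, the MTTR mapping, the adjustment size and the
# modifier below are assumptions for illustration, not the calculator's values.

def normalize(weights):
    """Scale non-negative weights so they sum to 1 (the '100% split')."""
    total = sum(weights.values())
    if total <= 0 or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative with a positive sum")
    return {k: w / total for k, w in weights.items()}

def pillar(factors):
    """Equal-weight average of 0-10 factors, mapped to a 0-100 scale."""
    w = normalize({k: 1 for k in factors})
    return 10 * sum(w[k] * v for k, v in factors.items())

def mttr_deficit(hours, cap=72):
    """Assumed mapping: deficit grows linearly from 0 to 10 at `cap` hours."""
    return 10 * min(max(hours, 0), cap) / cap

def risk_score(exposure, controls, detection, mttr_hours, impact,
               pillar_weights, adjustments=0.0, capability_modifier=1.0):
    detect_def = {k: 10 - v for k, v in detection.items()}
    detect_def["mttr"] = mttr_deficit(mttr_hours)
    pillars = {
        "exposure": pillar(exposure),
        "control": pillar({k: 10 - v for k, v in controls.items()}),  # strength -> gap
        "detect": pillar(detect_def),
        "impact": pillar(impact),
    }
    w = normalize(pillar_weights)
    base = sum(w[k] * pillars[k] for k in pillars)
    final = (base + adjustments) * capability_modifier
    return round(min(max(final, 0.0), 100.0), 1)

# Constructed scenarios: current state vs. a "quick wins" run (controls only).
WEIGHTS = {"exposure": 3, "control": 3, "detect": 2, "impact": 2}
CURRENT = dict(
    exposure={"credentials": 8, "admin_reuse": 7, "protocols": 6},
    controls={"segmentation": 3, "admin_mfa": 4, "privilege_mgmt": 4},
    detection={"edr": 5, "monitoring": 4},
    mttr_hours=48, impact={"criticality": 8},
    pillar_weights=WEIGHTS, adjustments=5.0,  # e.g. recent credential compromise
)
QUICK_WINS = {**CURRENT,
              "controls": {"segmentation": 3, "admin_mfa": 9, "privilege_mgmt": 7}}

if __name__ == "__main__":
    for name, s in (("current", CURRENT), ("quick wins", QUICK_WINS)):
        print(f"{name}: {risk_score(**s)}")
```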

How to use this calculator

  1. Start with a specific scope (e.g., corporate endpoints + servers).
  2. Rate exposure (0–10) based on reachable protocols and credential hygiene.
  3. Rate control coverage (0–10) based on enforcement, not policy alone.
  4. Enter MTTR as the typical containment time, in hours.
  5. Set asset criticality and directory complexity to reflect blast radius.
  6. Optionally adjust pillar weights to match your risk model.
  7. Calculate, review drivers, then prioritize the recommended actions.
Tip: Run multiple scenarios (current state vs. planned improvements) to quantify how specific controls reduce lateral movement risk.

Disclaimer: This calculator supports planning and prioritization. Use it alongside threat modeling, detection validation, and professional review.

Why lateral movement scoring matters

After an initial foothold, intruders seek faster privilege and broader reach. This calculator turns that “spread potential” into a repeatable 0–100 score so teams can compare business units, networks, or projects with the same yardstick and consistent inputs. Scores under 25 indicate limited movement paths with strong containment. Scores above 75 suggest rapid propagation risk where a single compromised account can pivot into critical systems.

Interpreting exposure inputs

Exposure fields rate how easy it is to hop between hosts. A credential exposure of 8–10 fits environments with secrets in scripts, shared drives, or unmanaged endpoints. Shared/local admin reuse increases when the same password, token, or group membership appears on many machines. Protocol exposure rises when SMB, RDP, WinRM, or SSH are reachable beyond management zones. The endpoints-in-scope value is bucketed to approximate attack surface; larger fleets typically mean more misconfigurations and more credential residue.

Control coverage and deficit logic

Controls are entered as strength, but the model converts them into deficit: (10 − control) to reflect residual weakness. Segmentation, admin MFA, privilege management, patch hygiene, service-account governance, and hardening each reduce the probability that a pivot succeeds. If your segmentation is 3/10, the deficit is 7/10, which heavily elevates risk. Mature privilege controls also shrink the impact of reused credentials by limiting session scope and duration.

Detection and response indicators

Detection inputs measure how quickly you can spot and contain lateral techniques. Higher EDR coverage and monitoring quality reduce the deficit, while a longer MTTR increases it. An MTTR below 12 hours limits spread; 24–72 hours enables multi-hop movement; beyond 72 hours, persistence and privilege escalation attempts become possible.

Using scenarios to prioritize investment

Run at least three scenarios: current state, “quick wins,” and target state. Quick wins may include admin MFA expansion, unique local admin passwords, and restricting remote management to jump hosts. The calculator also applies small adjustments for recent credential compromise, reachable sensitive segments, high privileged-account counts, and long secret rotation cycles. Compare the top drivers list across scenarios; if “Segmentation gap” remains a driver, invest in tiered zoning. If “Slow response window” dominates, automate isolation and streamline escalation paths.

FAQs

What does the 0–100 risk score represent?

It summarizes how likely an attacker is to pivot and expand privileges after a foothold, combining exposure, control gaps, detection weakness, and impact. Higher scores indicate faster spread potential and harder containment.

How do I choose 0–10 input values accurately?

Use measurable evidence: scan results, admin group counts, protocol reachability maps, MFA coverage reports, and patch SLAs. Prefer enforcement data over policy text, and reassess values after major architecture changes.

Why are control inputs converted into a deficit?

Strong controls reduce lateral success probability, so the model treats missing coverage as residual weakness. Enter higher numbers for better coverage, and the calculator automatically converts them to “gap” values for scoring.

How do pillar weights change the outcome?

Weights decide how much each pillar drives the final score. Enter any non‑negative values; the tool normalizes them into a 100% split, letting you emphasize exposure-heavy threats or response-heavy constraints.

Can I use this for cloud or hybrid environments?

Yes. Map endpoints to workloads, rate protocol exposure as management-plane reachability, and treat service accounts, tokens, and federated identities as credential exposure. Keep MTTR aligned with your incident response process.

What actions help most when the score is Critical?

Start with identity and segmentation: enforce MFA for privileged actions, remove standing admin rights, deploy unique local admin passwords, and restrict remote management to jump hosts. Expand EDR coverage, centralize logs, and automate containment to cut MTTR quickly.


Important Note: All the calculators listed on this site are for educational purposes only, and we do not guarantee the accuracy of results. Please consult other sources as well.