See how exposed your services are to attackers. Adjust security controls and exposure time safely. Get a clear score and fix priorities today.
| Asset | Open Ports | Internet Ports | Avg CVSS | Patch Age (days) | Score | Risk |
|---|---|---|---|---|---|---|
| Public web server | 12 | 2 | 5.2 | 20 | 34.6 | Medium |
| VPN gateway | 8 | 1 | 3.1 | 15 | 21.4 | Low |
| RDP exposed host | 16 | 4 | 7.6 | 60 | 78.9 | Critical |
| Database in DMZ | 20 | 3 | 6.4 | 45 | 59.1 | High |
| Internal app server | 10 | 0 | 4.0 | 30 | 18.2 | Low |
The calculator builds an Exposure Score by adding weighted risk drivers, then subtracting control discounts. The result is clamped to a 0–100 range.
The exposure score summarizes how reachable and exploitable your network services are. It ranges from 0 to 100 and maps to four bands: Low (0–24), Medium (25–49), High (50–74), and Critical (75–100). The model combines technical exposure (open ports and internet reachability) with weakness indicators (average severity and patch age) to produce a consistent priority signal.
Internet-facing ports are the strongest driver because attackers can probe them continuously. A small number of exposed management services can dominate the score, especially when they appear on common high-risk ports such as 22, 3389, 445, or 1433. Average severity uses a 0–10 scale, so moving from 4.0 to 7.0 meaningfully increases risk. Patch age is scaled against a 90‑day window, emphasizing stale baselines.
Zone selection adds context: Internal assumes limited reach, DMZ reflects segmented but reachable services, and External models broad exposure. Asset criticality and data sensitivity use 1–5 ratings to translate technical findings into business impact. A customer-facing gateway rated 5 for asset criticality and 4 for data sensitivity should be treated differently than a low-value test host, even with similar port counts.
Controls subtract discounts from the total because they reduce abuse likelihood or blast radius. Authentication and encrypted transport lower credential theft and session interception risk. Firewall strictness scales from 0 to 5, rewarding deny-by-default designs. Monitoring, rate limiting, and allowlists help detect and slow automated scans, brute force, and exploitation attempts. Controls do not eliminate exposure; they improve resilience while remediation proceeds.
Use the breakdown table to identify the largest point contributors and assign owners. When the score is High or Critical, focus first on eliminating internet exposure, patching severe findings, and shortening “open window” duration. Export CSV for ticketing and trend reviews, and export PDF for leadership updates. Recalculate after each change to confirm risk reduction and keep a defensible audit trail. For mature programs, track median patch age, percent of internet ports, and control coverage monthly. A 10-point drop usually reflects meaningful surface reduction, not noise, when inputs are consistent across assets.
Use lists when you have scan results, because the tool can count ports and infer critical exposure. Use counts for quick estimates. If both are entered, the port lists take precedence for accuracy.
You can provide a critical ports list directly. If not, and an internet-facing list is present, the calculator flags common high-risk ports like 22, 3389, 445, 1433, 3306, and 8080 to estimate a critical count.
Enter the average CVSS of current findings affecting exposed services. If you have multiple scanners, normalize to the same version and scope. When uncertain, start with 5.0 and adjust as evidence improves.
Older patch baselines correlate with unaddressed known weaknesses and longer attacker opportunity. The model scales patch age toward a 90‑day horizon to highlight overdue updates and encourage shorter remediation cycles.
No. They reduce likelihood and impact, so the score discounts them. Exposure still exists when a service is reachable, so combine controls with port reduction, segmentation, and patching for durable risk reduction.
Recalculate after any rule change, patch window, or control update. For active environments, weekly reviews are common. Track trends over time; consistent downward movement is a useful indicator of shrinking attack surface.
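The scoring flow described on this page (weighted drivers minus control discounts, clamped to 0–100, with port lists overriding counts) can be written out as follows. This is an added example, not the calculator's own code: every weight, cap, zone value and discount is an assumption chosen for illustration because the page does not publish them, so results will not match the sample table. The high-risk port set, the 90-day patch window, the clamp and the band thresholds are taken from the page.

```python
# Added example. Weights, caps and discounts are ASSUMED for illustration;
# the page does not publish the calculator's real coefficients.
HIGH_RISK_PORTS = {22, 3389, 445, 1433, 3306, 8080}  # listed on the page
ZONE_POINTS = {"internal": 0.0, "dmz": 5.0, "external": 10.0}  # assumed
BANDS = [(75, "Critical"), (50, "High"), (25, "Medium"), (0, "Low")]  # page

def parse_ports(text):
    """Parse a scan-style list such as '22, 443 3389' into valid port numbers."""
    tokens = text.replace(",", " ").split()
    return {int(t) for t in tokens if t.isdecimal() and 1 <= int(t) <= 65535}

def exposure_score(open_count=0, internet_count=0, critical_count=0,
                   internet_list="", critical_list="", avg_cvss=5.0,
                   patch_age_days=0, zone="internal", criticality=1,
                   sensitivity=1, auth=False, tls=False, firewall=0,
                   monitoring=False):
    inet, crit = parse_ports(internet_list), parse_ports(critical_list)
    if inet:                      # port lists take precedence over counts
        internet_count = len(inet)
    if crit:                      # an explicit critical list wins
        critical_count = len(crit)
    elif inet:                    # otherwise infer from common high-risk ports
        critical_count = len(inet & HIGH_RISK_PORTS)
    drivers = {                   # capped so one input cannot run away
        "open ports": min(open_count, 50) * 0.2,
        "internet ports": min(internet_count, 10) * 3.0,
        "critical ports": min(critical_count, 5) * 4.0,
        "avg severity": min(max(avg_cvss, 0.0), 10.0) * 2.0,
        "patch age": min(patch_age_days / 90.0, 1.0) * 15.0,  # 90-day window
        "zone": ZONE_POINTS[zone],
        "business impact": (criticality + sensitivity - 2) * 1.5,  # 1-5 ratings
    }
    discounts = {
        "authentication": 4.0 if auth else 0.0,
        "encrypted transport": 3.0 if tls else 0.0,
        "firewall": min(max(firewall, 0), 5) * 1.5,  # strictness 0-5
        "monitoring": 3.0 if monitoring else 0.0,
    }
    raw = sum(drivers.values()) - sum(discounts.values())
    score = round(min(max(raw, 0.0), 100.0), 1)      # clamp to 0-100
    band = next(name for floor, name in BANDS if score >= floor)
    return score, band, drivers, discounts

if __name__ == "__main__":
    # Constructed input: an externally reachable host with RDP and SMB exposed.
    score, band, drivers, _ = exposure_score(
        open_count=16, internet_list="80, 443, 3389, 445", avg_cvss=7.6,
        patch_age_days=60, zone="external", criticality=4, sensitivity=4)
    print(score, band)
    for name, pts in sorted(drivers.items(), key=lambda kv: -kv[1]):
        print(f"  {name:16s} {pts:5.1f}")  # largest contributors first
```

Sorting the returned `drivers` by points gives the same kind of breakdown the page recommends using to assign owners.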
Important Note: All the calculators listed on this site are for educational purposes only, and we do not guarantee the accuracy of results. Please consult other sources as well.