Understanding assessment scoring

The Active Directory posture score is designed to reflect risk impact, not simply the percentage of indicators that pass or fail. This means scoring is not linear.

If 10 indicators are evaluated and 2 fail, the score is not automatically 80%. Those two failures could represent high-impact or critical misconfigurations that significantly degrade overall security posture.

Our scoring model is built to highlight severity and exploitability, not raw count.

Weighted risk model

Each indicator is assigned an internal risk weight on a 1-10 scale, based on:

  • Severity (Medium, High, Critical)

  • Exploitability

  • Potential blast radius (domain-level vs forest-level impact)

  • Likelihood of privilege escalation or lateral movement

Higher-risk findings carry higher weights. For example:

  • Critical identity compromise paths (DCSync exposure) receive near-maximum weight.

  • Medium hardening gaps receive lower weight.

The assessment starts with a base score of 100. Failed indicators subtract from that base score according to their assigned weight.

Diminishing penalty curve

To avoid extreme scoring distortion, we apply a diminishing penalty curve.

  • The top three highest-weighted failed indicators subtract their full weight.

  • The 4th and 5th highest-weighted indicators subtract 50% of their weight.

  • Additional findings beyond the fifth do not further reduce the score.

This prevents the score from collapsing into single digits simply because many related issues are present. The goal is to:

  • Strongly penalize high-impact risks

  • Avoid over-penalizing environments with clustered but lower-risk findings

  • Maintain score distribution in a realistic range

In practice, this means:

  • A few critical issues can significantly drag down the score.

  • Additional medium issues will not proportionally collapse it.

  • The score "saturates" after the highest-impact risks are accounted for.
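The following is an added worked example of the scoring mechanics described above (base score of 100, per-indicator weights, and the diminishing penalty curve); it is illustrative code written for this page, not the assessment's own implementation. The indicator names and the weights used (10 for DCSync exposure, 9 for unconstrained delegation, 2 for a medium hardening gap) are constructed assumptions, since the page does not publish its internal weight table. It also contrasts the weighted score with a naive pass-rate percentage to show why the two differ.

```python
# Added illustration of the weighted, diminishing-penalty scoring model.
# Weights and indicator names below are constructed for this example; the
# real assessment's internal weights are not published on the page.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

BASE_SCORE = 100.0
FULL_PENALTY_SLOTS = 3      # three highest-weighted failures: full weight
HALF_PENALTY_SLOTS = 2      # 4th and 5th highest: half weight
HALF_PENALTY_FACTOR = 0.5   # findings beyond the 5th subtract nothing


@dataclass(frozen=True)
class Indicator:
    name: str
    severity: str   # "Medium", "High" or "Critical"
    weight: int     # internal risk weight on the 1-10 scale (assumed values)
    passed: bool


def pass_rate(indicators: Iterable[Indicator]) -> float:
    """Naive linear view: percentage of indicators that pass (what the score is NOT)."""
    items = list(indicators)
    return 100.0 * sum(i.passed for i in items) / len(items)


def penalty_breakdown(indicators: Iterable[Indicator]) -> List[Tuple[str, int, float]]:
    """Rank failed indicators by weight (highest first) and return
    (name, weight, penalty actually applied) for each one."""
    failed = sorted((i for i in indicators if not i.passed),
                    key=lambda i: i.weight, reverse=True)
    rows = []
    for rank, ind in enumerate(failed):
        if rank < FULL_PENALTY_SLOTS:
            applied = float(ind.weight)                  # full weight
        elif rank < FULL_PENALTY_SLOTS + HALF_PENALTY_SLOTS:
            applied = ind.weight * HALF_PENALTY_FACTOR   # 50% of weight
        else:
            applied = 0.0                                # saturated: no further penalty
        rows.append((ind.name, ind.weight, applied))
    return rows


def posture_score(indicators: Iterable[Indicator]) -> float:
    """Base score of 100 minus the diminishing-curve penalty, floored at 0."""
    penalty = sum(applied for _, _, applied in penalty_breakdown(indicators))
    return max(0.0, BASE_SCORE - penalty)


# Constructed sample inventories (weights are assumptions, not the product's).
def medium_gap(n: int) -> Indicator:
    return Indicator(f"hardening gap {n}", "Medium", 2, passed=False)


ONE_DCSYNC = [Indicator("DCSync exposure", "Critical", 10, passed=False)]
FIVE_MEDIUM = [medium_gap(n) for n in range(1, 6)]
TEN_MEDIUM = [medium_gap(n) for n in range(1, 11)]
# Ten indicators evaluated, two critical ones failed: 80% pass rate, but not an 80 score.
TWO_OF_TEN = (
    [Indicator("DCSync exposure", "Critical", 10, passed=False),
     Indicator("Unconstrained delegation on privileged host", "Critical", 9, passed=False)]
    + [Indicator(f"passing control {n}", "Medium", 2, passed=True) for n in range(1, 9)]
)

if __name__ == "__main__":
    samples = [("one DCSync", ONE_DCSYNC), ("five medium", FIVE_MEDIUM),
               ("ten medium", TEN_MEDIUM), ("2 of 10 failed", TWO_OF_TEN)]
    for label, inv in samples:
        print(f"{label:>15}: pass rate {pass_rate(inv):5.1f}%  score {posture_score(inv):5.1f}")
```

With these assumed weights, a single DCSync exposure scores 90 while five medium gaps score 92, and ten medium gaps still score 92 because everything past the fifth-ranked failure is ignored; the two-of-ten case has an 80% pass rate but a score of 81. Changing the constructed weights changes the numbers, but the shape of the model (severity-driven, saturating) stays the same.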

Security posture is not about how many findings exist—it's about how dangerous they are.

For example:

  • One DCSync exposure may be more dangerous than five medium hardening gaps.

  • Unconstrained delegation on privileged systems may outweigh multiple minor protocol settings.

The scoring model ensures that high-impact identity compromise paths drive urgency, even if the overall number of failed indicators is small.
