Each finding is assigned two factors (Impact x Likelihood) to measure its risk. Factors are measured on a scale of 1 (very low) through 5 (very high).
This indicates the finding's effect on technical and business operations. It covers aspects such as the confidentiality, integrity, and availability of data or systems; and financial or reputation loss.
Likelihood of occurrence
This indicates the finding's potential for exploitation. It takes into account aspects such as skill level required of an attacker and relative ease of exploitation.
Findings are grouped into five severity levels based on their risk as calculated by their business impact and likelihood of occurrence,
risk = impact * likelihood. When our pentesters find vulnerabilities, they use the standard OWASP risk model and then classify them into one of the following levels:
|Critical||25||Includes vulnerabilities that require immediate attention.|
|High||16-24||Impacts the security of your application/platform/hardware, including supported systems. Includes high probability vulnerabilities with a high business impact.|
|Medium||5-15||Includes vulnerabilities that are: medium risk, medium impact; low risk, high impact; high risk, low impact.|
|Low||2-4||Specifies common vulnerabilities with minimal impact.|
|Informational||1||Notes vulnerabilities of minimal risk to your business.|