Risk scoring is how SecurAtlas quantifies your organization’s security posture at any point in time. This page explains how the 0–100 score is calculated, which factors influence it, what the AI-generated gap narrative tells you, and how to read the financial exposure estimates.

The 0–100 score scale

SecurAtlas rates your posture on a scale from 0 to 100. Higher scores indicate stronger security posture and lower overall risk. Lower scores signal that critical gaps remain unaddressed.
| Score range | Risk level | What it means |
|---|---|---|
| 0–20 | Critical | Severe gaps across core controls; immediate action required |
| 21–40 | High | Significant control weaknesses; remediation should be prioritized |
| 41–60 | Medium | Partial implementation; notable exposure remains |
| 61–80 | Moderate | Most controls in place; residual gaps are manageable |
| 81–100 | Low | Strong posture; controls are implemented and evidenced |

Aim for a score of 61 or higher as your baseline posture goal. A Moderate rating means your most critical controls are implemented and your residual risk is at an acceptable level for most organizations.

What affects your score

Four factors feed into your risk score calculation:
  • Control implementation status — Whether each control is not_started, in_progress, implemented, or not_applicable. Implemented controls contribute positively; unstarted controls reduce your score.
  • Control maturity — Each control has a maturity rating from 1 to 5. A higher maturity rating means your implementation is more consistent, documented, and tested. Maturity directly amplifies or dampens a control’s contribution to your score.
  • Evidence quality — Each piece of evidence attached to a control has a confidence score indicating how strongly it proves the control is implemented. Strong, current evidence raises your score; weak or missing evidence limits how much credit a control can contribute.
  • Evidence confidence level — SecurAtlas assigns an overall confidence level to each control based on its evidence:

| Confidence level | Threshold |
|---|---|
| High | Confidence score ≥ 0.85 |
| Medium | Confidence score ≥ 0.60 |
| Low | Below 0.60 |

Controls with High confidence receive full credit toward your score. Controls with Low confidence are discounted even if they are marked as implemented.
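
An added illustration, not SecurAtlas code: one way the four factors could combine so that evidence confidence limits the credit an implemented control earns. The confidence thresholds and risk bands come from the tables on this page; the status credits, the maturity/5 scaling, the confidence multipliers, and the exclusion of not_applicable controls are assumptions, because the page does not publish the formula.

```python
from dataclasses import dataclass, field

# From the page: risk bands (upper bound, level).
RISK_BANDS = [(20, "Critical"), (40, "High"), (60, "Medium"), (80, "Moderate"), (100, "Low")]

# ASSUMPTIONS (not published on the page): illustrative credit factors.
STATUS_CREDIT = {"not_started": 0.0, "in_progress": 0.5, "implemented": 1.0}
CONFIDENCE_CREDIT = {"High": 1.0, "Medium": 0.75, "Low": 0.4}

@dataclass
class Control:
    name: str
    status: str                      # not_started | in_progress | implemented | not_applicable
    maturity: int = 1                # 1 to 5
    evidence: list = field(default_factory=list)  # confidence score per evidence item

def confidence_level(score):
    """Map a confidence score to the page's High / Medium / Low levels."""
    if score >= 0.85:
        return "High"
    return "Medium" if score >= 0.60 else "Low"

def control_credit(c):
    """Credit in [0, 1] for one applicable control."""
    if not 1 <= c.maturity <= 5:
        raise ValueError(f"{c.name}: maturity must be 1 to 5")
    # ASSUMPTION: the strongest evidence item sets the level; no evidence counts as Low.
    level = confidence_level(max(c.evidence, default=0.0))
    return STATUS_CREDIT[c.status] * (c.maturity / 5) * CONFIDENCE_CREDIT[level]

def posture_score(controls):
    """0 to 100 score; not_applicable controls are left out (assumption)."""
    scored = [c for c in controls if c.status != "not_applicable"]
    if not scored:
        raise ValueError("no applicable controls to score")
    return round(100 * sum(control_credit(c) for c in scored) / len(scored))

def risk_level(score):
    """Map a 0 to 100 score to the page's risk level."""
    return next(label for upper, label in RISK_BANDS if score <= upper)

# Constructed sample data, not real assessment results.
SAMPLE = [
    Control("MFA", "implemented", 5, [0.92]),
    Control("Backups", "implemented", 4, [0.45]),      # implemented, weak evidence
    Control("Logging", "in_progress", 2, [0.70]),
    Control("Vendor review", "not_started"),
    Control("Physical access", "not_applicable"),
]
```

Under these assumed weights the sample scores 37 (High); raising the Backups evidence confidence from 0.45 to 0.90 lifts it to 49 (Medium) with no change in implementation status.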

How the score updates

Your risk score recalculates automatically when you:
  • Change a control’s implementation status
  • Upload, validate, or remove evidence
  • Run the risk pipeline manually from the dashboard
No manual refresh is required. Score history is preserved in a table so you can track your posture over time and demonstrate progress to auditors.

Risk categories

SecurAtlas breaks your overall risk into specific threat categories — including data breach, ransomware, insider threat, and compliance failures, among others. Each category carries a residual risk contribution score that shows how much that threat type is influencing your overall exposure. Use these category scores to prioritize remediation work based on the threats most relevant to your industry and operating environment.

AI gap narrative

Alongside your score, SecurAtlas generates a plain-language explanation of why your score is at its current level. This AI-generated gap narrative identifies your highest-impact gaps — the controls and evidence gaps most responsible for lowering your score — and explains what you can do to address them. The narrative updates each time your score recalculates.

Financial exposure (ALE)

The Annualized Loss Expectancy (ALE) translates your risk score into estimated financial impact. SecurAtlas provides three estimates:
  • Low — best-case annual loss estimate
  • Expected — most probable annual loss
  • High — worst-case annual loss
These estimates are derived from your organization’s profile: annual revenue range, employee count, endpoint count, and industry. ALE gives security leaders a way to communicate risk in financial terms when engaging executive stakeholders or board members. For a full walkthrough of the financial exposure view, see the Financial Exposure guide.