Health Score
The health score provides a single metric (0-100) that summarizes each agent's overall security posture. It combines vulnerability exposure, compliance status, update currency, and network exposure into a weighted score that helps you prioritize remediation efforts.
How the Score Is Calculated
The overall health score is a weighted average of four independent category scores:
| Category | Default Weight | What It Measures |
|---|---|---|
| Vulnerabilities | 50% | Known CVEs in installed software and OS |
| Compliance | 25% | Adherence to assigned compliance frameworks |
| Pending Updates | 15% | Outstanding system and application updates |
| Network Exposure | 10% | Open ports, firewall state, and attack surface |
Each category produces its own score from 0 to 100, and the overall score is the weighted combination:
Overall = (Vulnerability x 0.50) + (Compliance x 0.25) + (Updates x 0.15) + (Network x 0.10)
Weights are configurable per-tenant in Settings > Health Scoring.
Score Ranges
| Score | Status | Meaning |
|---|---|---|
| 80-100 | Healthy | System is secure and compliant |
| 60-79 | Needs Attention | Action required but not critical |
| 0-59 | Critical | Immediate attention required |
Category Scoring Details
Vulnerability Score
Starts at 100 and deducts points based on open vulnerabilities:
| Factor | Penalty |
|---|---|
| CISA KEV (Known Exploited Vulnerability) | -15 per vulnerability |
| KEV past its remediation due date | -25 additional per overdue KEV |
| Critical severity (CVSS 9.0-10.0) | -10 per vulnerability |
| High severity (CVSS 7.0-8.9) | -5 per vulnerability |
| Medium severity (CVSS 4.0-6.9) | -2 per vulnerability |
| Low severity (CVSS 0.1-3.9) | -0.5 per vulnerability |
| Fix available but not applied | -1 per vulnerability |
KEV vulnerabilities and critical CVEs have the largest impact because they represent the highest real-world risk.
Compliance Score
Weighted average of all compliance framework scores assigned to the agent through its tags. If no frameworks are assigned, the score defaults to 100.
Frameworks with critical failures are weighted more heavily. A framework reporting multiple critical failures counts more in the average than one with only minor non-compliance.
Update Score
Starts at 100 and deducts points for pending updates and stale check-in data:
| Factor | Penalty |
|---|---|
| Pending Windows/system update | -4 per update |
| Pending application update | -2 per update |
| Software needing updates | -1 per package |
| No update check in 7+ days | -5 |
| No update check in 14+ days | -10 additional |
| No update check in 30+ days | -20 additional |
Agents that have not checked for updates recently receive escalating penalties.
Network Exposure Score
Starts at 100 and deducts points based on exposed ports and firewall state.
If the firewall is disabled, the network score is automatically 0. This reflects the critical importance of having a host firewall active.
When the firewall is enabled, points are deducted per exposed port based on risk level:
| Port Risk Level | Penalty |
|---|---|
| Critical (e.g., Telnet, FTP) | -25 per port |
| High (e.g., RDP, SMB internet-exposed) | -15 per port |
| Medium | -5 per port |
Port risk is context-aware. A port that is only accessible on localhost or blocked by the firewall has no impact. The same port exposed to the internet is penalized based on the service type.
Viewing Health Scores
Agent Detail Page
Navigate to any agent and select the Health tab to see:
- Overall score gauge: Circular gauge showing the 0-100 score with status label
- Category cards: Four cards for Vulnerabilities, Compliance, Updates, and Network, each showing their individual score and key metrics
- 30-day trend chart: Area chart showing score history with toggleable series for overall and each category
- Fix These First: A prioritized list of the most impactful remediation actions, ranked by severity. Items link directly to the relevant tab for that agent.
- History panel: Timeline of score-impacting events over the last 30 days (e.g., "New critical vulnerability detected", "3 pending updates installed")
Fleet Summary
The agent list shows each agent's health score, allowing you to sort and filter by health status. The endpoints table includes a health score column to quickly identify agents that need attention.
Trend Analysis
The system tracks daily health scores for 30 days and calculates a trend:
| Trend | Condition |
|---|---|
| Improving | Score increased by more than 0.5 points over the period |
| Stable | Score changed by less than 0.5 points |
| Declining | Score decreased by more than 0.5 points |
| New | Agent has less than 7 days of history |
Trends require at least 7 days of data to avoid false signals during the initial assessment period.
Configuring Weights
Navigate to Settings > Health Scoring to adjust how much each category contributes to the overall score.
- Weight sliders: Adjust the weight of each category. Weights automatically balance to total 100%.
- High-risk port configuration: Define which ports are considered critical, high, or medium risk for the network exposure calculation.
For example, if your organization prioritizes compliance over vulnerability patching, you could increase the Compliance weight and decrease the Vulnerability weight. The default weights reflect a security-first posture where known vulnerabilities carry the most impact.
Prioritized Actions
The "Fix These First" section on the Health tab generates up to 7 actions ranked by impact:
- CISA KEV vulnerabilities (sorted by remediation due date)
- Critical CVEs without KEV designation
- Critical and high-severity compliance failures
- High-risk network port exposures
Each action includes a severity indicator and links directly to the relevant section of the agent detail page where you can take corrective action.