FullHunt Asset Security Score

Introduction

This document provides a comprehensive security evaluation framework for internet-facing assets managed by FullHunt. The FullHunt Asset Security Score methodology systematically identifies high-risk assets that could expose organizations to cyber threats through quantitative risk assessment.

The Asset Security Score Framework is developed and owned by FullHunt.

Asset Score Methodology

Each asset begins with a baseline score of 100 points. The final asset score is calculated by deducting points based on identified security risks and configuration issues according to the criteria outlined below.

Scoring Criteria

Service and Port Configuration:

  • Non-standard Port (-10 points): Services running on non-standard ports may indicate misconfigurations or deliberate obfuscation
  • Non-standard Service (-5 points): Non-standard HTTP/HTTPS/TCP services that deviate from expected implementations

Vulnerability Assessment:

  • Critical Vulnerability (-30 points): Critical-severity vulnerabilities with immediate exploitation potential
  • High Vulnerability (-20 points): High-severity vulnerabilities requiring urgent remediation
  • Medium Vulnerability (-10 points): Medium-severity vulnerabilities with moderate risk exposure
  • Low Vulnerability (-5 points): Low-severity vulnerabilities with minimal direct risk
  • Open Vulnerability (-10 points): Any confirmed open vulnerability regardless of initial severity classification

DNS Configuration Issues:

  • Unknown MX Record (-5 points): Mail exchange records not associated with the primary domain
  • Delegated NS Record (-5 points): Name server records not tied to the primary domain infrastructure
  • Unknown TXT Record (-5 points): Text records without clear association to the primary domain
  • Delegated CNAME Record (-5 points): Canonical name records pointing to external domains

Security Grade Scale

The calculated asset scores are mapped to letter grades providing intuitive risk assessment:

Grade   Score Range   Risk Level
A+      95-100+       Minimal Risk
A       90-94         Low Risk
A-      85-89         Low-Moderate Risk
B+      80-84         Moderate Risk
B       75-79         Moderate-High Risk
C+      70-74         High Risk
C       65-69         High Risk
D       60-64         Very High Risk
F       Below 60      Critical Risk

Implementation Notes

The scoring framework is designed to provide actionable intelligence for security teams to prioritize remediation efforts based on quantified risk exposure.
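
The following is an added worked example of the methodology above, not FullHunt's own code: it applies the listed deductions to a set of findings, maps the result to the grade scale, and returns a per-criterion breakdown for prioritization. The finding-type keys and function name are hypothetical. It assumes each finding deducts separately and that the Open Vulnerability deduction applies in addition to the severity deduction; the page does not specify either.

```python
from collections import Counter

BASELINE = 100

# Points deducted per finding, from the Scoring Criteria section.
# Key names are hypothetical labels chosen for this example.
DEDUCTIONS = {
    "non_standard_port": 10,
    "non_standard_service": 5,
    "critical_vulnerability": 30,
    "high_vulnerability": 20,
    "medium_vulnerability": 10,
    "low_vulnerability": 5,
    "open_vulnerability": 10,
    "unknown_mx_record": 5,
    "delegated_ns_record": 5,
    "unknown_txt_record": 5,
    "delegated_cname_record": 5,
}

# (minimum score, grade, risk level) from the Security Grade Scale, highest first.
GRADES = [
    (95, "A+", "Minimal Risk"), (90, "A", "Low Risk"),
    (85, "A-", "Low-Moderate Risk"), (80, "B+", "Moderate Risk"),
    (75, "B", "Moderate-High Risk"), (70, "C+", "High Risk"),
    (65, "C", "High Risk"), (60, "D", "Very High Risk"),
]


def score_asset(findings):
    """Return (score, grade, risk_level, breakdown) for a list of finding keys."""
    unknown = set(findings) - set(DEDUCTIONS)
    if unknown:
        raise ValueError(f"unrecognised finding types: {sorted(unknown)}")
    # Assumption: every occurrence of a finding deducts its points separately.
    breakdown = {k: n * DEDUCTIONS[k] for k, n in Counter(findings).items()}
    score = BASELINE - sum(breakdown.values())
    for minimum, grade, risk in GRADES:
        if score >= minimum:
            return score, grade, risk, breakdown
    return score, "F", "Critical Risk", breakdown  # anything below 60


# Constructed sample: an open high-severity vulnerability on a non-standard port.
SAMPLE = ["non_standard_port", "high_vulnerability", "open_vulnerability"]
```
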