Understanding Score and Severity


ControlUp for Compliance uses a security scoring system to help you identify trends in your environment and high-risk issues to address. Scores range from 0 to 10 (higher is better).

  • Organization score - On the Overview dashboard, you can see the overall security score for your environment as a whole. This score is based on all the other scores listed below.

  • Issue score - An issue’s score is based on:

    • The number of devices affected by the issue.

    • The issue severity. The severity of each issue is determined using external resources and our own assessment. For example, compliance issues such as missing antivirus software typically have a higher severity (causing a lower security score) than vulnerabilities (CVEs).

  • Device score - A device’s score is based on:

    • The number of issues detected on the device, and the severity of each issue.

    • The attack surface exposed by the issues. For example, a device’s score will be lower if there are 10 issues affecting 10 different applications than if there are 10 issues affecting a single application.

  • User score - A user’s score is based on:

    • The device score of the devices they use.

    • The security of the applications they access (available only if User Risk Analytics is enabled).

    • The authentication methods used to access applications (available only if User Risk Analytics is enabled).

  • Application score - An application’s score is based on:

    • The number of different versions affected by an issue.

    • The number of devices with the application installed.

    • The severity of the application’s issues.

Notes

  • Scores can change even when you don’t actively change anything. For example, a Template might detect a newly published CVE affecting already installed applications, lowering your security score.

  • When an issue is remediated, the security score might not change until the next time the Template runs a verification scan to confirm that the fix is successful.

  • Missing application patches with no known CVEs do not contribute to the security score, because there is no known risk in using the older version.
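To make the ordering rules above concrete (issue score falling with device count and severity, device score falling as issues spread across more applications, no-CVE patches contributing nothing), here is a hypothetical scoring model added as an illustration. It is not ControlUp's actual formula: the severity scale, the spread multiplier, the organization average and the sample issues are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    name: str
    application: str
    severity: float          # assumed scale: 0.0 (negligible) .. 1.0 (critical)
    known_risk: bool = True  # False for a missing patch with no known CVE


def issue_score(severity: float, devices_affected: int, total_devices: int) -> float:
    """Hypothetical issue score: 10 minus a penalty that grows with severity
    and with the fraction of the fleet the issue affects."""
    if total_devices <= 0 or not 0 <= devices_affected <= total_devices:
        raise ValueError("device counts out of range")
    share = devices_affected / total_devices
    return round(10 * (1 - severity * share), 2)


def device_score(issues: list[Issue]) -> float:
    """Hypothetical device score: severities add up, and the sum is amplified
    when issues spread across more distinct applications (larger attack
    surface), so 10 issues in 10 apps score below 10 issues in one app."""
    scored = [i for i in issues if i.known_risk]  # no-CVE patches contribute nothing
    if not scored:
        return 10.0
    total_severity = sum(i.severity for i in scored)
    distinct_apps = len({i.application for i in scored})
    spread = 1 + 0.1 * (distinct_apps - 1)  # assumed attack-surface multiplier
    penalty = min(10.0, total_severity * spread)
    return round(10 - penalty, 2)


def organization_score(device_scores: list[float]) -> float:
    """Hypothetical organization score: plain mean of the device scores."""
    if not device_scores:
        return 10.0
    return round(sum(device_scores) / len(device_scores), 2)


# Constructed sample data, not taken from any real environment.
ONE_APP = [Issue(f"issue-{n}", "browser", 0.4) for n in range(10)]
TEN_APPS = [Issue(f"issue-{n}", f"app{n}", 0.4) for n in range(10)]
PATCH_ONLY = [Issue("older build, no CVE", "viewer", 0.4, known_risk=False)]

if __name__ == "__main__":
    print(device_score(ONE_APP), device_score(TEN_APPS), device_score(PATCH_ONLY))
```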