Risk Scoring - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Learn about Cortex Xpanse risk scores and how they are calculated.

In Cortex Xpanse Expander you can prioritize incidents and quantify your organization's risk trends using risk scoring. By default, Expander assigns a base risk score (called the Xpanse Risk Score) to every incident. Expander calculates this risk score using the threat and exploit intelligence relevant to the CVEs on the related service or website (based on active classifications or web technologies) for an incident. When the alerts change (for example, if an alert is resolved or a new alert is created) or if the underlying risks change, Expander recalculates and updates the risk score .

The Xpanse Risk Score calculation is based on a number of factors, including the following:

  • The EPSS and CVSS scores of the inferred CVEs on the related service or website

  • Whether the inferred CVEs were weaponized or exploited in the wild

  • How recently the inferred CVEs were exploited

  • The presence of these Risk Factors

  • Attack surface test results—"Confirmed Vulnerable" attack surface test results associated with an incident increase the risk score. Negative attack surface test results on one or more alerts associated with an incident are removed from the calculation of an incident's risk.

In addition to the Xpanse Risk Score that is assigned to each incident, you can also create custom risk-scoring rules that adjust the Xpanse Risk Score or manually assign a risk score. These flexible approaches to risk scoring enable you to prioritize incidents based on the specific requirements of your organization. See Customize Risk Scoring for instructions on how to enable or disable Xpanse Risk Scoring, how to create or edit custom User Scoring Rules, or how to manually assign a risk score.

The risk score is displayed on the Incidents page in the Incidents list and in the incident details pane. Click on the score to open the Manage Risk Score dialog box, where you can view the User Scoring Rules for this incident or set the risk score manually.


By default, the incident list is sorted by risk score, and you can also filter incidents on risk score.

Incident Risk Details

Expander provides detailed information about the risks associated with an incident on the Risk tab of the incident details pane. The Risk Details section includes information about the top three inferred CVEs impacting the risk score and a listing of the Risk Factors associated with the alerts in the incident.