Security Score

Every audit produces a security score — a letter grade (A+ through F) that summarizes the engagement at a glance. The score is what executives, auditors, and dashboards see first.

How it’s calculated

Each audit starts at a perfect 100. Each finding deducts points according to its severity:

| Severity | Deduction |
| --- | --- |
| Critical | −30 points |
| High | −15 points |
| Medium | −8 points |
| Low | −3 points |
| Informational | 0 points |

The final numeric score maps to a letter grade:

| Score | Grade |
| --- | --- |
| 97–100 | A+ |
| 93–96 | A |
| 90–92 | A− |
| 87–89 | B+ |
| 83–86 | B |
| 80–82 | B− |
| 77–79 | C+ |
| 73–76 | C |
| 70–72 | C− |
| 60–69 | D |
| 0–59 | F |

The score floor is 0 — multiple criticals don’t push it negative.

Example calculations

| Findings | Score | Grade |
| --- | --- | --- |
| 0 findings | 100 | A+ |
| 3 Medium, 2 Low | 70 | C− |
| 1 High, 4 Medium, 6 Low | 35 | F |
| 2 Critical, 1 High | 25 | F |
| 5 Low | 85 | B |

What the score is and isn’t

The score is good for:
  • One-line summaries in dashboards, Slack notifications, and PDF covers
  • Trend tracking across recurring audits
  • Risk-tier classification across many workspaces (MSSP use case)
The score is not:
  • A substitute for reading the findings
  • A measure of total risk (one critical finding can be catastrophic regardless of score)
  • A comparison metric between different products (an A on one app doesn’t mean it’s “more secure” than a B on another with a different surface)

Score in the API

The score is returned with every audit:
{
  "audit": {
    "id": "audit_abc123",
    "status": "completed",
    "score": 65,
    "grade": "D",
    "findingCount": 14,
    "severityBreakdown": {
      "critical": 1,
      "high": 2,
      "medium": 4,
      "low": 6,
      "informational": 1
    }
  }
}

Tracking over time

The workspace dashboard plots score trend across all audits run against the workspace. Use this to:
  • Verify remediation progress sprint over sprint
  • Detect regressions when new releases introduce findings
  • Demonstrate continuous improvement to stakeholders
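
The scoring rules, the API fields and the trend checks above, as an added Python example (not the product's own code). It shows why a gate or trend check should read severityBreakdown as well as the score: a single critical finding still scores 70. The function names, the min_score=70 threshold and the audit records are assumptions constructed for illustration.

```python
DEDUCTIONS = {"critical": 30, "high": 15, "medium": 8, "low": 3, "informational": 0}
# (lowest score, grade) rows of the grade table; "\u2212" is the minus sign the
# table prints (how the API encodes it is an assumption).
GRADES = [(97, "A+"), (93, "A"), (90, "A\u2212"), (87, "B+"), (83, "B"),
          (80, "B\u2212"), (77, "C+"), (73, "C"), (70, "C\u2212"), (60, "D"), (0, "F")]


def compute_score(breakdown):
    """Start at 100, subtract the per-finding deductions, floor at 0."""
    total = sum(DEDUCTIONS[sev] * count for sev, count in breakdown.items())
    return max(0, 100 - total)


def grade_for(score):
    """Map a numeric score (0-100) to its letter grade."""
    return next(grade for floor, grade in GRADES if score >= floor)


def gate(audit, min_score=70, blocking=("critical",)):
    """Reasons to fail a release gate; an empty list means pass."""
    reasons = []
    if audit["score"] < min_score:
        reasons.append(f"score {audit['score']} below {min_score}")
    for sev in blocking:
        count = audit["severityBreakdown"].get(sev, 0)
        if count:
            reasons.append(f"{count} {sev} finding(s)")
    return reasons


def regressions(history, watched=("critical", "high")):
    """Compare consecutive audits; report score drops and new watched findings."""
    out = []
    for prev, cur in zip(history, history[1:]):
        if cur["score"] < prev["score"]:
            out.append((cur["id"], "score dropped"))
        for sev in watched:
            if cur["severityBreakdown"].get(sev, 0) > prev["severityBreakdown"].get(sev, 0):
                out.append((cur["id"], f"new {sev}"))
    return out


def make_audit(audit_id, **counts):
    """Build a constructed audit record in the shape of the API response."""
    score = compute_score(counts)
    return {"id": audit_id, "score": score, "grade": grade_for(score),
            "severityBreakdown": counts}


# Constructed history: the score rises from 68 to 70 while a critical appears.
HISTORY = [make_audit("audit_1", medium=4), make_audit("audit_2", critical=1)]
```

On the constructed history, a score-only trend shows improvement, while regressions() flags the new critical and gate() blocks the second audit.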