Explaining Autobahn Security’s Hackability Score

The Hackability Score gives an indication of the effort a hacker would go through when trying to break into your organization.

The higher the score, the more likely it is that an adversary can do harm. The value is updated hourly. For previous days, the chart shows the last value recorded on that day before midnight.

How is the Hackability Score calculated?

First, we categorize our findings into three security best practice areas: insufficient hardening, missing patching, and unnecessary exposure.

Then, we classify the vulnerabilities based on severity and business impact:

  • Severity 4: Instantly exploitable vulnerabilities
  • Severity 3: Exploit fragment that can be used to craft a successful attack
  • Severity 2: Vulnerability that may reveal sensitive information to enable further attacks
  • Severity 1: Best practice deviation

Afterward, we use a proprietary formula to calculate the Hackability Score per finding type.

Finally, we calculate the absolute Hackability Score, which is the sum of the individual Hackability Scores across all assets. We then normalize this score by the number of exposed services so that organizations within industries can be compared. As a last step, we normalize the score further using a specific exponential transformation, which ensures that the final Hackability Score falls within a bounded range of 0 to 100, making it easier to compare across different organizations.

Hackability Score breakdown

The goal is to reach the lowest Hackability Score possible, as this indicates the strongest security.

Here’s a breakdown of the scores and what they mean:

  • World-class (Score < 10): Your security is excellent.
  • Satisfactory (Score 10 – 25): Your security is good, but there’s room for improvement.
  • Needs improvement (Score 26 – 69): Your security has significant gaps that need to be addressed.
  • Unsatisfactory (Score 70): Your security is poor and a major risk.

We recommend aiming for a score lower than 26 to ensure your company’s security is in a satisfactory or world-class state.

What Causes the Score to Go Up?

You can expect the score to go up if you:

  • Mark a workout as “To do”
  • Mark an issue as “Active”
  • Add an asset with an issue of critical, high, or medium severity on it

The score can also go up if the Autobahn Security platform:

  • Marks an issue as “New” or “Resurfaced” after a scan completes
  • Discovers an asset and, after import and scanning, finds an issue of critical, high, or medium severity on it
  • Changes the issue severity classification of a specific issue based on real-time hacking insights (e.g., from low to high)

What Causes the Score to Go Down?

You can expect the score to go down if you:

  • Mark a workout as “Done”
  • Mark an issue as “Remediated,” “Risk accepted,” or “False positive”
  • Add an asset that has no issues on it

The score can also go down if the Autobahn Security platform:

  • Marks an issue as “Remediated” after scanning when certain conditions are met (same scan type, same asset, and asset available/alive)
  • Discovers an asset and, after import and scanning, doesn’t find any issues on it
  • Changes the issue severity classification of a specific issue based on real-time hacking insights (e.g., from high to low)

How Asset Prioritization Affects the Hackability Score

Beyond raw vulnerability data, the Hackability Score is also shaped by how important an asset is to your organization. Two independent prioritization mechanisms — Asset Tag Prioritization and Asset Criticality — act as multipliers on each issue’s contribution to the score. Both are applied separately and their effects compound.

Asset Tag Prioritization

Assets can be assigned multiple tags (e.g., “Database,” “Critical App,” “Web Server”) to reflect their role or context. Each tag carries its own prioritization factor configured per organization.

Because an asset can have several tags simultaneously, their factors are multiplied together to produce a single combined adjustment for that asset. This means the more relevant tags an asset has, the greater the compounding effect each of its issues will have on the Hackability Score.

Example: an asset tagged both “Database” and “Web Server” will have both tag factors multiplied together, amplifying the weight of any issues found on it.

Asset Criticality

Each asset can have a criticality level assigned to it — either manually or via import/integration. The supported levels are, for example: Not set, Moderate, Substantial, and Critical.

Since each asset has only one criticality level at a time, its prioritization factor is applied directly to that asset’s issues — no combination calculation is needed.

The Asset Criticality factor is configured per organization and, once set, automatically influences the Hackability Score recalculation for affected assets.

How the Two Multipliers Work Together

Both the Asset Tag Prioritization and the Asset Criticality Factor are numeric multipliers applied during the Hackability Score calculation. They are independent — one does not replace or override the other. When both are present on an asset, both multipliers are applied, capturing two distinct dimensions of importance:

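|                            | Asset Tag Prioritization    | Asset Criticality Factor           |
|----------------------------|-----------------------------|------------------------------------|
| How many values per asset? | Multiple tags possible      | Single criticality level           |
| How combined?              | Product of all tag factors  | Direct single value                |
| What it reflects           | Functional role and context | Organizational criticality ranking |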

In summary: tag factors are multiplied together because multiple tags can apply simultaneously; the criticality factor is used directly because only one criticality level exists per asset. Both adjustments then compound to determine the final weight of each issue on the Hackability Score.
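The compounding described above can be worked through on a small inventory. This is an added example, not Autobahn Security's code or formula: the severity base points, tag and criticality factor values, the `SCALE` constant, and the form `100 * (1 - exp(-x / SCALE))` chosen for the exponential transformation are all assumptions, since the page keeps the real formula proprietary.

```python
import math

# Every number here is constructed: the per-finding formula and the factor
# values are proprietary / per-organization and do not appear on the page.
SEVERITY_BASE = {1: 1.0, 2: 3.0, 3: 7.0, 4: 15.0}    # assumed base points
TAG_FACTORS = {"Database": 1.5, "Web Server": 1.25}   # assumed tag config
CRITICALITY_FACTORS = {"Not set": 1.0, "Moderate": 1.0,
                       "Substantial": 1.5, "Critical": 2.0}  # assumed
SCALE = 10.0  # assumed constant of the exponential transformation


def asset_multiplier(tags, criticality):
    """Product of all tag factors, times the single criticality factor."""
    tag_part = math.prod(TAG_FACTORS.get(t, 1.0) for t in tags)  # no tags -> 1
    return tag_part * CRITICALITY_FACTORS.get(criticality, 1.0)


def ranked_issues(assets):
    """(asset, severity, weight) for every open issue, heaviest first."""
    rows = [(a["name"], sev,
             SEVERITY_BASE[sev] * asset_multiplier(a["tags"], a["criticality"]))
            for a in assets for sev in a["open_severities"]]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def hackability_score(assets, exposed_services):
    """Sum issue weights, normalize per exposed service, bound to 0..100."""
    if exposed_services <= 0:
        return 0.0
    absolute = sum(weight for _, _, weight in ranked_issues(assets))
    return 100.0 * (1.0 - math.exp(-absolute / exposed_services / SCALE))


# Constructed inventory: a Severity 2 issue on a tagged, Critical database
# and a Severity 3 issue on an untagged asset with no criticality set.
ASSETS = [
    {"name": "db01", "tags": ["Database", "Web Server"],
     "criticality": "Critical", "open_severities": [2]},
    {"name": "kiosk", "tags": [], "criticality": "Not set",
     "open_severities": [3]},
]

if __name__ == "__main__":
    for name, sev, weight in ranked_issues(ASSETS):
        print(f"{name}: severity {sev}, weight {weight:.2f}")
    print(f"score: {hackability_score(ASSETS, exposed_services=5):.1f}")
```

With these assumed factors, the Severity 2 issue on the tagged, Critical database outweighs the Severity 3 issue on the untagged asset, which is the reordering of remediation priority that the two multipliers are meant to produce.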


Tip: Assigning accurate criticality levels to your assets — especially for business-critical systems — ensures the Hackability Score better reflects your organization’s actual risk exposure, helping you prioritize remediation more effectively.