Firstly, we categorize our findings into three security best practice areas: insufficient hardening, missing patching and unnecessary exposure.  

Then, we classify the vulnerabilities based on severity and business impact: 

+ Severity 4: Instantly exploitable vulnerabilities 

+ Severity 3: Exploit fragment that can be used to craft a successful attack 

+ Severity 2: Vulnerability that may reveal sensitive information to enable further attackers 

+ Severity 1: Best practice deviation 

Afterwards, we use a proprietary formula to calculate the Hackability Score per finding type. 

Finally, we calculate the absolute Hackability Score which is the sum of the individual Hackability across all assets. Then, we normalize this Hackability Score based on the number of exposed services to compare organizations within industries.