High score = bad, low score = good
Your overall risk rating is created from a vulnerability score and a threat score. Your vulnerability score is based on an external view of the company’s attack surface. This is all publicly available information. We do not pen-test your systems, or access any internal information.
The vulnerability score is made up of the following factors:
- Critical unpatched vulnerabilities present: Critical CVEs are flagged on the report as a Critical Infrastructure Vulnerability and have a greater impact on the score
- Unpatched vulnerabilities present
- Open ports: We detect any/all discoverable open ports.
- Email security: We detect SPF and DMARC settings, or their absence.
- Database instances: We detect any open ports suspected to be database instances, which are an attractive target for threat actors to perform credential stuffing.
- Possible remote desktop access: We detect any open ports suspected to be remote-desktop applications, which would represent an attractive target for threat actors.
- Expired Certificates: Instances where the proper SSL certificate has expired.
- Breached Credentials: Any email credentials detected in publicly available data breaches online.
These factors are weighted depending on how severe they are. Orpheus bases that weighting on threat actor activity and so the way we calculate the score may change if we notice a change in threat actor tactics.
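As an added illustration of the email security factor listed above (not Orpheus's own tooling), the following Python checks a domain for the two records that factor looks for, SPF on the domain and DMARC at `_dmarc.<domain>`, and reports what each one actually enforces. DNS is replaced by a constructed in-memory zone so it runs offline; a real check would pass a TXT resolver in place of `lookup_txt`.

```python
import re
from typing import Callable, Dict, List

# Constructed sample zone standing in for DNS TXT answers: one domain with
# SPF and an enforcing DMARC policy, one with a permissive SPF and no DMARC.
SAMPLE_TXT: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 +all", "site-verification=abc123"],
}

def lookup_txt(name: str) -> List[str]:
    """Stand-in resolver: returns the TXT strings for a name, [] if none."""
    return SAMPLE_TXT.get(name.lower(), [])

def check_email_security(domain: str,
                         resolve: Callable[[str], List[str]] = lookup_txt) -> Dict[str, object]:
    """Report SPF/DMARC presence and the policy each one actually enforces."""
    issues: List[str] = []
    spf = [r for r in resolve(domain) if r.lower().startswith("v=spf1")]
    if len(spf) > 1:  # RFC 7208: more than one SPF record is a permanent error
        issues.append("multiple SPF records (invalid, treated as absent)")
        spf = []
    dmarc = [r for r in resolve(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    result: Dict[str, object] = {"domain": domain, "spf_present": bool(spf),
                                 "spf_all": None, "dmarc_present": bool(dmarc),
                                 "dmarc_policy": None, "issues": issues}
    if spf:
        # The qualifier on the "all" mechanism decides what happens to unlisted senders.
        m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf[0])
        result["spf_all"] = (m.group(1) or "+") + "all" if m else None
        if result["spf_all"] == "+all":
            issues.append("SPF ends in +all: any host may send as this domain")
        elif result["spf_all"] is None:
            issues.append("SPF record has no 'all' mechanism")
    else:
        issues.append("no SPF record")
    if dmarc:
        m = re.search(r"\bp=(none|quarantine|reject)\b", dmarc[0], re.I)
        result["dmarc_policy"] = m.group(1).lower() if m else None
        if result["dmarc_policy"] == "none":
            issues.append("DMARC p=none: spoofed mail is reported but not blocked")
    else:
        issues.append("no DMARC record")
    return result
```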