What score indicates a serious risk?

Scores above 7.0 indicate findings that pose a real risk of business harm — customer data exposure, regulatory breach, or significant service disruption. Scores above 9.0 indicate critical findings that warrant immediate remediation. Scores below 4.0 indicate lower-priority findings that can be addressed in routine maintenance cycles.

Is the Business Impact Score the same as CVSS?

No. CVSS scores a vulnerability's inherent technical severity in isolation. The Business Impact Score contextualises severity against your specific infrastructure: how critical is the affected asset, what data is at risk, what compliance controls are affected, and how does this finding relate to other findings in your environment. A high CVSS finding on a non-critical asset may have a lower BIS than a medium CVSS finding on a customer-facing authentication service.

Feature

Business Impact Score: Risk in Language a Founder Can Act On

Q: What is a Business Impact Score?

A Business Impact Score (BIS) is a 0–10 rating that translates the technical severity of a vulnerability finding into a business risk assessment. Unlike CVSS, which scores vulnerabilities in isolation, the BIS accounts for asset criticality, data exposure risk, compliance impact, and the specific context of your infrastructure.

Quick Answer: VeilScan's Business Impact Score (BIS) is a 0–10 rating per finding and per scan that translates technical severity into business risk. It weights technical severity, asset criticality, data exposure risk, compliance impact, and attack path context. Scores above 7.0 indicate real risk of business harm. The BIS is designed for CTOs and founders — not security analysts.

Why is CVSS not enough for business decision-making?

CVSS (Common Vulnerability Scoring System) rates the inherent severity of a vulnerability independent of context. A CVSS 9.8 finding sounds alarming — but if it is on a test server that does not handle customer data, the actual business risk may be low. A CVSS 5.0 finding on a customer-facing authentication endpoint that handles payment data may be far more dangerous in practice.

CVSS scores were designed for security analysts who can layer context on top of the number. A CTO or founder reading a list of CVSS scores without that expertise cannot make reliable prioritisation decisions.

How is the Business Impact Score calculated?

The BIS is calculated by weighting four factors:

Technical severity — the underlying CVSS score or equivalent severity assessment of the vulnerability type
Asset criticality — the importance of the affected asset: customer-facing production services score higher than test subdomains or internal tooling
Data exposure risk — whether the finding could expose personally identifiable information, credentials, payment data, or trade secrets
Compliance impact — whether the finding affects specific controls in ISO 27001, SOC 2, GDPR Article 32, PCI DSS, or Cyber Essentials

When a finding is part of an attack path, the BIS is also adjusted upward to reflect the amplified risk of the chain as a whole.

What do the BIS ranges mean?

8.0–10.0 — Immediate action required: findings that pose a direct, confirmed risk of customer data exposure, regulatory breach, or significant service disruption
6.0–7.9 — Fix in current sprint: findings with meaningful business risk that should be addressed in the near term
4.0–5.9 — Schedule for remediation: findings that carry some risk but can be addressed in regular maintenance cycles
0–3.9 — Monitor and log: informational findings and low-priority misconfigurations with minimal business impact

How does the BIS help with board reporting?

The scan-level BIS (the overall score for your entire scan) is designed for board and executive communication. A single number from 0 to 10 — with clear language about what it means — is easier to communicate than a list of CVSS scores.

Each PDF report includes the BIS prominently in the executive summary. Delta reports show the BIS trend over time: whether your security posture is improving (BIS decreasing) or degrading (BIS increasing). This gives boards and investors a clear, auditable record of security improvement.

See: What is a Business Impact Score? · What is a CVSS Score? · PDF Reports feature

What are the most common questions?

Is the Business Impact Score available on the free plan?

The free plan includes a Business Impact Score preview — the overall scan BIS is visible. Individual per-finding BIS scores for Critical and High findings are locked until you upgrade. Medium and Low findings include their BIS on the free plan. See all plans.

Can I dispute a Business Impact Score?

If you believe a BIS is inaccurate for your specific environment — for example, if the affected asset is a decommissioned test server — contact support@veilscan.net with your scan ID and the finding in question. The BIS is a risk indicator, not a compliance assertion, and context you provide may lead to a revised assessment.

How does the BIS change between scans?

Each scheduled rescan calculates a fresh BIS for the full domain. Delta reports show the BIS change since the last scan. A decreasing BIS across scans demonstrates measurable security improvement — useful for compliance evidence and board reporting.

See your Business Impact Score. The free scan includes a BIS preview for your domain — no credit card required. Start your free scan → · Back to all features