S4E categorizes every finding into one of five severity levels. Severity helps you prioritize remediation efforts by focusing on the issues that pose the greatest risk to your organization.
Severity Scale
| Level | CVSS Range | Color | Description |
|---|---|---|---|
| Critical | 9.0 -- 10.0 | Purple | Immediate exploitation risk. Can lead to full system compromise. |
| High | 7.0 -- 8.9 | Red | Significant risk. Exploitation is likely and impact is severe. |
| Medium | 4.0 -- 6.9 | Orange | Moderate risk. Exploitation requires specific conditions. |
| Low | 2.1 -- 3.9 | Green | Minor risk. Limited impact or difficult to exploit. |
| Info | 0.0 -- 2.0 | Blue | Informational. No direct security impact but worth awareness. |
Critical Severity
Critical findings represent vulnerabilities that can be exploited immediately with severe consequences.
Characteristics:
- Remote code execution (RCE).
- Authentication bypass affecting all users.
- SQL injection with data exfiltration potential.
- Known actively exploited CVEs (CISA KEV listed).
- Default or publicly known credentials on production systems.
Expected response time: Immediate. Begin remediation within hours.
Warning
Critical findings should trigger your incident response process. Consider taking affected systems offline if exploitation is imminent.
High Severity
High-severity findings represent serious vulnerabilities that are likely to be exploited.
Characteristics:
- Cross-site scripting (XSS) with session hijacking potential.
- Server-side request forgery (SSRF).
- Insecure deserialization.
- Privilege escalation vulnerabilities.
- Exposed sensitive data (API keys, credentials in source code).
Expected response time: Within 24--72 hours.
Medium Severity
Medium-severity findings are exploitable under certain conditions or have a limited blast radius.
Characteristics:
- Missing security headers (HSTS, CSP, X-Frame-Options).
- Verbose error messages disclosing internal information.
- Directory listing enabled.
- Outdated software with known but non-critical vulnerabilities.
- Weak TLS cipher suites.
Expected response time: Within 1--2 weeks.
Low Severity
Low-severity findings have minimal security impact or are difficult to exploit in practice.
Characteristics:
- Information disclosure with limited value.
- Minor cookie configuration issues (missing SameSite attribute).
- Non-standard HTTP methods enabled.
- Deprecated protocol support.
Expected response time: Within 30 days or next maintenance window.
Info
Informational findings carry no direct security risk but may be relevant for security awareness or best practices.
Characteristics:
- Technology version disclosure.
- DNS configuration recommendations.
- Performance-related observations.
- Best practice suggestions.
Expected response time: Address at your discretion.
CVSS Scoring
S4E uses the Common Vulnerability Scoring System (CVSS) v3.1 standard to calculate numeric scores. CVSS evaluates vulnerabilities across three metric groups:
Base Metrics
| Metric | Measures |
|---|---|
| Attack Vector (AV) | How the vulnerability is exploited (Network, Adjacent, Local, Physical) |
| Attack Complexity (AC) | Conditions required for exploitation (Low, High) |
| Privileges Required (PR) | Authentication level needed (None, Low, High) |
| User Interaction (UI) | Whether user action is needed (None, Required) |
| Scope (S) | Whether the impact extends beyond the vulnerable component |
| Confidentiality (C) | Impact on data confidentiality (None, Low, High) |
| Integrity (I) | Impact on data integrity (None, Low, High) |
| Availability (A) | Impact on system availability (None, Low, High) |
Environmental Adjustments
S4E adjusts CVSS scores based on your asset context:
- Asset criticality -- Critical assets receive a score boost.
- Exposure -- Internet-facing assets score higher than internal ones.
- Compensating controls -- Known mitigations can adjust the effective score.
Severity in Security Scoring
The aggregate security score for an asset is influenced by:
- The count and severity of open findings.
- The age of unresolved findings (older findings weigh more heavily).
- Asset criticality level.
- Whether findings have known exploits in the wild.
What's Next?
- Understanding Findings -- Full anatomy of a finding.
- Finding Status -- Track findings through their lifecycle.
- Managing False Positives -- Handle incorrect detections.