Melurna Risk Score Guide
By Melurna
(Version 1.1 – for external use)
1. How the scoring scale works
| Score Band | Name* | What it means at a glance |
| --- | --- | --- |
| 521 – 600 | Elite | World-class posture, only fine-tuning needed |
| 481 – 520 | Strong | Solid controls; review minor gaps |
| 361 – 480 | Average | Okay; improvement recommended |
| 281 – 360 | Caution | Cautious risk exposure; prompt remediation |
| 90 – 280 | Critical | High risk; immediate action required |
All five component scores and the overall score use the same 90-600 range, so customers can compare them directly. The Overall Risk Score is the simple average of the five component scores described below.
2. Component Scores
| Component | What it measures | Key drivers that raise or lower the score |
| --- | --- | --- |
| Network Security | The trustworthiness of IP addresses and networks your web or mobile properties communicate with. | • Volume of low-, medium-, high- and very-high-risk IPs |
| | | • ASN exposure (risky networks) |
| | | • Ratio of first-party vs. third-party IPs |
| Availability (Business Continuity) | How reliably your digital services respond without errors. | • Uptime percentage |
| Compliance | Alignment of your data handling with privacy & security obligations. | • How often PII, CPD, HSD, etc. traverse borders |
| | | • Contacts with medium / high-risk IPs |
| | | • Use of non-standard ports, plain HTTP, or non-443/80 traffic |
| Geographical Risk | The degree to which sensitive data leaves its country of origin. | • Cross-border transmissions of PII and other sensitive data |
| Data Security | Volume and sensitivity of data collected and disclosed. | • Counts of each data class collected |
| | | • How often each class is sent to third parties |
3. Interpreting the Overall Risk Score
- Elite (521–600): Benchmark performance. Maintain controls and monitor for drift.
- Strong (481–520): Good posture with isolated weaknesses; address them for Elite status.
- Moderate (361–480): Balanced risks; prioritize improvements in the lowest-scoring components.
- Caution (281–360): Noticeable exposure. Develop a remediation roadmap and track progress.
- Critical (90–280): Elevated likelihood of breach, downtime, or non-compliance. Immediate, cross-functional response recommended.
4. Why the scores matter
- At-a-glance risk communication for executives and boards.
- Prioritized remediation by pinpointing which component drags the total score down.
- Benchmarking over time—see how policy or architecture changes move the needle.
- Third-party oversight—compare your posture with vendors and partners using the same scale.
5. Frequently asked questions
- Why 90–600?
We are working on adjusting the scoring. The range provides enough resolution for meaningful changes while aligning to scoring familiar to many stakeholders.
- Does a single bad component always tank the Total Score?
Because the Total is an average, one severely low component will pull the overall score down—but it also highlights exactly where to act first.
- How often are scores updated?
Scores refresh each time a new scan is ingested, ensuring they reflect the most current data flows and infrastructure state.