What does a score of 0 mean?

A score of 0 means severe exposure detected across multiple surfaces. This doesn't mean your business has been breached — it means there are critical security gaps that should be addressed immediately.

Above 70 is good — it means low exposure with room for improvement. Above 90 is excellent. Below 40 needs immediate attention.

How often should I re-scan?

At least monthly. Employee turnover, new AI tool adoption, and configuration changes can all affect your score. Growth plan users can set up automated daily scans.

Why did my score change?

Scores change when: you fix findings (score goes up), new breaches are discovered (score goes down), you connect new integrations (score may go down as new surfaces are scanned), or employee behaviour changes.

Understanding Your Exposure Score

How your 0–100 exposure score is calculated across five attack surfaces.

7 April 2026·5 min read

What the score means

Your exposure score runs from 0 (severe exposure across multiple surfaces) to 100 (no detectable exposure). It's calculated as a weighted average of five surface scores.

The score is not a security rating — it's an exposure indicator. A low score means your business data is more accessible to unauthorised parties than it should be.

How it's calculated

Each surface is scored independently (0–100), then combined using these weights:

File Sharing: 30% — publicly shared files, external access grants
Credentials: 25% — employee emails found in breach databases
AI Tool Access: 25% — shadow AI tools with OAuth access to company data
Email Security: 10% — SPF, DKIM, DMARC configuration
External Surface: 10% — subdomains, SSL certificates, DNS

Within each surface, findings are weighted by severity: critical findings have 10× the impact of low findings.

Severity levels

Critical: immediate action required — breached credentials with recent exposure, publicly shared sensitive files, or missing email authentication allowing spoofing
High: address this week — older breached credentials, broad OAuth scopes on AI tools, or weak email security configuration
Medium: address this month — external shares without expiry, medium-risk AI tool access, or partial email security
Low: address when convenient — informational findings, minor configuration improvements

Correlated risks

Governably connects findings across surfaces to identify compound risks. For example:

An employee with breached credentials who also granted an AI tool access to company files
No DMARC policy combined with breached employee emails (high phishing risk)
A publicly shared file owned by an employee with breached credentials

Correlated risks are typically rated one severity level higher than their individual components.

Improving your score

Fix critical findings first: use the remediation plan (Starter plan) for prioritised steps with direct admin console links
Connect more integrations: scanning all five surfaces gives you a complete picture
Govern your AI tools: approve, flag, or block discovered tools (Growth plan)
Re-scan regularly: monthly at minimum, weekly for active remediation