External Risk Confidence Score
The External Risk Confidence Score (ERCS) in cybersecurity is a metric used to systematically assess the reliability and verified severity of threat intelligence and risk findings gathered from outside an organization's network, such as the open internet, the deep web, or third-party reports. It is a layer of metadata applied to a risk finding to help security teams prioritize their response, not just on the potential impact of a vulnerability, but also on the certainty that the vulnerability is real, exploitable, and associated with a malicious entity.
Purpose and Rationale
The primary purpose of the ERCS is to combat alert fatigue and improve the efficiency of security operations by ensuring teams focus on highly validated external risks.
Prioritization: It moves a security team beyond simply prioritizing based on CVSS (vulnerability severity) to prioritizing based on certainty of malicious intent or exploitability. A high ERCS means the threat is likely credible and requires immediate action.
Validation: It provides a mechanism to confirm whether an external finding—such as a leaked credential or a reported open port—is a genuine exposure or a false positive generated by a monitoring system.
Components of an ERCS
An effective ERCS is derived from a weighted analysis of multiple, converging data points that validate the existence and severity of the external risk. Key components typically include:
1. Source Credibility
This factor assesses the reliability of the intelligence source itself.
High Confidence: Intelligence sourced from known, verified security researchers, government agencies, or proprietary, proven dark web monitoring feeds.
Low Confidence: Information sourced from unverified social media chatter, questionable public forums, or ambiguous dark web mentions.
2. Corroboration (Converging Evidence)
This measures the number of distinct, independent findings that point to the same risk.
High Confidence: A public-facing server showing a critical vulnerability that is also listed as known-exploited (such as a KEV listing), plus an exposed credential linked to that server found on a dark web forum. Multiple sources validate the same risk.
Low Confidence: A single, isolated finding, such as an internal system reporting a potential weak configuration that has no external proof or public mention.
3. Exploitability and Confirmation
This factor is the most technical and directly addresses the likelihood of attack.
High Confidence: Confirmation that a known Proof-of-Concept (PoC) exploit exists for the identified vulnerability, or a malicious domain has an active Mail Exchange (MX) record, confirming its setup for phishing.
Low Confidence: A theoretical vulnerability that lacks active exploit code or real-world use.
4. Recency
The age of the finding matters, as older information is less reliable.
High Confidence: A vulnerability or compromised credential discovered within the last 48 hours.
Low Confidence: A credential found in a data dump that is several years old.
The final ERCS is often presented as a numerical score or a simple tiered rating (High, Medium, Low) that accompanies the risk finding in reports, guiding the user on how much faith to place in the discovery.
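A worked example of turning the four components above into a numerical score and a High/Medium/Low tier, added here as illustration; it is not ThreatNG's scoring logic, and the weights, the credibility table, the linear recency decay and the 75/40 tier cut-offs are assumptions chosen to show the idea (the "low NVD score, high EPSS, verified PoC" scenario discussed later on this page is one of the cases it handles).

```python
# Illustrative ERCS calculation added to this page (not ThreatNG's own logic).
# Weights, credibility values, decay curve and tier cut-offs are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
# Assumed weights for the four ERCS components (they sum to 1.0).
WEIGHTS = {"source": 0.20, "corroboration": 0.25, "exploitability": 0.40, "recency": 0.15}
# Assumed credibility per source class, 0.0 (unverified chatter) to 1.0.
CREDIBILITY = {"government": 1.0, "verified_researcher": 1.0, "dark_web_feed": 0.9,
               "public_forum": 0.4, "social_media": 0.2, "unverified": 0.1}

def utc(day):
    # Build a timezone-aware timestamp from a "YYYY-MM-DD" string.
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

@dataclass
class Finding:
    sources: list          # classes of source reporting the finding
    evidence: set          # distinct, independent findings pointing at the same risk
    observed_at: datetime  # when the finding was first seen
    cvss: float            # severity: deliberately NOT an input to the confidence score
    epss: float = 0.0      # EPSS probability of exploitation
    in_kev: bool = False   # listed in the CISA KEV catalogue
    verified_poc: bool = False

def source_credibility(f):
    # The most credible source reporting the finding sets the trust level.
    return max(CREDIBILITY.get(s, 0.1) for s in f.sources)

def corroboration(f):
    # Three independent converging findings count as fully corroborated.
    return min(len(f.evidence), 3) / 3

def exploitability(f):
    # KEV + verified PoC is near-certain; either alone is strong; else use EPSS.
    if f.in_kev and f.verified_poc:
        return 1.0
    return 0.8 if (f.in_kev or f.verified_poc) else f.epss

def recency(f, now):
    # Full confidence inside 48 hours, decaying linearly to zero over a year.
    age_days = (now - f.observed_at).total_seconds() / 86400
    return 1.0 if age_days <= 2 else max(0.0, 1 - (age_days - 2) / 365)

def ercs(f, now):
    # Weighted sum of the four components, scaled to 0-100 and tiered.
    parts = {"source": source_credibility(f), "corroboration": corroboration(f),
             "exploitability": exploitability(f), "recency": recency(f, now)}
    score = 100 * sum(WEIGHTS[k] * v for k, v in parts.items())
    tier = "High" if score >= 75 else "Medium" if score >= 40 else "Low"
    return round(score, 1), tier
```

Note that the CVSS value is carried on the finding but never enters the score: severity and confidence are kept separate so that a low-CVSS but actively exploited issue can still be prioritized.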
ThreatNG is uniquely positioned to calculate and provide the necessary inputs for an External Risk Confidence Score (ERCS) by converging multiple external threat intelligence sources and validation checks. It moves beyond raw data to provide verified, actionable risk context, the essence of an ERCS.
Building the ERCS with ThreatNG
ThreatNG's capabilities directly map to the core components required to establish a high ERCS: source credibility, corroboration, exploitability, and recency.
External Discovery and Continuous Monitoring
ThreatNG performs purely external, unauthenticated discovery and continuous monitoring, providing the initial, foundational data stream for an ERCS by tracking the external attack surface.
Example of ThreatNG Helping (Recency): ThreatNG's Continuous Monitoring detects the sudden appearance of a new, unknown asset, such as an exposed IP address or a new subdomain with an exposed port, via Subdomains intelligence. The recency of this discovery is a direct, positive factor in the ERCS, signaling an active change in the attack surface that warrants immediate attention.
External Assessment (Security Ratings)
The security ratings act as high-level ERCS proxies, while the underlying findings provide the specific evidence for corroboration.
Cyber Risk Exposure Security Rating: This rating is based on converging evidence across multiple domains, increasing confidence in the risk finding.
Detailed Example (Corroboration): A finding that contributes to the Cyber Risk Exposure rating, such as a missing DMARC and SPF record, is corroborated by another finding of Compromised Credentials. The simultaneous discovery of both a weak defense mechanism and evidence of active credential exposure provides multiple converging data points, resulting in a higher ERCS for the overall risk profile.
Breach & Ransomware Susceptibility Security Rating: This rating assesses the severity and threat actor involvement, which affect source credibility and exploitability.
Detailed Example (Corroboration and Exploitability): The rating is derived from Ransomware Events and Exposed Ports findings on subdomains. The discovery of an exposed port is corroborated by intelligence linking it to a known Ransomware Event. This convergence of a technical finding with a threat actor event automatically boosts the ERCS, confirming the high likelihood of an active, targeted threat.
Investigation Modules
The investigation modules are key to establishing the ERCS through Exploitability and Confirmation by linking vulnerabilities to direct proof.
Known Vulnerabilities: ThreatNG explicitly cross-references discovered assets and technologies with its intelligence repository, integrating multiple sources to validate risk.
Detailed Example (Exploitability/Confirmation): An investigation confirms a discovered vulnerability by simultaneously referencing NVD (for technical details), KEV (to confirm active exploitation), EPSS (to predict future likelihood), and verified Proof-of-Concept Exploits. The existence of an active KEV listing and a verified PoC Exploit linked to the finding drives the ERCS to the highest level, signaling a near-certain, immediate threat.
Sensitive Code Exposure: This module directly confirms the exposure of sensitive, high-value secrets, which validates the risk.
Detailed Example (Corroboration and Exploitability): The discovery of a GitHub Access Token or AWS Secret Access Key within a public repository via Code Repository Exposure gives a finding a high ERCS. The discovery is not a mere theoretical flaw; it is a confirmed, actionable secret that can be immediately used for lateral movement or data exfiltration.
Intelligence Repositories
The DarCache repositories provide the validated, high-credibility intelligence sources required for a strong ERCS.
DarCache Vulnerability (KEV/EPSS/PoC): This repository serves as a central repository for the exploitability component of the ERCS.
Example of ThreatNG Helping (Exploitability): If a vulnerability has a low NVD score but a high EPSS score (a probabilistic estimate of the likelihood of exploitation) and a Verified Proof-of-Concept (PoC) Exploit, the risk finding receives a dramatically higher ERCS. This allows the security team to prioritize a vulnerability based on its confirmed real-world threat, not just its theoretical technical score.
DarCache Ransomware: The source credibility component of the ERCS is enhanced when a finding is linked to a tracked ransomware group.
Example of ThreatNG Helping (Source Credibility): The discovery of an exposed private IP is given a higher ERCS if DarCache Ransomware intelligence is correlated, indicating the organization is being tracked by one of the over 70 ransomware gangs it follows. The finding transitions from a general vulnerability to an actively managed threat.
Complementary Solutions
ThreatNG's high-confidence, externally validated findings can be cooperatively used with other internal security tools to refine their prioritization.
Security Operations (SOAR) Platforms: ThreatNG generates the high-confidence ERCS, and the SOAR platform executes automated response workflows based on that score.
Example of ThreatNG and Complementary Solutions: ThreatNG detects a Compromised Credential and verifies it has an extremely high ERCS because the credential is fresh (Recency) and is being actively discussed on a verified DarCache Dark Web forum (Corroboration/Source Credibility). This high-ERCS finding is sent to the SOAR platform, which automatically skips standard triage steps and executes an immediate, high-priority workflow to force a password reset and block the user's access, saving valuable time.
Vulnerability and Risk Management (VRM) Tools: ThreatNG complements internal scanners by validating external exploitability, which the internal tools cannot achieve.
Example of ThreatNG and Complementary Solutions: An internal VRM tool flags a high volume of vulnerabilities. ThreatNG compares those vulnerabilities against its intelligence. Suppose ThreatNG determines a specific vulnerability has a high ERCS due to a KEV match. In that case, this ERCS is pushed to the VRM tool, overriding the internal risk score and prioritizing the remediation of that specific, externally confirmed, exploitable vulnerability.