Destination Breadth
The Destination Breadth factor measures how wide the destination address range is. This factor carries a higher default cap than Source Breadth because destination breadth directly indicates blast radius - the number of hosts an attacker could reach if the flow is exploited.
Default max contribution: 30 points.
Scoring table
| CIDR Prefix | Base Points | With Public IP Bonus (+5) | Example |
|---|---|---|---|
| /0 (any) | 30 (max) | - | 0.0.0.0/0 |
| /1 - /8 | 25 | 30 | 8.0.0.0/8 |
| /9 - /16 | 18 | 23 | 172.16.0.0/16 |
| /17 - /24 | 10 | 15 | 192.168.1.0/24 |
| /25 - /31 | 5 | 10 | 10.0.0.0/28 |
| /32 (host) | 0 | 5 | 8.8.8.8 |
Public IP bonus
A +5 point bonus is added when the destination address is a public IP. The bonus is larger than the source equivalent (+3) because exposing services to or toward public destinations carries greater risk.
The same reserved-range exclusions apply - RFC 1918 private, loopback, link-local, and multicast addresses do not receive the bonus.
Clamping
After adding the public IP bonus, the total is clamped to the factor's maximum (30 by default). For example, a /1 prefix (25 base) with a public IP bonus (+5) reaches exactly 30. A /0 prefix already hits the cap at 30, so no bonus is applied.
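The table, bonus and clamp above combined into one function, as an added example (not the product's own code). The names `destination_breadth`, `base_points`, `is_public` and the `RESERVED` list are illustrative, and the example assumes IPv4 only and treats a destination as public unless it lies wholly inside one of the reserved ranges the page names.

```python
import ipaddress

MAX_POINTS = 30      # default factor cap
PUBLIC_BONUS = 5     # destination-side public IP bonus

# (longest prefix length in the band, base points), taken from the scoring table
BANDS = [(0, 30), (8, 25), (16, 18), (24, 10), (31, 5), (32, 0)]

# Reserved ranges that never receive the bonus (assumed IPv4 expansion of the
# categories listed on the page)
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local
    "224.0.0.0/4",                                    # multicast
)]

def base_points(prefixlen):
    """Map a prefix length to its base points using the table bands."""
    for upper, points in BANDS:
        if prefixlen <= upper:
            return points
    raise ValueError(f"invalid IPv4 prefix length: {prefixlen}")

def is_public(net):
    """Assumption: public means not fully contained in a reserved range."""
    return not any(net.subnet_of(r) for r in RESERVED)

def destination_breadth(dest, max_points=MAX_POINTS):
    """Score a destination CIDR or bare host address (treated as /32)."""
    net = ipaddress.ip_network(dest, strict=False)
    if net.version != 4:
        raise ValueError("this example only covers IPv4")
    score = base_points(net.prefixlen)
    if is_public(net):
        score += PUBLIC_BONUS
    # Clamp after the bonus, so /0 and public /1-/8 both land on the cap
    return min(score, max_points)

if __name__ == "__main__":
    # Constructed sample destinations, mostly the table's own examples
    for dest in ("0.0.0.0/0", "8.0.0.0/8", "172.16.0.0/16",
                 "192.168.1.0/24", "10.0.0.0/28", "8.8.8.8", "127.0.0.1"):
        print(f"{dest:<18} {destination_breadth(dest):>2}")
```

Lowering `max_points` shows the clamp taking effect earlier: with a cap of 20, a public /8 scores 20 rather than 30.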