Port Exposure
The Port Exposure factor measures how many ports are open and how risky the exposed services are. Wide port ranges receive high scores regardless of service type, while single-port rules are scored based on the known risk level of that service.
Default max contribution: 25 points.
Scoring table
Port ranges
| Port Configuration | Points | Notes |
|---|---|---|
| All ports (1-65535) or "any" | 25 (max) | Full exposure |
| > 1,000 ports | 22 | Large range |
| 101 - 1,000 ports | 18 | Moderate range |
| 11 - 100 ports | 12 | Small range |
| 2 - 10 ports | 8 + risk bump | See risk bump below |
Single ports
| Service Risk Level | Points | Examples |
|---|---|---|
| CRITICAL | 18 | Telnet (23), Redis (6379) |
| HIGH | 15 | FTP (21), RDP (3389), SMB (445) |
| MEDIUM | 10 | SSH (22), DNS (53) |
| LOW | 0 | HTTPS (443) |
| Unknown | 3 | No known service match |
ICMP
When the protocol is ICMP, no port applies. The Port Exposure factor is omitted entirely from the score calculation - the remaining three factors are used and the score still scales to 100.
Risk bump for small ranges (2 - 10 ports)
When a flow specifies 2 to 10 ports, the base score of 8 is increased by a risk bump based on the highest-risk port in the range:
| Highest Port Risk | Bump |
|---|---|
| CRITICAL | +5 (total 13) |
| HIGH | +4 (total 12) |
| MEDIUM | +2 (total 10) |
| LOW or unknown | +0 (total 8) |
For example, a rule allowing ports 22,443 (SSH is MEDIUM, HTTPS is LOW) gets 8 + 2 = 10 points because SSH is the highest-risk port in the set.
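The tables above combined into one scoring function, as an added example that is not the product's own code. The port-spec syntax (comma-separated ports and `lo-hi` ranges), the function names, and a risk table limited to the services named on this page are assumptions.

```python
# Added example. SERVICE_RISK holds only the services this page lists;
# a real deployment would carry a larger table (assumption).
SERVICE_RISK = {
    23: "CRITICAL", 6379: "CRITICAL",
    21: "HIGH", 3389: "HIGH", 445: "HIGH",
    22: "MEDIUM", 53: "MEDIUM",
    443: "LOW",
}
SINGLE_PORT_POINTS = {"CRITICAL": 18, "HIGH": 15, "MEDIUM": 10, "LOW": 0, "UNKNOWN": 3}
RANGE_BUMP = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 2, "LOW": 0, "UNKNOWN": 0}
ALL_PORTS = 65535


def parse_ports(spec):
    """Expand '22,443', '8000-8100' or 'any' into a set of ports (assumed syntax)."""
    if spec.strip().lower() == "any":
        return set(range(1, ALL_PORTS + 1))
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= ALL_PORTS:
            raise ValueError(f"invalid port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def port_exposure_points(protocol, spec=None):
    """Return the factor's points (0-25), or None when the factor is omitted."""
    if protocol.lower() == "icmp":
        return None  # no port applies; the caller rescales the other factors
    ports = parse_ports(spec)
    count = len(ports)  # distinct ports, so overlapping ranges are not double-counted
    if count == ALL_PORTS:
        return 25
    if count > 1000:
        return 22
    if count > 100:
        return 18
    if count > 10:
        return 12
    risks = [SERVICE_RISK.get(p, "UNKNOWN") for p in ports]
    if count == 1:
        return SINGLE_PORT_POINTS[risks[0]]
    # 2-10 ports: base 8 plus the bump of the highest-risk port in the set
    return 8 + max(RANGE_BUMP[r] for r in risks)
```

Boundary cases are worth checking when auditing scores: 100 ports fall in the 12-point tier and 101 ports in the 18-point tier, and a two-port rule containing a CRITICAL service (13) scores lower than that service exposed alone (18).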