Severity Levels

Severity is the "how bad is it" axis on every finding in ShadowMap. This page is the reference card for the severity vocabulary: the canonical band names and colours, the numeric scale each module uses to derive a band, and how the platform's severity differs from vendor scores like CVSS.

Severity is independent of status (where a finding sits in its lifecycle). For how the two axes interact during triage, see Severity and Status Workflow and Status Workflow.

Overview

The Alerts list is where the severity badge is most visible — each row carries a coloured band in its Risk column. The same badge component and the same band vocabulary recur in every list, drawer, and dashboard across the product.

A severity band is a label, not a raw number. Internally most findings store a numeric risk score; the coloured badge you see is that number bucketed into a fixed band. Two findings with different raw scores can show the same band — the label describes a range, not the exact value.

Severity is assigned by the scanner from the nature of the finding. You cannot edit a finding's severity from the UI. If a high-severity finding is not a real risk in your environment, you change its status (Accepted Risk / Closed) rather than down-rating its severity: the severity stays accurate, and your disposition records the decision.

The canonical bands

ShadowMap renders every severity through one shared badge component (sm-risk-badge). It recognises exactly six values, each with a fixed colour. This is the complete vocabulary:

| Band | Badge value(s) | Colour | Meaning |
|---|---|---|---|
| Critical | critical | Red (deepest) | Highest-impact exposure. Used by modules with a 5-tier ordinal scale and by vendor CVSS — see Module scales. |
| High | high | Red #CC1111 | Directly exploitable or high-impact exposure. Work first. |
| Medium | medium | Orange #F79646 | Real weakness that needs attention but is lower-impact or harder to exploit. |
| Low | low | Yellow #E5E012 | Minor hygiene issue or low-likelihood exposure. |
| Informational | info, informational | Green #00B050 | Context, not a vulnerability — surfaced for awareness, not action. |
| None | empty / unrecognised | Grey | No severity assigned, or a value the badge does not recognise. |

Why green for Informational

Informational is the lowest severity, so it gets the calmest colour. A green badge does not mean "good" or "resolved" — it means the item is low-risk context (a banner, an exposed but non-sensitive page, a brand mention with no payload). It still belongs in the data; it just should not pull your attention ahead of a red or orange badge.

How it works

The part the UI cannot show you: not every module uses the same numeric scale to derive its band. The band names are shared and the colours are shared, but the underlying score that produces them differs by module. A "High" in Alerts and a "High" in Dark Web are computed from completely different number ranges. Knowing which scale a module uses matters when you filter, sort, or reconcile a count.

There are four scale families in the product: the core Alerts 0–10 risk scale, the CVSS vendor scale, the per-module ordinal scales used across Data Leaks, and the Dark Web 0–100 relevance scale.

1. The Alerts 0–10 scale (no Critical)

The core scanner findings — Alerts, Open Ports, Vulnerability Overview, SSL Issues, Web Application checks, App Misconfigurations and the other technical modules — store a numeric risk from roughly 0 to 10+ and bucket it with fixed, platform-wide thresholds:

| Numeric score | Band |
|---|---|
| >= 8 | High |
| >= 5 and < 8 | Medium |
| >= 2 and < 5 | Low |
| < 2 | Informational |

There are no per-customer or per-module cutoffs on this scale — the thresholds are constant everywhere. The same thresholds are applied on the backend (Risk::getRiskText) and re-derived defensively on the frontend, so the badge is identical no matter which surface (list row, detail drawer, detail page) renders it.

This scale tops out at High — it has no Critical tier. If you are looking for a five-band scale in Alerts, there isn't one; the most severe technical finding is "High."

2. The CVSS scale (vendor score, includes Critical)

CVE-driven views (Vulnerabilities, CVE Feeds, Vulnerability Overview) carry the standard CVSS base severity from the upstream feed (NVD), which is its own four-band scale:

| CVSS band | Typical CVSS base score |
|---|---|
| Critical | 9.0–10.0 |
| High | 7.0–8.9 |
| Medium | 4.0–6.9 |
| Low | 0.1–3.9 |

This is a vendor score, not the ShadowMap risk band. It describes the inherent severity of the vulnerability in the abstract — independent of whether the vulnerable asset is actually yours, internet-facing, or exploited in the wild. When a finding has both, ShadowMap shows the CVSS severity alongside the finding rather than overwriting the scanner's own band. Use the CVSS Critical/High filter on the CVE pages to slice by the vendor score.

Critical in CVSS ≠ Critical in your environment

A CVSS-Critical CVE on an asset that is offline, internal-only, or already patched is not the same as a live Critical exposure. ShadowMap layers exploitation context on top — see KEV Compliance (known-exploited) and Ransomware association — so you can find the CVSS-Critical CVEs that are also being exploited, which is the set worth dropping everything for.

3. The ordinal 0–5 scale (Data Leaks, includes Critical)

Some Data Leaks modules — notably S3 Buckets — store severity as a small ordinal integer rather than a 0–10 risk. The S3 scale runs:

| Value | Label |
|---|---|
| 0 | NA |
| 1 | Informative |
| 2 | Low |
| 3 | Medium |
| 4 | High |
| 5 | Critical |

Phishing URLs and Domain Squatting likewise expose a five-band scale that includes Critical — a confirmed credential-harvesting phishing page or a weaponised lookalike domain can rate Critical, where a generic technical Alert cannot. Other Data Leaks modules (Docker Containers, Leaked APIs, Data Breaches) use a simpler High / Medium / Low band with no Critical and no Informational.

Code Repositories uses its own numeric scale, banded as: >= 500 High, 100–499 Medium, 1–99 Low, 0 Informational. The 0 → Informational split is deliberate — the vast majority of keyword-matched repos score exactly 0 (no secrets, no ownership signal), so labelling them Informational separates pure noise from genuine Low findings.

4. The Dark Web 0–100 relevance scale

Dark Web sources — Discussions (forums) and Telegram — surface a relevance score rather than the scanner risk band. The score is a 0–100 number shown in a dedicated Relevance column, and it is banded into tiers:

| Relevance score | Tier |
|---|---|
| >= 80 | Critical |
| 60–79 | High |
| 40–59 | Medium |
| < 40 | Low |

The exact numeric value is shown in the badge (e.g. 73) so you can differentiate items within the same tier. Unlike the Alerts scale, this one does have a Critical tier — a forum or Telegram post carries far more contextual signal than a single technical check, so the top of the range is reserved for the highest-relevance hits.

Relevance is not the same number as risk

The Dark Web Relevance score (0–100) and the Alerts risk score (0–10) are different measures on different ranges — a 73 relevance and a 7.3 risk have nothing to do with each other. Always read the tier / band, never the raw number, when comparing findings from different modules, and confirm which scale a module uses before reconciling counts.
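The four scale families above can be hard to keep straight when reconciling counts across modules, so here is an added worked example that derives a band from a raw value for each family using the thresholds listed on this page. This is illustrative code written for this page, not ShadowMap's own implementation (it is not the backend Risk::getRiskText routine); the function names, the module-to-scale mapping in band_for, and the handling of out-of-range input (a CVSS base score of 0.0 and an unrecognised S3 ordinal both fall to the grey "None" band) are assumptions. The final lines reproduce the point made just above: a 7.3 Alerts risk and a 73 Dark Web relevance land in different bands because they live on different scales.

```python
"""Illustrative band derivation for the four ShadowMap scale families.

Added example for this page; not ShadowMap's code. Thresholds come from
the page's tables. Function names, the band_for() module mapping and the
out-of-range handling are assumptions.
"""

# Each list is (lower cutoff inclusive, band), checked top-down; the
# trailing argument to _band() is the band for anything below the last cutoff.
ALERTS_THRESHOLDS = [(8, "High"), (5, "Medium"), (2, "Low")]          # < 2 -> Informational
CVSS_THRESHOLDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
REPO_THRESHOLDS = [(500, "High"), (100, "Medium"), (1, "Low")]          # 0 -> Informational
DARKWEB_THRESHOLDS = [(80, "Critical"), (60, "High"), (40, "Medium")]  # < 40 -> Low

# S3 Buckets store a small ordinal integer rather than a score.
S3_ORDINAL = {0: "NA", 1: "Informative", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"}


def _band(score, thresholds, floor_band):
    """Bucket a numeric score into the first band whose cutoff it reaches."""
    for cutoff, band in thresholds:
        if score >= cutoff:
            return band
    return floor_band


def alerts_band(risk):
    """Core 0-10 scanner scale: tops out at High, no Critical tier."""
    return _band(risk, ALERTS_THRESHOLDS, "Informational")


def cvss_band(base_score):
    """Vendor CVSS base severity. 0.0 has no band on the page; assumed 'None'."""
    return _band(base_score, CVSS_THRESHOLDS, "None")


def repo_band(score):
    """Code Repositories scale: exact 0 is deliberately Informational, not Low."""
    return _band(score, REPO_THRESHOLDS, "Informational")


def darkweb_tier(relevance):
    """Dark Web 0-100 relevance scale, which does include Critical."""
    return _band(relevance, DARKWEB_THRESHOLDS, "Low")


def s3_band(value):
    """Ordinal lookup; an unrecognised value renders as the grey 'None' badge (assumption)."""
    return S3_ORDINAL.get(value, "None")


# Module -> scale family. The mapping is assumed from the page's prose.
_SCALE_OF_MODULE = {
    "alerts": alerts_band,
    "open_ports": alerts_band,
    "ssl_issues": alerts_band,
    "cve_feeds": cvss_band,
    "s3_buckets": s3_band,
    "code_repositories": repo_band,
    "dark_web": darkweb_tier,
}


def band_for(module, value):
    """Derive the badge band for a raw value, using the module's own scale."""
    return _SCALE_OF_MODULE[module](value)


if __name__ == "__main__":
    # Same digits, different scales: 7.3 risk is Medium, 73 relevance is High.
    print("alerts 7.3  ->", band_for("alerts", 7.3))
    print("dark_web 73 ->", band_for("dark_web", 73))
    print("cve_feeds 9.0 ->", band_for("cve_feeds", 9.0))
    print("code_repositories 0 ->", band_for("code_repositories", 0))
```

Note that the Alerts scale is open at the top ("10+" on the page), so the helper simply returns High for anything at or above 8 rather than clamping; an unexpected value only ever lands in a band that exists for that module.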

Severity vs status

Severity and status are two separate axes and never override each other:

  • Severity = how bad the finding is (this page). Set by the scanner from the finding's nature. Read-only in the UI.
  • Status = where the finding sits in its lifecycle (scanner-detected vs. analyst-dispositioned). Set partly automatically, partly by you.

A Critical finding can be in any status, and a finding you've Accepted can still be High severity. Demoting a finding you don't care about is a status action (Accepted Risk / Closed), not a severity change. See Status Workflow and Severity and Status Workflow for the full model.

Filtering and sorting by severity

Every list that shows a severity badge lets you narrow to a band. Two mechanisms:

  • Severity filter / facet. Most modules offer a Severity dropdown or facet in the filter bar — tick the bands you want (e.g. High + Medium) and the list scopes to them. CVE pages use a dedicated Severity (CVSS) facet with Critical / High / Medium / Low.
  • Severity drill-down from dashboards. Overview and dashboard "severity breakdown" cards are clickable — selecting a band lands you on the target module's list already filtered to that band.

Because the underlying risk column casing and type differ per module (some store an int, some a lowercase string, some Title-Case), the platform normalises the filter value to whatever that module stores. You don't need to know the storage format — pick the band in the UI and the correct query is built for you.

To sort a list highest-severity-first, sort on the Risk / Severity column; the band order is Critical → High → Medium → Low → Informational.
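The filter normalisation and sort order described above can be shown in a small added example that is not ShadowMap's code. It assumes three hypothetical storage formats (a lowercase string, an S3-style integer ordinal, and a Title-Case string), maps the band picked in the UI to whatever the module stores, folds any stored representation back to the canonical label (treating S3's "Informative" and the badge's "info" alias as Informational, an assumption), and sorts constructed sample findings by band order and then by raw score within a band, which is how you distinguish two findings that share a badge.

```python
"""Illustrative severity filter normalisation and sorting.

Added example for this page; not ShadowMap's code. The per-module storage
descriptors, the sample findings and the alias handling are constructed
assumptions; the band order and the 'info' alias come from the page.
"""

# Canonical badge order, highest severity first (page: Critical -> ... -> Informational).
BAND_ORDER = ["Critical", "High", "Medium", "Low", "Informational", "None"]

# Stored strings that are not already a canonical label. Mapping S3's
# "Informative" onto Informational is an assumption for this example.
BAND_ALIASES = {"info": "Informational", "informational": "Informational",
                "informative": "Informational", "na": "None", "": "None"}

# Ordinal layout assumed to follow the page's S3 table (0 NA .. 5 Critical).
ORDINAL_TO_BAND = {0: "None", 1: "Informational", 2: "Low",
                   3: "Medium", 4: "High", 5: "Critical"}
BAND_TO_ORDINAL = {band: value for value, band in ORDINAL_TO_BAND.items()}

# Hypothetical per-module storage descriptors (the page says these differ).
STORAGE_FORMATS = {"alerts": "lowercase", "s3_buckets": "ordinal", "phishing": "title"}


def canonical_band(raw):
    """Fold whatever a module stores (int ordinal, any-case string, alias) to a label."""
    if raw is None:
        return "None"
    if isinstance(raw, int):
        return ORDINAL_TO_BAND.get(raw, "None")
    key = str(raw).strip().lower()
    if key in BAND_ALIASES:
        return BAND_ALIASES[key]
    title = key.title()
    return title if title in BAND_ORDER else "None"   # unrecognised -> grey badge


def filter_value(module, band):
    """Translate the band ticked in the UI into the value this module's column stores."""
    fmt = STORAGE_FORMATS[module]
    if fmt == "ordinal":
        return BAND_TO_ORDINAL[band]
    if fmt == "lowercase":
        return band.lower()
    return band                                         # Title-Case stored as-is


def sort_key(finding):
    """Band order first, then raw score descending so the worse finding leads within a band."""
    band = canonical_band(finding["severity"])
    raw = finding.get("risk") or 0.0                    # ordinal modules have no raw score
    return (BAND_ORDER.index(band), -raw)


def sorted_findings(findings):
    """Return findings highest-severity-first, as the Risk / Severity column sort does."""
    return sorted(findings, key=sort_key)


# Constructed sample rows from three modules with different storage formats.
SAMPLE_FINDINGS = [
    {"id": "a1", "module": "alerts", "severity": "high", "risk": 8.4},
    {"id": "a2", "module": "alerts", "severity": "high", "risk": 9.1},
    {"id": "s1", "module": "s3_buckets", "severity": 5, "risk": None},
    {"id": "p1", "module": "phishing", "severity": "Medium", "risk": None},
    {"id": "a3", "module": "alerts", "severity": "info", "risk": 1.2},
]


def sorted_ids(findings=SAMPLE_FINDINGS):
    return [f["id"] for f in sorted_findings(findings)]


if __name__ == "__main__":
    for module in STORAGE_FORMATS:
        print(module, "High ->", repr(filter_value(module, "High")))
    print("sorted:", sorted_ids())
```

Both a1 and a2 render the same red High badge; the sort puts a2 first because its raw 0–10 score is higher, which is exactly the within-band ordering the page recommends when two findings share a band.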

Common questions

Why doesn't Alerts have a Critical severity? The core technical-scanner scale (Alerts, Open Ports, Vulnerability Overview, SSL, Web Apps, App Misconfigurations) tops out at High by design — it's a four-band 0–10 scale. Critical appears only where a richer scale is warranted: CVSS vendor scores, S3 Buckets, Phishing, and Domain Squatting. If you want to surface the most urgent technical work, filter to High and layer in exploitation context (KEV, ransomware association) rather than looking for a Critical tier that doesn't exist in that module.

The CVE says Critical but the Alert says High — which is right? Both, for different questions. The Critical is the CVSS base severity — the vulnerability's inherent severity in the abstract. The High is ShadowMap's own band for that finding in your environment. They measure different things and are shown side by side on purpose. Prioritise CVSS-Critical CVEs that are also known-exploited or ransomware-associated.

Can I change a finding's severity? No. Severity is scanner-assigned and read-only. If a finding is over- or under-rated for your environment, disposition it via status (Accepted Risk / Closed) — that records your decision without distorting the severity, which other surfaces and reports rely on being consistent.

Two findings show the same band but I want the worse one — how? The band is a range, so within a band you can't tell which is "worse" from the badge alone. Sort by the Risk / Severity column to order by the raw underlying score within the band, or open the detail view to see the contributing signals.

Why is something green / Informational still in my list? Informational means low-risk context, not "resolved." It's intentionally surfaced for awareness (e.g. an exposed-but-harmless page, a brand mention with no payload). Filter it out of your working view if you only want actionable findings — it isn't noise to be deleted, just the lowest priority.

Does severity affect SLAs? Yes. SLA policies are typically keyed on severity band — higher bands get shorter remediation windows. The band, not the raw score, is what the SLA clock reads.

  • Severity and Status Workflow — the narrative model: how severity and the scanner/analyst status axes interact during triage.
  • Status Workflow — the status axis (New / Open / Closed, Needs Review / Investigating / Accepted Risk / Closed) that complements severity.
  • Alerts — the module where the severity badge is most prominent.
  • Vulnerability Overview and CVE Feeds — where CVSS severity (including Critical) is used.
  • KEV Compliance and Ransomware — exploitation context that turns a CVSS-Critical CVE into a real priority.
  • SLA Policies — how severity bands drive remediation deadlines.
  • Glossary — definitions of risk, severity, and related terms.

ShadowMap - External Attack Surface Management