Highly-Exploitable CVE Density and Vulnerable Endpoint Percentage

Evaluate your company's exposure to CVEs and how you compare to global averages.

To better assist you in determining and responding to your company's vulnerabilities, Trend Micro designed certain metrics to complement each other for greater clarity.

The Highly-Exploitable CVE Density and Vulnerable Endpoint Percentage work together to help you tailor your response to vulnerable endpoint threats.

Metric: Highly-Exploitable CVE Density

Description:

Calculated from the total number of detected highly-exploitable CVEs divided by the total number of endpoints with Vulnerability Detection enabled (Total highly-exploitable CVEs / Total endpoints with Vulnerability Detection).

Highly-Exploitable CVE Density calculations occur daily. Weekly and monthly averages use a simple average calculation based on the daily values.

Example:

Total endpoint count: 3

  • Endpoint 1: 2 CVEs

  • Endpoint 2: 4 CVEs

  • Endpoint 3: 0 CVEs

Highly-exploitable CVE density (Total highly-exploitable CVEs / Total endpoints with Vulnerability Detection):

(2+4+0) / 3 = 2.0

Metric: Vulnerable Endpoint Percentage

Description:

Calculated from the total number of endpoints with detected highly-exploitable CVEs divided by the total number of endpoints with Vulnerability Detection enabled (Total endpoints with vulnerabilities / Total endpoints with Vulnerability Detection * 100).

Vulnerable Endpoint Percentage calculations occur daily. Weekly and monthly averages use a simple average calculation based on the daily values.

Example:

  • Total number of endpoints with detected highly-exploitable CVEs: 5

  • Total Vulnerability Detection-enabled endpoints: 25

Vulnerable Endpoint Percentage (Total endpoints with vulnerabilities / Total endpoints with Vulnerability Detection * 100):

5 / 25 * 100 = 20%

Important:
  • CVE counts only include Highly-Exploitable CVEs based on global exploit activity and Trend Micro threat expert evaluations.

  • CVE counts include all Highly-Exploitable CVEs regardless of patch availability.

  • Only supported on Windows desktop platforms starting from Windows 10.

Table 1. Example Scenario

Company A

  • CVE Density: 10.2

  • Vulnerable Endpoint Percentage: 5%

Company B

  • CVE Density: 10.2

  • Vulnerable Endpoint Percentage: 40%

Even though the CVE Density values for both companies are the same (10.2), the risk profiles are very different.

  • Company A has a small number of endpoints (5%) with a large number of critical CVEs, which could indicate that the company regularly applies patches and only a limited subset of endpoints have not yet received the latest update.

  • Company B has a large number of endpoints (20%) with a large number of CVEs, which could indicate that the company has a delayed policy in patching endpoints, possibly due to internal testing requirements.

Examining both metrics together can help a company determine the best method to reduce its exposure to highly-exploitable CVEs.
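The following added example (not Trend Micro code) computes both metrics from per-endpoint counts and shows how two fleets can share a CVE Density of 10.2 while differing in Vulnerable Endpoint Percentage, using the Table 1 values. The function names, the input shape (one count per Vulnerability Detection-enabled endpoint per day), the constructed fleets, and the handling of days with no enabled endpoints are assumptions.

```python
from statistics import mean

def daily_metrics(cve_counts):
    """Return (density, vulnerable %) for one day's snapshot.

    cve_counts: one highly-exploitable CVE count per endpoint that has
    Vulnerability Detection enabled (assumed input shape).
    """
    total = len(cve_counts)
    if total == 0:
        return None  # no enabled endpoints: both ratios are undefined
    density = sum(cve_counts) / total
    vulnerable_pct = sum(1 for c in cve_counts if c > 0) / total * 100
    return density, vulnerable_pct

def period_average(daily_snapshots):
    """Simple average of the daily values over a week or month.

    Days without enabled endpoints are skipped (an assumption; the page
    does not say how such days are treated).
    """
    days = [m for m in map(daily_metrics, daily_snapshots) if m is not None]
    if not days:
        return None
    return mean(d[0] for d in days), mean(d[1] for d in days)

# Constructed fleets of 20 endpoints matching Table 1.
FLEET_A = [204] + [0] * 19                 # 1 of 20 endpoints vulnerable
FLEET_B = [25] * 4 + [26] * 4 + [0] * 12   # 8 of 20 endpoints vulnerable

if __name__ == "__main__":
    for name, fleet in (("A", FLEET_A), ("B", FLEET_B)):
        density, pct = daily_metrics(fleet)
        print(f"Company {name}: density={density:.1f} vulnerable={pct:.0f}%")
    # Constructed week: the page's 3-endpoint example being patched down.
    week = [[2, 4, 0], [2, 0, 0], [0, 0, 0]]
    density, pct = period_average(week)
    print(f"Period average: density={density:.2f} vulnerable={pct:.1f}%")
```
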