# Risk model and scoring

Risk scoring turns evidence into a normalized score and a severity band. The model is deterministic and explainable: the same inputs evaluated under the same profile always yield the same score, and every factor's contribution to that score is reported.

## Core concepts

- Signals become evidence after validation.
- Evidence is normalized into factors.
- Profiles define weights, thresholds, and overrides.
- Formulas aggregate factors into scores and severity.

## Signal sources (examples)

- CVSS severity and vectors (v4 supported).
- KEV flags and exploit history.
- EPSS percentiles for exploit likelihood.
- Reachability and runtime evidence.

## Lifecycle

1. Job submission with tenant, profile, and findings.
2. Evidence ingestion from scanners, reachability analysis, and VEX.
3. Normalization and deduplication by provenance hash.
4. Profile evaluation with gates and overrides.
5. Severity assignment and explainability output.
6. Export to the Findings Ledger and Export Center.

## Artifacts

- Profile schema: signals, weights, overrides, provenance.
- Job and result schema: score, severity, contributions.
- Explainability payloads for UI and CLI.

## Determinism rules

- Stable ordering for factors and signals.
- Fixed-precision math and UTC timestamps.
- Hashes and provenance recorded for every input.

## Related references

- docs/risk/overview.md
- docs/risk/factors.md
- docs/risk/formulas.md
- docs/risk/profiles.md
- docs/risk/api.md
- docs/guides/epss-integration.md
- risk/overview.md
- risk/factors.md
- risk/formulas.md
- risk/profiles.md
- risk/explainability.md
- risk/api.md
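The lifecycle and determinism rules above, worked through end to end as an added example. This is illustrative code written for this page, not the project's own scoring engine: the evidence field names (`kind`, `base_score`, `percentile`, `listed`, `reachable`, `status`), the profile weights, the severity bands, the override rules (a VEX `not_affected` gate and a KEV floor) and the sample signals are all assumptions. What it does show is the shape of each stage: validation before a signal becomes evidence, deduplication by a canonical-JSON provenance hash, normalization into [0, 1] factors, a weighted formula with fixed-precision `Decimal` math, banding, overrides, and an explainability payload that lists each factor's contribution in stable order.

```python
"""Added example, not the project's own code: a deterministic scoring pipeline
following the lifecycle above (validate, dedupe by provenance hash, normalize,
profile evaluation with overrides, severity, explainability). Field names,
weights, thresholds and bands here are assumptions for illustration."""
import hashlib
import json
from datetime import datetime, timezone
from decimal import Decimal, ROUND_HALF_UP

TWO_PLACES = Decimal("0.01")  # fixed-precision math: every score is quantized to 2 places
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SAMPLE_TS = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed job timestamp (UTC)

# Hypothetical profile: factor weights (sum to 1), severity bands, override rules.
PROFILE = {
    "name": "example-default",
    "weights": {"cvss": Decimal("0.40"), "epss": Decimal("0.25"), "kev": Decimal("0.20"), "reachability": Decimal("0.15")},
    "bands": [(Decimal("90"), "critical"), (Decimal("70"), "high"), (Decimal("40"), "medium"), (Decimal("0"), "low")],
    "overrides": {"kev_floor": "high", "vex_not_affected": "info"},
}

def validate(signal: dict) -> dict:
    """A signal becomes evidence only if it is in range for its kind."""
    kind = signal.get("kind")
    if kind not in {"cvss", "epss", "kev", "reachability", "vex"}:
        raise ValueError(f"unknown signal kind: {kind!r}")
    if kind == "cvss" and not 0 <= float(signal["base_score"]) <= 10:
        raise ValueError(f"CVSS base score out of range: {signal}")
    if kind == "epss" and not 0 <= float(signal["percentile"]) <= 1:
        raise ValueError(f"EPSS percentile out of range: {signal}")
    return signal

def provenance_hash(evidence: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so equal evidence hashes equal."""
    canon = json.dumps(evidence, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def dedupe(evidence: list) -> list:
    """Collapse duplicates by provenance hash; return in stable (hash) order."""
    by_hash = {}
    for item in evidence:
        h = provenance_hash(item)
        by_hash.setdefault(h, dict(item, provenance=h))
    return [by_hash[h] for h in sorted(by_hash)]

def normalize(evidence: list) -> dict:
    """Map evidence onto factors in [0, 1]; no reachability evidence means unknown (0.5)."""
    factors = {"cvss": Decimal("0"), "epss": Decimal("0"), "kev": Decimal("0")}
    reach = []
    for e in evidence:
        if e["kind"] == "cvss":
            factors["cvss"] = max(factors["cvss"], Decimal(str(e["base_score"])) / 10)
        elif e["kind"] == "epss":
            factors["epss"] = max(factors["epss"], Decimal(str(e["percentile"])))
        elif e["kind"] == "kev" and e["listed"]:
            factors["kev"] = Decimal("1")
        elif e["kind"] == "reachability":
            reach.append(Decimal("1") if e["reachable"] else Decimal("0"))
    factors["reachability"] = max(reach) if reach else Decimal("0.5")
    return factors

def weighted_score(factors: dict, profile: dict = PROFILE) -> Decimal:
    """score = 100 * sum(weight_k * factor_k), factors visited in sorted order."""
    total = sum(profile["weights"][k] * factors[k] for k in sorted(profile["weights"]))
    return (total * 100).quantize(TWO_PLACES, rounding=ROUND_HALF_UP)

def band_for(score: Decimal, profile: dict = PROFILE) -> str:
    return next(name for threshold, name in profile["bands"] if score >= threshold)

def apply_overrides(severity: str, evidence: list, profile: dict = PROFILE) -> tuple:
    """Gates and floors: a VEX not_affected statement wins outright; a KEV listing sets a minimum band."""
    if any(e["kind"] == "vex" and e["status"] == "not_affected" for e in evidence):
        gated = profile["overrides"]["vex_not_affected"]
        return gated, [f"vex not_affected gate: {severity} -> {gated}"]
    floor = profile["overrides"]["kev_floor"]
    if any(e["kind"] == "kev" and e["listed"] for e in evidence) and SEVERITY_RANK[severity] < SEVERITY_RANK[floor]:
        return floor, [f"kev floor: {severity} -> {floor}"]
    return severity, []

def evaluate(finding_id: str, signals: list, evaluated_at: datetime, profile: dict = PROFILE) -> dict:
    """Run the lifecycle for one finding and emit score, band and explainability payload."""
    if evaluated_at.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware (recorded in UTC)")
    evidence = dedupe([validate(s) for s in signals])
    factors = normalize(evidence)
    score = weighted_score(factors, profile)
    severity, reasons = apply_overrides(band_for(score, profile), evidence, profile)
    contributions = [{"factor": k, "value": str(factors[k]), "weight": str(profile["weights"][k]),
                      "contribution": str((factors[k] * profile["weights"][k] * 100).quantize(TWO_PLACES, rounding=ROUND_HALF_UP))}
                     for k in sorted(factors)]
    return {"finding": finding_id, "profile": profile["name"], "score": str(score),
            "severity": severity, "contributions": contributions, "overrides": reasons,
            "inputs": [e["provenance"] for e in evidence],
            "evaluated_at": evaluated_at.astimezone(timezone.utc).isoformat()}

# Constructed sample signals (not real findings); the duplicate CVSS record is deduped.
SAMPLE_SIGNALS = [
    {"kind": "cvss", "version": "4.0", "base_score": 7.5, "source": "scanner-a"},
    {"kind": "cvss", "version": "4.0", "base_score": 7.5, "source": "scanner-a"},
    {"kind": "epss", "percentile": 0.10, "source": "epss-feed"},
    {"kind": "kev", "listed": True, "source": "kev-feed"},
    {"kind": "reachability", "reachable": False, "source": "callgraph"},
]

if __name__ == "__main__":
    print(json.dumps(evaluate("finding-001", SAMPLE_SIGNALS, SAMPLE_TS), indent=2))
```

With the constructed sample the weighted formula lands at 52.50 (medium), and the KEV floor then raises the band to high while the payload records both the raw score and the override reason; adding a VEX `not_affected` statement gates the same finding to info without touching the score. The two design points worth carrying over to a real implementation are that factors are combined in sorted key order and quantized at every step (so the result cannot drift with insertion order or float rounding), and that the provenance hash is computed over canonical JSON, so a re-ingested identical record collapses to one input rather than double-counting.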