Introduction 

The CSPM score is a risk indicator that aggregates the findings from vulnerability scanning of your cloud accounts. It summarizes the current security posture of a cloud account and lets you track how that posture improves over time.

The Aqua CSPM Score is a letter grade between “A” and “F” that represents the overall security risk of a cloud account. The CSPM score is used in scan and compliance reports.


CSPM score calculation

The CSPM score is calculated by aggregating the security findings discovered by vulnerability scanning of the cloud account, using one of the following two methods:


Unweighted


These risks are identified by assessing the cloud resources against default and custom compliance standards. Each compliance program is divided into controls, which are in turn mapped to Aqua CSPM plugins. Each control then reports its plugin counts with the corresponding aggregated statuses: PASS, WARN, FAIL, or UNKW (unknown result).


CSPM score (in %)= (Number of passing results/Total number of results) * 100


Severity-weighted

As the scan results are processed, the severity of each risk affects the final score. The weights below mean that a large number of low-severity FAIL results skews the score far less than a small number of critical or high-severity failures. The weights are currently fixed.


CSPM score (in %) = 100 * (
      40% * (Number of passing critical results / Total number of critical results)
    + 30% * (Number of passing high results     / Total number of high results)
    + 20% * (Number of passing medium results   / Total number of medium results)
    + 10% * (Number of passing low results      / Total number of low results)
)



The method for calculating the score can be configured in the Aqua console, by navigating to Account Management > Settings > Security > Compliance Grade Calculation Type. 



The calculated numerical score is between 0 and 100 and is mapped to a letter grade using the table below.


Grade    Score range
A        90-100
B        80-90
C        70-80
D        60-70
F        Below 60
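As an added worked example (not Aqua's code), the following Python computes both calculation types over a constructed list of plugin results and maps the numeric score to a letter grade. The plugin names are made up. The page does not say how WARN and UNKW results are counted, how a severity with no results at all is handled, or which grade a boundary score such as 90 receives; the code makes an assumption for each and labels it in a comment.

```python
from collections import Counter
from typing import Iterable, List, Tuple


class Result:
    """One plugin result: a control maps to plugins, and every plugin result
    carries a severity and one of the statuses PASS, WARN, FAIL or UNKW."""

    def __init__(self, plugin: str, severity: str, status: str) -> None:
        self.plugin = plugin
        self.severity = severity   # "critical", "high", "medium" or "low"
        self.status = status       # "PASS", "WARN", "FAIL" or "UNKW"


# Fixed weights from the severity-weighted formula.
SEVERITY_WEIGHTS = {"critical": 0.40, "high": 0.30, "medium": 0.20, "low": 0.10}

# Assumption: each band starts at its lower bound inclusive. The page lists
# overlapping ranges (80-90, 90-100) without saying which grade exactly 90 gets.
GRADE_BANDS = [(90.0, "A"), (80.0, "B"), (70.0, "C"), (60.0, "D")]


def _passing(results: Iterable[Result]) -> List[Result]:
    # Assumption: only PASS is a passing result; WARN, FAIL and UNKW are not.
    return [r for r in results if r.status == "PASS"]


def unweighted_score(results: Iterable[Result]) -> float:
    """CSPM score (%) = passing results / total results * 100."""
    results = list(results)
    if not results:
        raise ValueError("cannot score an account with no plugin results")
    return 100.0 * len(_passing(results)) / len(results)


def severity_weighted_score(results: Iterable[Result]) -> float:
    """CSPM score (%) = 100 * sum over severities of weight * passing / total."""
    results = list(results)
    totals = Counter(r.severity for r in results)
    passing = Counter(r.severity for r in _passing(results))
    unknown = set(totals) - set(SEVERITY_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")
    # Assumption: a severity with no results is left out and the remaining
    # weights are renormalised, so an empty bucket neither penalises nor
    # rewards the account. The page does not specify this case.
    present = {s: w for s, w in SEVERITY_WEIGHTS.items() if totals[s]}
    if not present:
        raise ValueError("cannot score an account with no plugin results")
    weight_sum = sum(present.values())
    ratio = sum((w / weight_sum) * passing[s] / totals[s] for s, w in present.items())
    return 100.0 * ratio


def letter_grade(score: float) -> str:
    """Map a 0-100 score to the A-F grade table."""
    if not 0.0 <= score <= 100.0:
        raise ValueError(f"score out of range: {score}")
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"


def score_account(results: Iterable[Result], method: str = "severity-weighted") -> Tuple[float, str]:
    """Return (score rounded to 2 decimals, grade) for the chosen calculation type."""
    results = list(results)
    if method == "unweighted":
        score = unweighted_score(results)
    elif method == "severity-weighted":
        score = severity_weighted_score(results)
    else:
        raise ValueError(f"unknown calculation type: {method}")
    return round(score, 2), letter_grade(score)


# Constructed sample account (made-up plugin names): one critical failure,
# clean high controls, one medium warning, and six low-severity failures.
SAMPLE_RESULTS = (
    [Result("root-account-mfa", "critical", "PASS"),
     Result("bucket-public-access", "critical", "FAIL"),
     Result("audit-logging-enabled", "high", "PASS"),
     Result("flow-logs-enabled", "high", "PASS"),
     Result("db-encrypted-at-rest", "medium", "PASS"),
     Result("tls-enforced", "medium", "PASS"),
     Result("key-rotation", "medium", "PASS"),
     Result("log-group-retention", "medium", "WARN")]
    + [Result(f"unused-region-{i}", "low", "FAIL") for i in range(6)]
    + [Result(f"tag-policy-{i}", "low", "PASS") for i in range(2)]
)

# Constructed sample with no critical or medium results (empty-bucket case).
SAMPLE_NO_CRITICAL = [Result("audit-logging-enabled", "high", "PASS"),
                      Result("unused-region-0", "low", "FAIL")]


if __name__ == "__main__":
    for method in ("unweighted", "severity-weighted"):
        score, grade = score_account(SAMPLE_RESULTS, method)
        print(f"{method:18s} {score:6.2f}  grade {grade}")
```

With the sample data the unweighted method gives 50 (grade F) while the severity-weighted method gives 67.5 (grade D): the six low-severity FAIL results carry only a tenth of the weight, so they cannot drag the score down the way the single critical failure does.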



Factors lowering the CSPM score

The CSPM score starts at 100 and is reduced for each risk factor discovered. The following factors reduce the CSPM score:

  • Risks identified from storage buckets exposed publicly
  • Risks identified from compute and database resources with unintended public access
  • Risks identified from improper or missing encryption in transit and at rest across cloud services
  • Risks identified from changes to critical resources such as firewall rules, logging groups, or account settings
  • Risks identified from activity in unused or unexpected cloud provider regions or locations
  • Risks identified from user policy definitions that do not enforce least-privilege access to resources
  • Risks identified from misconfiguration of the cloud platform