Every Panguard Scan produces a single risk score from 0 to 100 and an associated letter grade from A to F. This page explains how the score is calculated and what each grade means.
Score Display
Score: 62/100 [████████████░░░░░░░░] Grade: C
The score is a risk score: higher means more risk. It is the sum of severity-weighted findings, adjusted by a context multiplier and clamped to the 0-100 range.
Grade Thresholds
| Grade | Score Range | Interpretation |
|---|---|---|
| A | 90 - 100 | Excellent. Minimal risk. All critical and high issues resolved. |
| B | 75 - 89 | Good. A few medium-severity items remain. |
| C | 60 - 74 | Fair. Multiple findings need attention. |
| D | 40 - 59 | Poor. Significant security gaps present. |
| F | 0 - 39 | Critical. Immediate remediation required. |
Scoring Factors
The risk score is derived from the severity and quantity of findings across all scanners. Each finding contributes penalty points based on its severity:
| Severity | Points per Finding |
|---|---|
| CRITICAL | 25 |
| HIGH | 15 |
| MEDIUM | 5 |
| LOW | 1 |
| INFO | 0 |
Points are summed and the total becomes the raw risk score (higher = more risk). The score is clamped to the 0-100 range.
Deduplication
When multiple findings share the same ID (e.g., the same rule triggered on different inputs), only the highest-severity instance is counted. This prevents score inflation from duplicate detections.
Context Multiplier
The raw score is adjusted by a context multiplier that reflects environmental signals:
| Multiplier | Meaning | Effect |
|---|---|---|
| > 1.0 | Malicious context signals present | Increases risk score |
| 1.0 | Neutral (default) | No adjustment |
| < 1.0 | Legitimate context signals present | Reduces risk score |
The final score is min(100, round(rawScore * contextMultiplier)).
Example Calculation
| Finding | Severity | Points |
|---|---|---|
| SSH on 0.0.0.0 | HIGH | 15 |
| Weak password policy | MEDIUM | 5 |
| Expired SSL cert | CRITICAL | 25 |
| No firewall | HIGH | 15 |
| Outdated kernel (CVE) | MEDIUM | 5 |
| Total | | 65 |
With a neutral context multiplier (1.0), the risk score is 65 (Grade: C).
Risk Level Overrides
The presence of a CRITICAL finding forces at least a HIGH risk level, regardless of the numeric score. If the context multiplier is very low (< 0.6), the override is weakened to MEDIUM instead of HIGH.
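The scoring rules above (severity points, deduplication by finding ID, context multiplier, clamping, grade bands and the CRITICAL override) written out as one runnable reference implementation. This is an added example, not Panguard's own code; the finding IDs in the sample are constructed, and the sample findings are the five rows of the Example Calculation table.

```python
from dataclasses import dataclass

# Penalty points per severity (Scoring Factors table) and a rank used for dedup.
SEVERITY_POINTS = {"CRITICAL": 25, "HIGH": 15, "MEDIUM": 5, "LOW": 1, "INFO": 0}
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Lower bound of each grade band (Grade Thresholds table), highest first.
GRADE_BANDS = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")]

@dataclass(frozen=True)
class Finding:
    id: str        # rule identifier; duplicate detections share this value
    title: str
    severity: str  # one of the SEVERITY_POINTS keys

def deduplicate(findings):
    """Keep only the highest-severity instance of each finding ID."""
    best = {}
    for f in findings:
        cur = best.get(f.id)
        if cur is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[cur.severity]:
            best[f.id] = f
    return list(best.values())

def raw_score(findings):
    """Sum of severity points over the deduplicated findings (not yet clamped)."""
    return sum(SEVERITY_POINTS[f.severity] for f in deduplicate(findings))

def final_score(findings, context_multiplier=1.0):
    """min(100, round(rawScore * contextMultiplier)), kept within 0-100."""
    return max(0, min(100, round(raw_score(findings) * context_multiplier)))

def grade(score):
    return next(letter for lower, letter in GRADE_BANDS if score >= lower)

def critical_override(findings, context_multiplier=1.0):
    """Minimum risk level forced by a CRITICAL finding, or None if there is none."""
    if not any(f.severity == "CRITICAL" for f in findings):
        return None
    return "MEDIUM" if context_multiplier < 0.6 else "HIGH"

# Constructed sample: the five findings from the Example Calculation table
# (the IDs are made up for this example).
EXAMPLE = [
    Finding("net-ssh-bind", "SSH on 0.0.0.0", "HIGH"),
    Finding("auth-weak-pw", "Weak password policy", "MEDIUM"),
    Finding("tls-expired", "Expired SSL cert", "CRITICAL"),
    Finding("net-no-fw", "No firewall", "HIGH"),
    Finding("sys-kernel", "Outdated kernel (CVE)", "MEDIUM"),
]
```

Note that a second instance of an already-counted ID at a lower severity adds nothing, whereas a higher-severity instance replaces the lower one.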
Score Categories
Beyond the single number, the score is contextualized across 8 categories:
| Category | What It Measures |
|---|---|
| System | OS patch level, kernel version, architecture |
| Network | Open ports, binding addresses, firewall status |
| Authentication | Password policy strength, account lockout |
| Encryption | SSL/TLS certificates, cipher suites, key strength |
| Access Control | Shared folders, file permissions, anonymous access |
| Services | Running services, unnecessary daemons |
| Scheduled Tasks | Cron jobs, suspicious scripts, persistence vectors |
| Security Tools | Presence of AV, IDS, firewall, audit daemon |
Improving Your Score
Fix CRITICAL findings first
Each critical finding costs 25 points. Resolving just one can move your grade up a full letter.
Address HIGH findings
High-severity items are the next priority at 15 points each.
Review MEDIUM findings
These are typically configuration improvements that accumulate.
Re-scan to verify
Run panguard scan again after making changes to confirm your new score.
Run panguard scan --json to get machine-readable output that includes per-finding scores, making it easy to integrate into CI/CD pipelines.