Quickstart¶
Score your first vulnerability in 60 seconds.
ORES takes a set of signals — CVSS score, EPSS probability, threat intel, asset context, patch status — and returns a single prioritized risk score with a full explanation of how it got there.
Before you begin
This guide assumes the ores CLI is installed and on your PATH. If not, head to Installation first — it takes under a minute.
Prepare your signals¶
Create a file with the vulnerability signals you want to evaluate. ORES accepts both YAML and JSON.
apiVersion: ores.dev/v1
kind: EvaluationRequest
signals:
cvss:
base_score: 9.8
vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
epss:
probability: 0.91
percentile: 0.98
threat_intel:
actively_exploited: true
ransomware_associated: false
asset:
criticality: high
network_exposure: true
data_classification: pii
patch:
patch_available: true
patch_age_days: 45
compensating_control: false
{
"apiVersion": "ores.dev/v1",
"kind": "EvaluationRequest",
"signals": {
"cvss": {
"base_score": 9.8,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"epss": {
"probability": 0.91,
"percentile": 0.98
},
"threat_intel": {
"actively_exploited": true,
"ransomware_associated": false
},
"asset": {
"criticality": "high",
"network_exposure": true,
"data_classification": "pii"
},
"patch": {
"patch_available": true,
"patch_age_days": 45,
"compensating_control": false
}
}
}
You don't need all five signals
ORES works with any subset of signals. Pass just a CVSS score and you will still get a result — the engine fills in safe defaults for anything missing and adjusts its confidence score accordingly.
Run the evaluation¶
Read the results¶
Score: 87
Label: high
Mode: weighted
Version: 0.2.0
Confidence: 0.75
Signals used: 5 / 5
FACTOR CONTRIBUTION REASONING
------ ------------ ---------
base_vulnerability 26 Base severity score from vulnerability data (high impact: 88%)
exploitability 22 Likelihood of exploitation based on threat landscape (high impact: 93%)
environmental_context 17 Environmental risk based on asset criticality and exposure (high impact: 74%)
remediation_gap 13 Remediation posture based on patch availability and compliance (moderate impact: 58%)
lateral_risk 9 Lateral movement potential based on blast radius (moderate impact: 30%)
Every result includes:
- Score
- A number from 0 - 100 representing overall prioritized risk.
- Label
- A human-readable severity tier mapped from the score.
- Factors
- A breakdown showing exactly which dimensions drove the score and why.
- Confidence
- How much signal the engine had to work with (more signals = higher confidence).
Severity tier mapping
The label field maps the numeric score to a tier:
| Score | Label | |
|---|---|---|
| 90 - 100 | critical | Critical |
| 70 - 89 | high | High |
| 40 - 69 | medium | Medium |
| 10 - 39 | low | Low |
| 0 - 9 | info | Info |
Get structured output¶
For programmatic use, switch to JSON output:
Full JSON response (click to expand)
{
"apiVersion": "ores.dev/v1",
"kind": "EvaluationResult",
"score": 87,
"label": "high",
"mode": "weighted",
"version": "0.2.0",
"explanation": {
"signals_provided": 5,
"signals_used": 5,
"signals_unknown": 0,
"unknown_signals": [],
"warnings": [],
"confidence": 0.75,
"factors": [
{
"name": "base_vulnerability",
"contribution": 26,
"derived_from": ["cvss"],
"reasoning": "Base severity score from vulnerability data (high impact: 88%)"
},
{
"name": "exploitability",
"contribution": 22,
"derived_from": ["epss", "threat_intel"],
"reasoning": "Likelihood of exploitation based on threat landscape (high impact: 93%)"
},
{
"name": "environmental_context",
"contribution": 17,
"derived_from": ["asset"],
"reasoning": "Environmental risk based on asset criticality and exposure (high impact: 74%)"
},
{
"name": "remediation_gap",
"contribution": 13,
"derived_from": ["patch"],
"reasoning": "Remediation posture based on patch availability and compliance (moderate impact: 58%)"
},
{
"name": "lateral_risk",
"contribution": 9,
"derived_from": ["defaults"],
"reasoning": "Lateral movement potential based on blast radius (moderate impact: 30%)"
}
]
}
}
Understanding derived_from
Each factor lists the signals it drew from. When a factor shows ["defaults"], it means no matching signals were provided and the engine used safe built-in defaults. Supplying more signals will increase both accuracy and the confidence score.
Embed in a Go application¶
Want to skip the CLI entirely? Use the Go library for zero-overhead, in-process scoring:
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/rigsecurity/ores/pkg/engine"
"github.com/rigsecurity/ores/pkg/score"
)
func main() {
eng := engine.New()
req := &score.EvaluationRequest{
APIVersion: "ores.dev/v1",
Kind: "EvaluationRequest",
Signals: map[string]any{
"cvss": map[string]any{
"base_score": 9.8,
},
"epss": map[string]any{
"probability": 0.91,
"percentile": 0.98,
},
"threat_intel": map[string]any{
"actively_exploited": true,
},
},
}
result, err := eng.Evaluate(context.Background(), req)
if err != nil {
fmt.Fprintln(os.Stderr, "evaluation failed:", err)
os.Exit(1)
}
enc := json.NewEncoder(os.Stdout)
enc.SetIndent("", " ")
enc.Encode(result)
}
What's next?¶
You have scored your first vulnerability. Here is where to go from here:
-
Signals Reference
Explore every signal type ORES understands — CVSS, EPSS, threat intel, asset context, and more.
-
How Scoring Works
Understand the weighted factor model, confidence calculation, and default behaviors.
-
Daemon Guide
Deploy
oresdas an HTTP service for SIEM, SOAR, and ticketing integrations. -
WASM Guide
Run ORES in the browser, at the edge, or inside sandboxed environments.
-
CLI Reference
Every flag, output format, and advanced option for the
orescommand. -
Confidence
Learn how signal completeness affects the confidence score and what it means for prioritization.