| Check | Category | Severity | ATT&CK | Action |
|---|
| Check Name | Category | Severity | Result | Last Seen | First Seen | Trend | Actions |
|---|---|---|---|---|---|---|---|
| CVE | CVSS | Severity | EPSS | KEV | Affected Checks | First Seen | Last Seen | Description | |
|---|---|---|---|---|---|---|---|---|---|
| Check | Category | Severity | ATT&CK | Action |
|---|
| Check Name | Category | Severity | Result | Last Seen | First Seen | Trend | Actions |
|---|---|---|---|---|---|---|---|
| CVE | CVSS | Severity | EPSS | KEV | Affected Checks | First Seen | Last Seen | Description | |
|---|---|---|---|---|---|---|---|---|---|
—
How WinSecAudit calculates scores, classifies risk, and integrates external threat intelligence. Every metric you see in the dashboard derives from these formulas applied to real scan data — no estimates, no synthesised numbers.
Each check carries a numeric weight reflecting its security impact. The score is computed as:
score = (Σ earned_weight ÷ Σ max_weight) × 100
SKIPPED checks are excluded from both numerator and denominator so an inapplicable control (e.g. BitLocker on a machine without a TPM) never penalises the score. ERROR results count toward the denominator (we couldn't verify) but contribute zero to the numerator.
The numeric score maps to an A–F band:
The Exploit Prediction Scoring System assigns each CVE a probability (0.0–1.0) of being exploited in the wild within the next 30 days. Higher EPSS = greater real-world exploitation pressure. Bands shown in the EPSS distribution chart:
Critical ≥ 0.90 · High ≥ 0.70 · Medium ≥ 0.30 · Low < 0.30
EPSS is fetched from api.first.org for every failed-check CVE, cached locally for 7 days.
The CISA Known Exploited Vulnerabilities catalogue lists CVEs confirmed to be actively exploited in real attacks. Any CVE present in the catalogue is flagged with the KEV badge throughout the dashboard. The full ~1,500-entry catalogue is downloaded once per 24 hours from cisa.gov and stored at data/cisa_kev_cache.json.
Every check declares a mitre_technique identifier (e.g. T1548.002 for UAC). The matrix groups failures by tactic (Recon → Impact) and observation tier:
Detected (FAIL) · Potential (ERROR/SKIPPED) · Not Observed (PASS)
Click any cell to see the full list of underlying checks mapped to that tactic.
Drift compares two scans by joining their results on check_name. SQLite has no FULL OUTER JOIN, so we emulate it via two LEFT JOINs + UNION ALL. Each check is then bucketed:
PASS → FAIL = Regression | FAIL → PASS = Improvement | Same status = Stable
The "score impact" column is severity-weighted: CRITICAL ±25 pts, HIGH ±20, MEDIUM ±15, LOW ±10.
A check is remediable when its plugin defines both remediation_supported = True and a non-empty remediation_cmd (PowerShell / netsh / reg). The dashboard auto-derives manual step-by-step instructions from the command type — registry edits walk the user through regedit; service operations open services.msc; etc.
Per-check stability across history is determined by analysing transitions between PASS and FAIL across the last N executions:
stable · improving · degrading · flapping
"Flapping" means ≥40% of executions changed status — usually indicates a misconfigured remediation or external interference.
Choose a profile and start the scan. The audit runs locally on this endpoint and the dashboard refreshes when finished.