Understanding Residual Risk: Why Severity Labels Lie

Vigimati Team

The Severity Label Problem

Every CSPM in the market uses severity labels: LOW, MEDIUM, HIGH, CRITICAL. They're simple. They're color-coded. And they're fundamentally misleading.

Here's why: severity is assigned to the control, not to the resource. When a control says "IAM users should have MFA enabled" and assigns it HIGH severity, every single user without MFA gets that same HIGH label — regardless of context.

But context is everything.

Same Control, Different Risk

Consider this scenario. Three IAM users fail the same MFA check:

User               | Has MFA | Context                                              | Real Risk
admin_user         | No      | Full admin access, no deny policy                    | CRITICAL
marketing_readonly | No      | Read-only role, limited to S3                        | LOW
dev_user           | No      | Power user access, but MFA enforcement policy active | MEDIUM

All three fail the same control. All three get labeled HIGH by traditional tools. But the actual risk ranges from genuinely critical to practically negligible.

What Is Residual Risk?

Residual risk is the actual remaining risk after considering all contextual factors:

  • Permissions: What can this resource actually do?
  • Configurations: Are there compensating controls in place?
  • Dependencies: What does this resource connect to?
  • Exposure: Is this resource internet-facing?

By analyzing these factors, we can calculate a risk score that reflects reality — not just a generic severity label.

How Vigimati Calculates Residual Risk

When a resource fails a control, Vigimati doesn't stop at the failure. It evaluates:

  1. Base severity — the inherent risk of the control
  2. Resource context — permissions, policies, and configurations
  3. Compensating controls — mitigations that reduce exposure
  4. Environmental factors — network exposure, data sensitivity

The result is a score from 0 to 10 that tells you exactly how worried you should be about each specific finding.
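The following is an added worked example, not Vigimati's engine or any code from the post. It shows how the contextual factors listed earlier (permissions, compensating controls, exposure, data sensitivity) can be folded into the four-step calculation to produce a 0 to 10 residual score, using the three IAM users from the scenario above as constructed input. The weights, discounts, score bands and field names (PERMISSION_WEIGHT, SENSITIVITY_BONUS, mfa_enforced, deny_policy, internet_facing) are assumptions chosen for illustration; a real engine would derive them from the account's actual policies and network configuration.

```python
# Illustrative residual-risk scoring for failed-control findings.
# Constructed example: weights, bands and field names are assumptions,
# not Vigimati's scoring model.
from dataclasses import dataclass

# Step 1, base severity: the generic label the control carries.
BASE_SEVERITY = {"LOW": 2.0, "MEDIUM": 5.0, "HIGH": 8.0, "CRITICAL": 10.0}

# Step 2, resource context: what the identity can actually do (assumed weights).
PERMISSION_WEIGHT = {"admin": 1.0, "power": 0.8, "readonly": 0.25}

# Step 4, environmental factor: sensitivity of the data reachable (assumed bonus).
SENSITIVITY_BONUS = {"low": 0.0, "medium": 0.5, "high": 1.0}


@dataclass
class Finding:
    """One resource failing one control, plus the context needed to score it."""
    resource: str
    control: str
    base_severity: str             # key of BASE_SEVERITY
    permissions: str               # key of PERMISSION_WEIGHT
    data_sensitivity: str = "low"  # key of SENSITIVITY_BONUS
    deny_policy: bool = False      # compensating control: explicit deny narrows blast radius
    mfa_enforced: bool = False     # compensating control: policy blocks actions until MFA is present
    internet_facing: bool = False  # environmental factor: reachable from the internet


def residual_risk(f: Finding) -> float:
    """Return a 0-10 score that reflects the finding's context, not just its label."""
    score = BASE_SEVERITY[f.base_severity]
    # Step 2: scale by effective permissions.
    score *= PERMISSION_WEIGHT[f.permissions]
    # Step 3: compensating controls reduce exposure (assumed multiplicative discounts).
    if f.mfa_enforced:
        score *= 0.6
    if f.deny_policy:
        score *= 0.7
    # Step 4: environmental factors add exposure.
    if f.internet_facing:
        score += 1.0
    score += SENSITIVITY_BONUS[f.data_sensitivity]
    return round(min(max(score, 0.0), 10.0), 1)


def classify(score: float) -> str:
    """Map a residual score back to a label so it can be compared with the control's label."""
    if score >= 8.0:
        return "CRITICAL"
    if score >= 6.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def prioritize(findings, threshold):
    """Findings whose residual risk exceeds the threshold, most severe first."""
    scored = sorted(((residual_risk(f), f.resource) for f in findings), reverse=True)
    return [(s, name) for s, name in scored if s > threshold]


# Constructed input: the three IAM users from the scenario, all failing the same HIGH control.
MFA_CONTROL = "IAM users should have MFA enabled"
SCENARIO = [
    Finding("admin_user", MFA_CONTROL, "HIGH", "admin", data_sensitivity="high"),
    Finding("marketing_readonly", MFA_CONTROL, "HIGH", "readonly"),
    Finding("dev_user", MFA_CONTROL, "HIGH", "power", data_sensitivity="medium", mfa_enforced=True),
]

if __name__ == "__main__":
    for f in SCENARIO:
        s = residual_risk(f)
        print(f"{f.resource:20} label: {f.base_severity:6} residual: {s:4} -> {classify(s)}")
    print("fix first:", prioritize(SCENARIO, 8.0))
```

Run as a script and the three users, all labelled HIGH by the control, come out as CRITICAL (9.0), LOW (2.0) and MEDIUM (4.3), matching the table in the scenario; prioritize(SCENARIO, 8.0) returns only admin_user, which is the "what to fix first" cut the post describes. The order of the steps matters: compensating controls are applied as discounts before exposure bonuses are added, so an internet-facing resource never drops below the exposure floor just because a policy exists.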

Why This Matters

When your CSPM shows 5,000 HIGH findings, you have no idea where to start. When Vigimati shows you that 200 of those have a residual risk above 8.0, you know exactly what to fix first.

Prioritization isn't about severity. It's about context.

Start Measuring Real Risk

Vigimati's residual risk engine is included in every plan, including the free tier. Connect your AWS account and see the difference context makes.
