# Risks

Risk scoring in Veza helps identify and prioritize critical authorization issues across software environments, enabling security and governance teams to coordinate efforts on strategic focus areas.

By assigning risk levels to queries that detect potentially dangerous access patterns, misconfigurations, or compliance violations, you can:

* Triage identity and access issues at scale
* Prioritize response efforts based on risk severity
* Add risk context in Access Reviews
* Track risk metrics and trends over time
* Enable risk-based alerting and automation

Use the **Access Intelligence** > **Risks** page to get an overview of all queries with risk levels and details about each entity flagged as a risk.

Risks provide a framework for understanding and managing potential issues within your environment, based on the latest metadata in Access Graph. You can use out-of-the-box queries that detect common risks such as over-privileged access and misconfigurations, and then customize these queries or create your own for risks specific to your environment and security policies. You can enable alerts for critical risks that require immediate attention, triggering actions and notifications when changes are detected.

Risk Profiles are designed to organize and prioritize different types of risks. You can document specific exceptions with notes to maintain an audit trail, and monitor risk trends over time using the Open & Resolved Risks chart on the Risks overview.

### Risk profiles and the Veza risk framework

Veza organizes risks into **Risk Profiles**, categories that help you understand and prioritize different types of authorization risks. Risk Profiles provide a framework for classifying queries based on the type of risk they detect, making it easier to focus your efforts and track security posture across different risk domains.

Risk Profiles also ensure consistent query organization across dashboards, surfacing common risk themes that span multiple integrations.

#### Risk profile categories

Veza defines eight Risk Profile categories, listed in priority order:

| Risk Profile          | Description                                                                                                                                                                                                                                |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **MFA Health**        | Detects multi-factor authentication (MFA) implementation and enforcement risks. Queries in this profile identify identities without MFA enabled, weak MFA configurations, or MFA bypass conditions.                                        |
| **Privileged Access** | Identifies excessive or unnecessarily high-impact privileges. These queries identify over-permissioned accounts, unused administrative access, and risks associated with privilege accumulation.                                           |
| **Dormant Access**    | Finds inactive identities that retain access permissions. These queries identify accounts that have not been used recently but still have assigned permissions, representing unnecessary risk exposure.                                    |
| **Blast Radius**      | Measures the scope of potential impact if an identity is compromised. Queries assess the potential damage that could result from unauthorized access to a specific identity or resource.                                                   |
| **Orphaned Access**   | Detects accounts not linked to a central identity provider or HR system. Orphaned accounts may belong to former employees or contractors, and can represent significant security risks.                                                    |
| **Access Risk**       | Covers known risky patterns that do not fit other categories. This catch-all profile captures authorization risks that require attention but are not classified elsewhere.                                                                 |
| **Identity Hygiene**  | Identifies IAM best practices and configuration issues. These queries detect naming convention violations, missing metadata, expired credentials, and other identity management concerns.                                                  |
| **Informational**     | Contains non-risk queries used for counts and inventory purposes. These queries provide useful data but do not represent security risks requiring action. This profile is not shown on the Risks page or in the Manage Risk Details modal. |

{% hint style="info" %}
The Risks page Overview tab also displays an **Uncategorized** card for risk queries that have a risk level but no assigned Risk Profile. This helps identify queries that need categorization.
{% endhint %}

**Viewing risks by profile**

The **Risks** page **Overview** tab features Risk Profile cards indicating the number of open risks in each category. Click a card to filter the **All Risks** tab by that profile and focus on specific risk domains.

On the **Access Intelligence** > **Dashboards** page, you can group queries by **Risk Profile** to organize dashboard widgets by risk category rather than by section or risk level.

**Assigning risk profiles to queries**

You can assign or modify Risk Profiles for custom queries. By default, Veza-created queries have pre-assigned Risk Profiles that cannot be changed. The **Manage Risk Details** modal provides a unified interface for updating both risk level and risk profile in a single action.

Open the Manage Risk Details modal from one of these locations:

* **All Risks table**: Click the **Actions** menu (⋮) for any risk query and select **Manage Risk Details**
* **Dashboard tiles**: Click a risk query tile on a Dashboard, then select **Manage Risk Details** from the actions
* **Queries page**: Click the **Actions** menu for any saved query with a risk level
* **Query details page**: Click **Manage Risk Details** in the query actions area

Use the modal to set either or both of these fields:

| Field            | Description                                                             |
| ---------------- | ----------------------------------------------------------------------- |
| **Risk Level**   | Select Critical, High, Medium, Low, or None to set the query's severity |
| **Risk Profile** | Select a Risk Profile category to classify the risk type                |

Click **Save** to apply your changes.

![The Manage Risk Details modal for updating risk level and profile assignments](https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-ba5154f7e48f792aed43eae1ae2a814b23ea1b18%2Frisks-manage-details.png?alt=media)

**When saving a query**

You can assign Risk Profiles when saving a query in Query Builder:

1. Open the query in **Query Builder** or the **Saved Query Details** view
2. Click **Edit** and then **Save**
3. In the save dialog, set a **Risk Level** (Critical, High, Medium, or Low)
4. Select a **Risk Profile** that describes the risk type
5. Click **Save** to apply

{% hint style="info" %}
**Veza-created query restrictions**: By default, queries created by Veza come with pre-assigned Risk Profiles that you cannot modify. When managing a Veza-created query, you can change its risk level, but the Risk Profile selection is disabled. This preserves system-defined risk categorizations while allowing you to adjust severity based on your organization's priorities.
{% endhint %}

### Risk status: Open and Resolved

Risks in Veza are considered "open" or "resolved" to indicate whether they require attention. A risk is resolved when you have addressed all flagged entities, either by fixing the underlying issue (so they no longer appear in results) or by marking them as exceptions (acknowledging they are acceptable).

The **All Risks** tab includes a **Status** filter to show only Open or Resolved risks. By default, the Overview tab displays counts for Open risks only.

* **Open**: The risk query has one or more entities in its results that are not marked as exceptions. This indicates that the risk requires investigation or that entities in the results should be marked as exceptions.
* **Resolved**: All entities in the query results have been marked as exceptions, or the query returns no results. This indicates the risk is addressed and no longer applies to any entities in your environment.

### How risk scoring works

Risk scores in Veza are calculated for each entity based on the number of associated risks and their risk levels. The scoring system weighs both the severity of risks and their cumulative impact using an algorithm designed to provide comparable scores across all entities in Access Graph.

![The risk score sidebar showing score breakdown and Bulk Omit option](https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-095cff75b15dc1a005cdf44840698ac10778b2c4%2Frisks-score-sidebar.png?alt=media)

The algorithm implements diminishing returns to prevent score inflation, and considers both:

1. The severity of the highest risk level (Critical, High, Medium, Low)
2. The total number and combination of risks affecting an entity

#### Risk score calculation

1. An entity receives a base score determined by its highest risk severity:
   * Critical risks start at **75**
   * High risks start at **50**
   * Medium risks start at **25**
   * Low risks start at **10**
2. Additional risks contribute weighted points to the base score through logarithmic scaling:
   * The scoring algorithm uses logarithmic scaling to prevent score inflation
   * Each additional risk contributes less than the previous one (diminishing returns)
   * Lower-severity risks contribute less when higher-severity risks are present
   * This approach ensures scores scale better as risk counts increase while maintaining meaningful differentiation

#### Risk score examples

*Example 1: Single Critical Risk*

An identity with 1 Critical risk receives a score of **75** (the base score for Critical risks).

*Example 2: Multiple Risk Severities*

An identity with 5 Critical, 7 High, 10 Medium, and 15 Low severity risks receives a score of approximately **91**. Diminishing returns prevent the score from inflating linearly; each additional critical risk contributes less than the previous one.

*Example 3: Accumulating Critical Risks*

An identity with 4 Critical risks receives a score of approximately **83**, showing how the score increases but with diminishing returns as more risks accumulate.

*Example 4: Mixed Severity Risks*

An identity with 2 High risks, 2 Medium risks, and 2 Low risks receives a score of approximately **55**. The High risks establish the base score (50), and the additional risks add points. Medium and Low risks contribute minimally when higher-severity risks are present.
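The following Python sketch is an added illustration of the scoring behavior described above, not Veza's algorithm or code. The base scores come from this page; the halving per-severity weights, the constant `K`, the zero score for an entity with no risks, and the function names are assumptions, fitted so that the model reproduces the four examples above after rounding.

```python
import math

# Base score by highest severity present (values documented on this page).
BASE = {"critical": 75, "high": 50, "medium": 25, "low": 10}
ORDER = ("critical", "high", "medium", "low")

# ASSUMPTIONS, not Veza's published formula: per-risk weights that halve with
# each severity step and a scaling constant K, both fitted so the model
# reproduces the four documented examples after rounding.
WEIGHT = {"critical": 1.0, "high": 0.5, "medium": 0.25, "low": 0.125}
K = 6.1


def risk_score(counts):
    """Illustrative 0-100 entity score for a {severity: risk count} mapping."""
    for severity, n in counts.items():
        if severity not in BASE:
            raise ValueError(f"unknown severity: {severity!r}")
        if n < 0:
            raise ValueError(f"negative count for {severity!r}")
    present = [s for s in ORDER if counts.get(s, 0) > 0]
    if not present:
        return 0.0  # assumption: an entity matching no risk query scores 0
    top = present[0]
    # The base score already accounts for one risk of the highest severity;
    # every other risk counts as a weighted "additional" risk.
    extra = sum(WEIGHT[s] * counts[s] for s in present) - WEIGHT[top]
    # A single logarithm over the weighted total gives diminishing returns,
    # and the result is capped at the top of the 0-100 range.
    return min(100.0, BASE[top] + K * math.log1p(extra))


def marginal_gains(severity, n):
    """Points added by the 2nd, 3rd, ... nth risk of a single severity."""
    scores = [risk_score({severity: k}) for k in range(1, n + 1)]
    return [later - earlier for earlier, later in zip(scores, scores[1:])]


if __name__ == "__main__":
    # The four examples from this page, as severity counts.
    documented = [
        {"critical": 1},
        {"critical": 5, "high": 7, "medium": 10, "low": 15},
        {"critical": 4},
        {"high": 2, "medium": 2, "low": 2},
    ]
    for counts in documented:
        print(counts, "->", round(risk_score(counts)))
    print("gain per extra Critical:",
          [round(g, 2) for g in marginal_gains("critical", 5)])
```

Because the constants are fitted to only four data points, scores shown in the Veza UI for other combinations of risks may differ from what this model returns.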

#### Understanding risk levels and scores

It is important to understand the relationship between risk queries, scores, and risk level classifications:

* **Risk Levels**: Saved queries are assigned risk levels (Critical, High, Medium, Low)
* **Risk Scores**: When entities appear in risk queries, they receive a calculated score (0-100) based on the number and severity of queries they match

For example, an entity that appears only in High-level risk queries can still receive a score of 75, which places it in the "Critical" risk level category for display purposes. This distinction helps surface entities that have accumulated significant risk exposure even within a single severity category.

### Using the Risks page

The **Access Intelligence** > **Risks** page provides a comprehensive view of authorization risks across your environment. The page is organized into two main tabs: **Overview** and **All Risks**.

#### Overview tab

The Overview tab provides a high-level summary of your risk landscape:

![The Risks Overview tab showing risk distribution, Open and Resolved trends, and Risk Profile cards](https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-3c4d4a0e71febd47cf99311d28aa48eef8a3bbed%2Frisks-overview.png?alt=media)

* **Risks by Level**: Shows the distribution of risks across Critical, High, Medium, and Low severity levels.
* **Open & Resolved Risks**: Shows Open vs. Resolved risks over time for burndown tracking.
* **Risk Profiles**: Clickable cards indicating open risks in each Risk Profile category, and an **Uncategorized** card for queries without an assigned profile. Click a card to navigate to the All Risks tab filtered by that profile.
* **Top 5 Affected Integrations**: Table of integrations by most active risks, helping identify which systems need the most attention.

#### All Risks tab

The All Risks tab displays a filterable table of all risk queries:

![The All Risks tab showing filterable risk queries with status, severity, and affected entity counts](https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-1d1df53711b58f5e2fb296486cae29368ef6670f%2Frisks-all-risks.png?alt=media)

**Available Filters:**

* **Status**: Filter by Open or Resolved risks
* **Integration Types**: Filter by specific integrations or data sources
* **Risk Level**: Filter by Critical, High, Medium, or Low severity
* **Risk Profiles**: Filter by Risk Profile category
* **Created By**: Filter by query creator (System or specific users)
* **Search**: Text search across query names

**Query-level actions**: Click the Actions menu (⋮) for any risk query to access:

* **Open in Query Builder**: View and modify the query definition
* **Create Rule**: Create an automation rule based on this query
* **Create Alert**: Set up notifications when query results change
* **Manage Exceptions**: View and manage exceptions for entities flagged by this query
* **Manage Risk Details**: Update the risk level and Risk Profile assignments
* **Launch Access Review**: Create an access review for the entities flagged by this query

### Taking action on risks

The Risks page supports a triage workflow for systematically identifying, prioritizing, and addressing authorization risks. Start on the Overview tab to understand your risk landscape, then drill down through Risk Profiles and filters to focus on specific issues.

**Query-level actions** (from the All Risks table):

* **Create Rule** or **Create Alert**: Set up automated notifications and [Veza Actions](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/administration/administration/notifications) when risk conditions change
* **Launch Access Review**: Create a review for stakeholders to evaluate flagged access
* **Manage Exceptions**: View and manage all exceptions for a risk query
* **Manage Risk Details**: Update the Risk level and Risk Profile assignments

**Entity-level actions** (from the Affected Entities tab in query details):

* **Open in Graph**: View the entity and its relationships in Graph view
* **Mark as Exception**: Acknowledge that specific flagged access is intentional or acceptable
* **Add Risk Assignee**: Assign ownership for addressing a specific risk entity
* **Add Note**: Document decisions or context about a flagged entity

{% hint style="info" %}
For step-by-step instructions, see [Investigate risks](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/risks/investigate-risks).
{% endhint %}

### Risk query details

Risk queries can include explanatory information to help teams understand and address security issues. Many Veza-created queries include these details, and you can add them to any custom query.

To view query details, click on a risk query to open the details view. The details view shows:

* **Risk Explanation**: Background on why this pattern represents a risk
* **Trend over Time**: Chart showing how the count of affected entities has changed
* **Affected Entities**: Table of entities currently flagged by the query

From the query details view, you can use the query-level actions menu to create rules, alerts, or access reviews.

![Query details view showing risk explanation, trend chart, and action options](https://1967633068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZDkWMxox3pekd0NsZJ%2Fuploads%2Fgit-blob-6f7da5525e0783a80614c09a6a9f74701aefe3cd%2Frisks-query-details.png?alt=media)

#### Working with affected entities

The **Affected Entities** tab in the query details view lists all entities currently flagged by the risk query. Click the Actions menu (⋮) for any entity to access entity-level actions:

* **Open in Graph**: View the entity and its relationships in Graph view
* **Open in Query Builder**: Open the query with this entity in context
* **Mark as Exception**: Mark the entity as an exception for this risk query
* **Add Risk Assignee**: Assign an owner responsible for addressing this risk
* **Add Note**: Add contextual notes about this risk entity

These actions let you triage individual entities within a risk query, documenting decisions and assigning ownership as you work through flagged access.

### Configuring risks

#### Define risks from queries

Assign risk levels (Critical, High, Medium, or Low) to saved queries to enable risk scoring. When you assign a risk level, entities that match the query receive a calculated risk score. You can also assign Risk Profiles to categorize queries by the type of issue they detect.

{% hint style="info" %}
For step-by-step instructions, see [Configure risk levels and profiles](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/risks/configure-risk-levels-and-profiles).
{% endhint %}

#### Manage exceptions

When an entity appears in risk query results but represents intentional or acceptable access, mark it as an exception. Exceptions acknowledge that you have reviewed the flagged access and determined it does not require action.

{% hint style="info" %}
For step-by-step instructions, see [Manage risk exceptions](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/risks/manage-risk-exceptions).
{% endhint %}

#### Use Risk Profiles on dashboards

Risk Profiles can organize dashboard widgets by risk category. On the **Access Intelligence** > **Dashboards** page, use the **Group By** dropdown and select **Risk Profile** to see queries grouped by their assigned categories.

### Enable risk-based alerting

Create [Alert Rules](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/rules-and-alerts) to get notifications when:

1. The number of entities with risks increases beyond a threshold
2. New Critical or High risks are detected
3. Risk scores change significantly

You can configure rules to trigger Veza Actions, including:

* Email notifications
* Slack messages
* Jira tickets
* ServiceNow incidents
* Custom webhooks
* [On-demand Access Reviews](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/on-demand-reviews)

{% hint style="info" %}
**Customize alert emails**: Administrators can customize alert and risk email notifications using custom templates. Navigate to **Administration** > **System Settings** > **Custom Templates** to configure templates with placeholder tokens for alert fields. See [Customizing email templates](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/administration/administration/notifications/email-templates/customizing-templates#access-intelligence-templates) for details.
{% endhint %}

### Remediate risky findings

When queries have findings with a risk level, you can create tickets or send notifications to initiate remediation directly from the query details view or from dashboards.

Remediation channels include:

* Jira tickets (with optional assignee)
* ServiceNow incidents
* Slack messages

For step-by-step instructions, see [Remediation actions](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/remediation-actions).

### See also

* [Investigate risks](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/risks/investigate-risks)
* [Configure risk levels and profiles](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/risks/configure-risk-levels-and-profiles)
* [Manage risk exceptions](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/risks/manage-risk-exceptions)
* [Remediation actions](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/remediation-actions)
* [Rules and Alerts](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/rules-and-alerts)
* [Customizing email templates](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/administration/administration/notifications/email-templates/customizing-templates#access-intelligence-templates)
* [Dashboards](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/insights/dashboards)
* [Access Reviews](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-reviews)
