Platform · Risk Scoring

One score for every certificate’s risk.

MachineCert scores every certificate from 0 to 100 using expiry, cryptographic strength, exposure, chain health, and ownership — so your team always knows what to fix first.

0–100 score · Prioritized queue · Trackable posture
risk scoring · acme-corp · 2 critical
legacy.acme.com: risk score 12 (SHA-1)
shadow.acme.io: risk score 28 (unowned)
api.example.com: risk score 58 (expiring)
*.stripe.com: risk score 91 (healthy)
auth.acme.com: risk score 86 (healthy)

The problem

Millions of certs, no sense of priority.

Visibility without prioritization just moves the problem. Teams need to know which certificates actually matter — right now.

Flat inventories

A list of millions of certs with no priority is just noise.

Alert fatigue

Everything-is-urgent alerting trains teams to ignore alerts.

Hidden weak spots

SHA-1, short keys, and exposed certs blend into the crowd.

No measurable posture

Without a score, you can’t track whether risk is improving.

How it works

From raw signals to a single number.

1. Collect signals

Gather expiry, crypto, exposure, chain, and ownership data.

2. Weight & score

Combine signals into a single 0–100 risk score per cert.

3. Rank

Sort the entire estate so the riskiest certs surface first.

4. Route & track

Send to owners and trend the score over time.

The risk engine

Many signals, one risk score.

Inputs
Expiry: days remaining
Crypto strength: algorithm · key size
Exposure: public vs internal
Ownership: owned vs orphaned

Risk 0–100: weighted & ranked

Drives
Prioritized alerts: worst first
Remediation: rotate · renew
Posture trend: track over time

Scoring legend

Every certificate ranked from 0 to 100.

95–100: Healthy
75–94: Review
50–74: Elevated risk
0–49: Immediate action

What you see

Risk prioritization dashboard.

risk · prioritized · acme-corp · sorted · highest risk first

Score | Certificate | Tier | Why
12 | vpn.corp.local | Immediate | expires 7d · RSA-1024
38 | legacy.acme.io | Immediate | expires 14d · unowned
71 | api.example.com | Elevated | expires 30d · SAN mismatch
84 | cdn.acme-corp.com | Review | expires 90d · chain ok
96 | *.stripe.com | Healthy | expires 365d · auto-renew

Outcomes

Turn an inventory into an action plan.

Fix what matters first

The riskiest certificates rise to the top automatically.

End alert fatigue

Signal over noise — only meaningful risk gets attention.

Catch weak crypto

SHA-1 and short keys score low and surface fast.

Measure posture

Track risk trending down across teams over time.

Context-aware

Exposure and blast radius factor into every score.

Board-ready metrics

One number leadership can actually track.

FAQ

Risk scoring, answered.

MachineCert combines multiple weighted signals — how soon the certificate expires, its cryptographic strength (algorithm and key size), its exposure (public vs internal), chain and revocation health, and whether it has a known owner — into a single 0–100 score.
A low score indicates higher risk — for example a publicly exposed certificate using weak crypto that expires soon and has no owner. These rise to the top of the queue for immediate attention.
A flat list of millions of certificates gives no sense of priority. Risk scoring ranks them so teams fix the certificates that actually threaten security or availability first, instead of guessing.
Yes. A weak certificate on a public, internet-facing service is far riskier than the same certificate on an isolated internal system, and the score reflects that.
Instead of alerting on everything equally, MachineCert escalates by risk — so the highest-impact issues get attention and routine items don’t drown them out.
Yes. Risk scores are trended per team and across the organization, so you can demonstrate that certificate posture is measurably improving.
The score drives action: high-risk certificates can be routed to owners, escalated, or automatically remediated through renewal and rotation.
A single, consistent risk metric gives security leaders and auditors a clear, trackable measure of certificate posture — far more useful than raw counts.
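
One way the weighted 0–100 scoring, the exposure adjustment and the tier legend described on this page could fit together, as an added example that is not MachineCert's code. The weights, the internal-exposure factor, the 90-day expiry window and the sample certificates are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical weights and exposure factors; the page does not publish the product's values.
WEIGHTS = {"expiry": 35, "crypto": 35, "chain": 15, "ownership": 15}  # sums to 100
EXPOSURE = {True: 1.0, False: 0.6}  # public deficits count in full, internal ones are damped
WEAK_HASHES = {"md5", "sha1"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
# Tier floors taken from the page's scoring legend.
TIERS = [(95, "Healthy"), (75, "Review"), (50, "Elevated risk"), (0, "Immediate action")]

@dataclass
class Cert:
    name: str
    days_left: int
    sig_hash: str
    key_alg: str
    key_bits: int
    public: bool
    chain_ok: bool
    owner: Optional[str]

def score(c: Cert) -> int:
    """0-100, low = risky: weighted per-signal deficits, scaled by exposure."""
    deficit = {
        "expiry": 1 - max(0, min(c.days_left, 90)) / 90,  # full deficit once expired
        "crypto": float(c.sig_hash.lower() in WEAK_HASHES
                        or c.key_bits < MIN_KEY_BITS.get(c.key_alg, 2048)),
        "chain": float(not c.chain_ok),
        "ownership": float(not c.owner),
    }
    penalty = sum(WEIGHTS[k] * d for k, d in deficit.items()) * EXPOSURE[c.public]
    return round(max(0.0, 100 - penalty))

def tier(s: int) -> str:
    return next(label for floor, label in TIERS if s >= floor)

def queue(certs):
    """Riskiest (lowest score) first, as (score, name, tier) rows."""
    return sorted((score(c), c.name, tier(score(c))) for c in certs)

# Constructed sample estate: the first two differ only in exposure.
ESTATE = [
    Cert("vpn-public.example.test", 7, "sha1", "RSA", 1024, True, True, None),
    Cert("vpn-internal.example.test", 7, "sha1", "RSA", 1024, False, True, None),
    Cert("api.example.test", 30, "sha256", "EC", 256, True, True, "team-api"),
    Cert("www.example.test", 365, "sha256", "RSA", 2048, True, True, "team-web"),
]
if __name__ == "__main__":
    for s, name, t in queue(ESTATE):
        print(f"{s:3d}  {name:28s} {t}")
```

The two VPN entries carry the same weak certificate; only the exposure flag differs, which moves the internal copy out of the lowest tier while leaving it ahead of the healthy certificates in the queue.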
Get started

See your riskiest certificates first.

Run a free domain scan and get a risk-scored, prioritized view of every certificate you own.
