Version 6.3 · VECTORS seven-dimension composite · Updated May 15, 2026
A defensible, outside-in measurement of the daily condition of the digital ecosystem, derived entirely from public, authoritative, machine-readable sources. Not a company-specific internal risk score.
The Internet Cyber Health Index (ICHI) aggregates signals across seven dimensions of cyber threat activity into a single 0–100 composite score updated continuously as data arrives. It answers the question an executive would actually ask: how bad is it out there today, and what should I do differently?
The index is deliberately outside-in. It does not measure your organization's posture — it measures the condition of the broader Internet ecosystem your organization depends on: the vulnerabilities being weaponized right now, the infrastructure failing, the adversary machinery in motion, and the software supply chain you import from.
ICHI now uses the VECTORS model as its headline scoring base. VECTORS evaluates seven observable pressure areas across the digital ecosystem: Vulnerability Pressure, Exploitation, C2 / Malware Infrastructure, Threat Actors, Outages, Ransomware, and Supply Chain.
The previous production model, TVIEWS, was a broader six-dimension composite covering Threat Activity, Vulnerability Pressure, Operational Impact, Exposure Surface, Weaponization, and Systemic Stress. VECTORS is intended to be more operational, more explainable, and more directly tied to external cyber telemetry — each VECTORS dimension corresponds to a specific class of public, observable feed rather than to a conceptual category that mixes several feeds together.
TVIEWS remains referenced in this document only as the previous/original model, for visitors comparing the current ICHI scoring to earlier published values. It is no longer the active scoring model.
How to read the score. ICHI is a directional signal, not a forecast precise to a single integer. The severity band (NORMAL · GUARDED · ELEVATED · HIGH · CRITICAL) is the operative read; the integer score is published as a courtesy. Treat moves within a band as noise; treat band crossings as meaningful. The seven dimension weights are expert-prior estimates from the operator, not empirically backtested against historical events. A weight-calibration revision against named events (Shai-Hulud, CrowdStrike outage, MOVEit, xz-utils, LastPass) is planned but not yet shipped.
Top Cyber Event is explanatory. Each day ICHI surfaces a dominant observed condition — a ransomware spike, a KEV mass-exploitation wave, a supply-chain compromise, an outage cluster, a data-quality event, or remediation pressure. The Top Event card explains what is driving today's number. The Top Event does not add points to the composite. The headline integer comes from the weighted VECTORS sum plus two meta-condition uplifts (VID and Remediation Pressure) which measure things VECTORS does not capture.
Scoring policy. ICHI uses VECTORS as the headline scoring base. Limited meta-condition adjustments may be applied only for ecosystem-level conditions not directly represented as a VECTORS dimension, such as Vulnerability Intelligence Degradation or Remediation Pressure. Top Event is explanatory only and does not alter the score. Dimension signals (V, E, C, T, O, R, S) are not uplifted twice — if a condition already maps cleanly to a VECTORS dimension, that dimension carries the weight on its own.
Methodology revision · r63 · 2026-05-15. Renamed Patch Window Pressure to Remediation Pressure to reflect the broader operational pressure on defenders. Remediation is broader than patching alone — it includes vendor mitigations and workarounds, compensating controls, WAF / Akamai / firewall rules, disabling exposed services, configuration changes, segmentation and exposure reduction, identity-control changes, credential rotation, EDR detections and blocking, threat hunting, and incident containment. The scoring math is unchanged in r63; the existing proxies (fresh critical CVEs, KEV velocity, network-reachable bug volume, Patch Tuesday window) remain as indicators of defender action burden. The model rebuild — adding EPSS pressure, exploit references, ransomware relevance, and vendor mitigation advisories as direct inputs — is planned for a later release.
Methodology revision · r59 · 2026-05-15. Removed the Top Cyber Event composite uplift and the standalone supply-chain uplift — both double-counted signals already captured by the VECTORS dimensions, and the Top Event card is now explanatory only. Retained the VID (data-quality) and Remediation Pressure uplifts because they measure conditions outside VECTORS. Renamed the AI-Accelerated N-Day Weaponization condition to Patch Window Pressure in r59 (and then to Remediation Pressure in r63) to match what its proxies actually measure (calendar position, fresh CVE volume, KEV velocity — not AI activity itself). Promoted the severity band over the integer score in the hero UI to reduce precision overclaiming.
Methodology revision · r46 · 2026-05-13. The index moved from the six-dimension TVIEWS model to the seven-dimension VECTORS model. The old Weaponization Pressure dimension was split into C2 / Malware Infrastructure and Threat Actors — those signals had always been conceptually distinct. The old Systemic Stress dimension, which mixed cloud/CDN outages with concentration risk, was retired in favor of Supply Chain (pressure on the software trust graph) — concentration risk moved into Outages. Ransomware was promoted from a sub-signal under the old Threat dimension to its own dimension, since it is the consequence layer most operators track separately. Expect 5–15 points of movement on the composite for the same world-state vs. r45.
Seven dimensions, each scored 0–100, combined into a weighted composite. The letter abbreviation spells VECTORS.
| Dim | Name | Weight | What it measures | Primary signals |
|---|---|---|---|---|
| V | Vulnerability Pressure | 18% | Vulnerability pipeline: critical and high CVEs published today, KEV additions over 7 days, KEV-ransomware overlap, vendor advisory pulse across 17 vendors. | NVD JSON 2.0, CISA KEV, 17-vendor advisory aggregate |
| E | Exploitation | 17% | The live weaponization signal — EPSS top-10 concentration above 0.9, CVEs with confirmed public exploit references, and KEV catalog burn rate. | FIRST.org EPSS, NVD reference exploit detection, CISA KEV |
| C | C2 / Malware Infrastructure | 13% | The attacker-machinery layer: active C2 footprint, C2 growth velocity over 24 hours, mass-scanning intensity at the top-port level. | abuse.ch Feodo Tracker, SANS DShield top records |
| T | Threat Actors | 12% | Who is operating — distinct named adversaries mentioned in threat-intel feeds (90-day window) and reporting velocity. | 13 threat-intel feeds: Mandiant, CrowdStrike, Microsoft Threat, Talos, Kaspersky, SentinelLabs, Unit 42, Check Point, DFIR Report, ESET, BleepingComputer, DarkReading, The Record |
| O | Outages / Operational Impact | 15% | What disruption is already visible: vendor statuspage outages, SEC 8-K Item 1.05 disclosures over 30 days, CISA infrastructure advisories, and a binary tier-1 concentration-risk indicator. | 55 vendor statuspages (3 tiers), SEC EDGAR Item 1.05, CISA ICS · Joint · OFAC |
| R | Ransomware | 13% | Ransomware operations layer — victim posts in the last 24 hours and 7 days from ransomware leak sites, plus CISA's KEV ransomware-tagged adds over 7 days. | ransomware.live, CISA KEV (ransomware-tagged) |
| S | Supply Chain | 12% | Pressure on the software trust graph: classification level from /api/supply-chain (CRITICAL/MAJOR/ELEVATED/NOMINAL), plus advisory volume across five ecosystem feeds. The S dimension stands on its own in the composite — there is no separate supply-chain uplift on top (removed in r59 because it double-counted the S signal). | GitHub Advisory DB, OSV.dev, PyPI Security, npm Security, Sigstore/SLSA, CISA Cybersecurity Advisories |
Each dimension is scored 0–100 using logarithmic (ln) and square-root (rt) transforms to prevent single signals from dominating. The composite is a fixed weighted sum, plus two meta-condition uplifts that measure things VECTORS does not capture:
Logarithmic scaling compresses extreme values: a day with 1,000 C2 servers doesn't score 10× a day with 100. Square-root scaling is used where moderate growth is more meaningful than extreme concentration.
Note on precision and calibration. ICHI is a directional signal, not a forecast precise to a single point. The integer score is published as a courtesy; the severity band is the operative read. The seven dimension weights are expert-prior estimates from the operator, not empirically backtested against historical events. Treat moves within a band (e.g. 42 → 47, both GUARDED) as noise; treat band crossings as meaningful. Future revisions may publish a backtested weight calibration against named events (Shai-Hulud, CrowdStrike outage, MOVEit, xz-utils, LastPass); until then, the weights should be read as a defensible starting point, not a settled measurement.
| Score · Band | What it indicates | Recommended action |
|---|---|---|
| 0–24 · NORMAL | Background threat activity within normal parameters. Standard operations tempo is appropriate. | Standard monitoring. Routine patch cadence. |
| 25–49 · GUARDED | Above-baseline signals in one or more dimensions. Increased attacker activity, vulnerability pressure, or infrastructure stress. | Increase awareness. Review new advisories. Confirm KEV patch status. |
| 50–69 · ELEVATED | Significant threat convergence across multiple dimensions — active exploitation, infrastructure stress, and adversary tooling coinciding. | Prioritize KEV coverage. Review external exposure. Increase third-party monitoring. |
| 70–84 · HIGH | High-severity signals across multiple dimensions. Active campaign pressure correlates with this band. | Activate heightened cyber posture. Executive reporting. Validate IR readiness. |
| 85–100 · CRITICAL | Systemic cyber stress. Historically rare; correlates with active campaigns, major infrastructure events, or mass exploitation. | Emergency response posture. Executive notification. Consider isolation of highest-risk systems. |
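The weighted sum, the two meta-condition uplifts, the cap of 99 and the band lookup can be reproduced as follows. This is an added JavaScript example, not ICHI's own scoring code: rounding to the nearest integer is an assumption, and the dimension scores for the three days are constructed.

```javascript
// Added example, not ICHI's production code. Weights, uplift values, the cap
// of 99 and the band edges are taken from this page; rounding to the nearest
// integer is an assumption, and the dimension scores below are constructed.
const WEIGHTS = { V: 18, E: 17, C: 13, T: 12, O: 15, R: 13, S: 12 }; // percent
const VID_UPLIFT = { NORMAL: 0, ELEVATED: 2, HIGH: 4, SEVERE: 6 };
const RP_UPLIFT = { LOW: 0, MODERATE: 2, SEVERE: 4, CRITICAL: 6 };
const BANDS = [[85, "CRITICAL"], [70, "HIGH"], [50, "ELEVATED"], [25, "GUARDED"], [0, "NORMAL"]];

const bandFor = (score) => BANDS.find(([floor]) => score >= floor)[1];

function lookup(table, key) {
  if (!Object.prototype.hasOwnProperty.call(table, key)) {
    throw new RangeError(`unknown meta-condition level: ${key}`);
  }
  return table[key];
}

function composite(dims, vidLevel, rpLevel) {
  let weightedSum = 0; // sum of score x percent weight, divided by 100 below
  for (const [dim, weight] of Object.entries(WEIGHTS)) {
    const value = dims[dim];
    if (!Number.isFinite(value) || value < 0 || value > 100) {
      throw new RangeError(`dimension ${dim} must be a number in 0..100`);
    }
    weightedSum += value * weight;
  }
  const base = weightedSum / 100;
  const uplift = lookup(VID_UPLIFT, vidLevel) + lookup(RP_UPLIFT, rpLevel);
  const score = Math.min(99, Math.round(base + uplift)); // uplifts cannot push past 99
  return { base, uplift, score, band: bandFor(score) };
}

// Day-over-day read: the integer delta is context, the band crossing is the signal.
function compareDays(prev, curr) {
  return { delta: curr.score - prev.score, bandCrossed: prev.band !== curr.band };
}

// Constructed dimension scores for three consecutive days.
const DAY1 = composite({ V: 40, E: 50, C: 30, T: 45, O: 20, R: 60, S: 35 }, "ELEVATED", "MODERATE");
const DAY2 = composite({ V: 40, E: 50, C: 30, T: 45, O: 20, R: 90, S: 35 }, "ELEVATED", "MODERATE");
const DAY3 = composite({ V: 40, E: 50, C: 30, T: 45, O: 20, R: 90, S: 35 }, "HIGH", "SEVERE");
console.log(DAY1, compareDays(DAY1, DAY2), compareDays(DAY2, DAY3));
```

Both day-over-day moves in the sample are four points, but only the second one crosses from GUARDED into ELEVATED.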
Each day ICHI identifies the dominant observed condition — a supply-chain compromise, a KEV mass-exploitation wave, a ransomware leak-site spike, a cluster of Tier-1 vendor outages, a Vulnerability Intelligence Degradation event, or Remediation Pressure. This is the "Top Cyber Event" surfaced on the dashboard. The Top Event does not add points to the composite score. It is an explanatory narrative layer that points at which VECTORS dimension(s) the dominant condition is showing up in, so readers can audit how the day's score relates to the day's news.
Why no uplift. Earlier revisions (r48–r58) added an additive uplift to the composite when a Top Event was active — CRITICAL +20, MAJOR +13, ELEVATED +6. In r59 the uplift was removed because the underlying signal was already being counted in the VECTORS dimensions (a ransomware spike raises the R dimension; an outage cluster raises O; etc.), and adding a separate uplift double-counted the same event. The Top Event card still selects today's dominant condition and explains it in full narrative form, but the headline integer comes only from the weighted VECTORS sum plus the two meta-condition uplifts described below (VID and Remediation Pressure), which measure conditions VECTORS does not capture. The running archive of daily Top Events remains available at /events.html.
Vulnerability Intelligence Degradation (VID) measures whether public vulnerability data is complete, timely, and actionable. ICHI raises the score when CVEs are missing enrichment, KEV records change materially, ransomware-use indicators flip, or exploitation signals appear before public vulnerability context is complete. The intuition: defenders depend on timely public data — CVSS scores to triage, CWE classifications to scope, CPE configurations to identify affected stacks, and KEV indicators to prioritize patching. When that pipeline is degraded, organizations make patch decisions on incomplete information. The index reflects that uncertainty as a real risk, even when the underlying vulnerabilities are not new.
| VID level | Uplift | Triggers |
|---|---|---|
| NORMAL | +0 | Baseline. Enrichment current, no material KEV deltas, no ransomware-use flips. |
| ELEVATED | +2 | ≥30% of recent CVEs lack CVSS; or ≥40% in NVD "Awaiting Analysis"; or net new KEV adds since yesterday; or any KEV ransomware-use flip; or any KEV-listed CVE still missing NVD enrichment. |
| HIGH | +4 | ≥50% of recent CVEs lack CVSS; or ≥60% awaiting analysis; or 5+ net new KEV adds in 24h; or 3+ ransomware-use flips; or 3+ KEV-listed CVEs still un-enriched. |
| SEVERE | +6 | ≥70% of recent CVEs lack CVSS; or ≥80% awaiting analysis. Indicates the public enrichment pipeline is effectively stalled across the trailing week. |
The five trigger conditions ICHI watches: (1) NVD enrichment gap — recent CVEs missing CVSS, CPE, or CWE data; (2) NVD backlog — meaningful fraction of CVEs in "Awaiting Analysis" status past normal turnaround; (3) CISA KEV delta — new entries added since yesterday's snapshot; (4) KEV ransomware flip — knownRansomwareCampaignUse changes from "Unknown" to "Known"; (5) exploit-before-enrichment — exploitation/EPSS/vendor warnings present for CVEs whose NVD enrichment is still incomplete. The VID uplift stacks additively only with approved meta-condition uplifts (currently Remediation Pressure), capped at composite 99. Levels and signals are recomputed daily by a scheduled function (vid-builder.js) that snapshots NVD enrichment state and the KEV catalog into Netlify Blobs; the dashboard reads the snapshot on demand.
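The snapshot comparison and threshold table above can be sketched as follows. This is an added JavaScript example, not the project's vid-builder.js: the KEV field names follow CISA's public KEV JSON, while the simplified CVE record shape, the use of "no CVSS yet" as the enrichment test, and all sample values are assumptions made for illustration.

```javascript
// Added example, not ICHI's vid-builder.js. Thresholds come from the VID table
// above; KEV field names follow CISA's public KEV JSON. The simplified CVE
// records ({ id, hasCvss, vulnStatus }) and every sample value are constructed.
function diffKev(yesterday, today) {
  const prev = new Map(yesterday.map((v) => [v.cveID, v.knownRansomwareCampaignUse]));
  let newAdds = 0;
  let ransomwareFlips = 0;
  for (const v of today) {
    if (!prev.has(v.cveID)) newAdds += 1;
    else if (prev.get(v.cveID) === "Unknown" && v.knownRansomwareCampaignUse === "Known") {
      ransomwareFlips += 1;
    }
  }
  return { newAdds, ransomwareFlips };
}

function enrichmentStats(recentCves, kevToday) {
  const noCvssIds = new Set(recentCves.filter((c) => !c.hasCvss).map((c) => c.id));
  const awaiting = recentCves.filter((c) => c.vulnStatus === "Awaiting Analysis").length;
  const total = Math.max(recentCves.length, 1); // avoid 0/0 on an empty window
  return {
    noCvss: noCvssIds.size / total,
    awaiting: awaiting / total,
    // Assumption: "missing NVD enrichment" is approximated by "no CVSS yet".
    kevUnenriched: kevToday.filter((v) => noCvssIds.has(v.cveID)).length,
  };
}

function vidLevel(s) {
  if (s.noCvss >= 0.7 || s.awaiting >= 0.8) return { level: "SEVERE", uplift: 6 };
  if (s.noCvss >= 0.5 || s.awaiting >= 0.6 || s.newAdds >= 5 ||
      s.ransomwareFlips >= 3 || s.kevUnenriched >= 3) return { level: "HIGH", uplift: 4 };
  if (s.noCvss >= 0.3 || s.awaiting >= 0.4 || s.newAdds >= 1 ||
      s.ransomwareFlips >= 1 || s.kevUnenriched >= 1) return { level: "ELEVATED", uplift: 2 };
  return { level: "NORMAL", uplift: 0 };
}

function assessVid(kevYesterday, kevToday, recentCves) {
  const signals = { ...diffKev(kevYesterday, kevToday), ...enrichmentStats(recentCves, kevToday) };
  return { ...vidLevel(signals), signals };
}

// Constructed snapshots; the IDs are placeholders, not real CVEs.
const kev = (n, use) => ({ cveID: `CVE-0000-000${n}`, knownRansomwareCampaignUse: use });
const KEV_YESTERDAY = [kev(1, "Unknown"), kev(2, "Unknown")];
const KEV_TODAY = [kev(1, "Known"), kev(2, "Unknown"), kev(3, "Unknown")];
const RECENT_CVES = [3, 4, 5, 6, 7, 8, 9].map((n, i) => ({
  id: `CVE-0000-000${n}`, hasCvss: i >= 1, vulnStatus: i < 2 ? "Awaiting Analysis" : "Analyzed",
}));
```

On the sample data the enrichment fractions stay below their thresholds, so the ELEVATED result comes entirely from the KEV delta: one new entry, one ransomware-use flip, and one KEV-listed CVE without a CVSS score.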
Remediation Pressure measures the urgency placed on defenders to act based on current external cyber conditions. It includes patching, but is broader than patching alone. The signal reflects fresh critical vulnerabilities, known exploitation, KEV velocity, exploit availability, ransomware relevance, exposure risk, and conditions where compensating controls or emergency mitigations may be required.
What counts as remediation. Remediation in this context is the full set of defender actions taken in response to external cyber conditions — not just applying vendor patches. ICHI treats the following as remediation work that consumes operator capacity:
What this condition measures today. Four calendar and CVE proxies are used as initial indicators of defender action burden: (a) Patch Tuesday proximity, (b) fresh critical-severity CVE volume, (c) fresh network-reachable bug volume, (d) KEV weaponization velocity. These are good proxies because each one expands the set of remediation decisions defenders must make this week — but they are not the full signal. The scoring math has not yet been rebuilt to incorporate EPSS pressure, exploit-availability references, ransomware relevance, emergency vendor advisories, and explicit network-exposure data. Adding those inputs is planned for a later release. Until that rebuild, the current proxies stand in for the broader signal.
What this condition does not measure. It does not detect AI-assisted exploit research, AI-generated exploit code, or attacker tooling. The condition was previously labeled "AI-Accelerated N-Day Weaponization" (renamed to Patch Window Pressure in r59, then to Remediation Pressure in r63) — the current naming is meant to describe the operator-side consequence (defender action burden), not the attacker-side capability that contributes to it.
| Level | Uplift | Raw score | Operational guidance |
|---|---|---|---|
| LOW | +0 | 0 | Standard remediation cadence. Monitor advisories. |
| MODERATE | +2 | 1–2 | Prioritize internet-facing critical CVEs and review available mitigations. |
| SEVERE | +4 | 3–4 | Accelerate remediation for KEV, exploited, ransomware-linked, or network-reachable vulnerabilities. Validate compensating controls, WAF / firewall rules, and exposure reduction. |
| CRITICAL | +6 | ≥5 | Emergency remediation posture. Patch or mitigate immediately, reduce exposure, apply blocking controls, hunt for exploitation, and brief leadership. |
Note: in r63, the surfaced labels in the dashboard (Today's Snapshot card) still read as elevated / high / severe for consistency with prior releases. The operational-guidance bands above (LOW / MODERATE / SEVERE / CRITICAL) describe the same four states with action-oriented framing. A future release will align the surfaced labels.
Raw score components (each independent, additive — these are the unchanged proxies retained from the prior Patch Window Pressure formulation): (a) Patch Tuesday proximity — within 7 days after the 2nd Tuesday of the month: +1; (b) Fresh critical-severity CVEs (CVSS ≥ 9.0, published in trailing 7 days): ≥5 → +1; ≥10 → +2; (c) Fresh network-reachable bugs (CVSS vector contains AV:N, trailing 7 days): ≥3 → +1; ≥6 → +2; (d) KEV weaponization velocity (trailing 30-day median lag between NVD publication and KEV addition): ≤14d → +1; ≤7d → +2. The condition is recomputed daily by ainday-builder.js (internal name retained for route stability). Editorial override: set AINDAY_FORCE=elevated|high|severe|clear as a Netlify env var to pin the level when external conditions warrant a specific public classification. Forced levels are flagged in the Today's Snapshot fact as "(editorial)" for transparency.
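The four raw-score components and the level table can be worked through as below. This is an added JavaScript example, not the project's ainday-builder.js: the record shapes and sample data are constructed, dates are handled in UTC, and it assumes Patch Tuesday itself counts as inside the 7-day window.

```javascript
// Added example, not ICHI's ainday-builder.js. Thresholds and the level table
// come from this page; record shapes and all sample data are constructed.
const DAY = 86400000; // milliseconds
const tier = (n, one, two) => (n >= two ? 2 : n >= one ? 1 : 0);

function secondTuesday(year, month) { // month is 0-11, all dates UTC
  const firstDow = new Date(Date.UTC(year, month, 1)).getUTCDay(); // 0 = Sunday
  return new Date(Date.UTC(year, month, 1 + ((2 - firstDow + 7) % 7) + 7));
}

function inPatchWindow(now) {
  const days = Math.floor((now - secondTuesday(now.getUTCFullYear(), now.getUTCMonth())) / DAY);
  return days >= 0 && days <= 7; // assumption: Patch Tuesday itself counts
}

function median(xs) {
  if (xs.length === 0) return null;
  const s = [...xs].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function remediationPressure(now, cves, kevAdds) {
  const within = (iso, days) => {
    const age = now - new Date(iso);
    return age >= 0 && age <= days * DAY;
  };
  const fresh = cves.filter((c) => within(c.published, 7));
  const lag = median(kevAdds.filter((k) => within(k.dateAdded, 30))
    .map((k) => (new Date(k.dateAdded) - new Date(k.nvdPublished)) / DAY));
  const parts = {
    patchTuesday: inPatchWindow(now) ? 1 : 0,
    critical: tier(fresh.filter((c) => c.cvss >= 9.0).length, 5, 10),
    network: tier(fresh.filter((c) => c.vector.includes("AV:N")).length, 3, 6),
    kevVelocity: lag === null ? 0 : lag <= 7 ? 2 : lag <= 14 ? 1 : 0,
  };
  const raw = parts.patchTuesday + parts.critical + parts.network + parts.kevVelocity;
  const [level, uplift] = raw >= 5 ? ["CRITICAL", 6] : raw >= 3 ? ["SEVERE", 4]
    : raw >= 1 ? ["MODERATE", 2] : ["LOW", 0];
  return { raw, level, uplift, parts, medianLagDays: lag };
}

// Constructed sample: six fresh CVEs and three KEV additions, evaluated 2026-05-15.
const SAMPLE_NOW = new Date("2026-05-15T12:00:00Z");
const SAMPLE_CVES = [9.8, 9.1, 9.0, 9.3, 10.0, 7.5].map((cvss, i) => ({
  published: `2026-05-1${i % 5}T00:00:00Z`, cvss,
  vector: `CVSS:3.1/AV:${i < 4 ? "N" : "L"}/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`,
}));
const SAMPLE_KEV = [
  { dateAdded: "2026-05-12", nvdPublished: "2026-05-02" },
  { dateAdded: "2026-05-06", nvdPublished: "2026-04-30" },
  { dateAdded: "2026-04-28", nvdPublished: "2026-04-08" },
];
console.log(remediationPressure(SAMPLE_NOW, SAMPLE_CVES, SAMPLE_KEV));
```

Each of the four components contributes one point on the sample data, giving a raw score of 4 and the SEVERE level.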
The Internet Cyber Health Index is not investment advice. It is not breach attribution. It is not a prediction engine. It is not a substitute for enterprise-specific risk assessment. It is based on public, commercial, and observed cyber-risk indicators. It is designed as a composite signal of digital ecosystem stress.
ICHI is a directional cyber-risk signal, not a deterministic forecast.
The index is maintained by Joe Bernik, a cybersecurity executive who built this as a personal outside-in daily briefing tool. The methodology is open: all sources are public, the weight derivation is published here, and the scoring code runs entirely in the browser and Netlify edge functions.