Legacy Risk Strategies End-of-Life Announcement

On January 21, 2026, we are deprecating our legacy risk strategies:

  • Real Risk
  • Temporal
  • TemporalPlus
  • Weighted
  • PCI ASV 2.0

Impact

Legacy risk strategies will be automatically replaced by our enhanced Active Risk algorithm, which is already available. Active Risk incorporates CVSS v3.0+ standards, real-world exploit intelligence from additional sources such as AttackerKB, and comprehensive attack vector analysis. Your current dashboards and reporting will work normally throughout 2025, giving you time to transition smoothly without affecting your security metrics or SLAs. Active Risk has enhancements planned for January 5, 2026, which will provide even more robust risk assessments.

ℹ️ Risk scores may appear higher initially due to the improved calculation methodology.

Higher risk scores do not necessarily indicate new vulnerabilities, but instead reflect a more accurate risk assessment to help you better secure your organization. We recommend reviewing your executive dashboards and reporting thresholds after the transition to ensure they align with the enhanced scoring system.

Active Risk

Active Risk is Rapid7’s recommended built-in strategy for assessing and analyzing vulnerability risk on a scale of 0-1000. Active Risk uses the latest CVSS score with intelligence from threat feeds like AttackerKB, Metasploit, ExploitDB, Project Lorelei, CISA KEV list, and other third-party dark web sources to provide security teams with a threat-aware vulnerability risk score and to help prioritize remediation for the most critical vulnerabilities.

Active Risk provides the following benefits:

  • Prioritize with intent: Focus on vulnerabilities with actual working exploits, not just theoretical risks
  • Gain real-world context: Take action based on risk scores that reflect the active threat landscape and attacker behavior
  • Accelerate response: By identifying which vulnerabilities attackers are actively targeting, your team mobilizes more effectively
  • Future-proof model: Take into account emerging risk factors, including planned updates to real-world exploitability rolling out after January 1, 2026.

For more information, read our overview of Active Risk.

Planned Active Risk Enhancements

Active Risk is designed to be a future-proof model that continuously incorporates emerging risk factors. As a result, on January 5, 2026, we will be rolling out enhancements to our Active Risk vulnerability scoring methodology to provide more precise risk assessments based on advanced threat intelligence and current security frameworks.

Why is this enhancement critical?

Modern threat landscapes require more nuanced vulnerability assessment beyond traditional CVSS scoring. Our enhanced methodology now incorporates critical risk factors that significantly impact real-world exploitability, including:

  • End-of-Life (EOL) Software Vulnerabilities: Increased risk of software that will never receive security updates and remain vulnerable indefinitely
  • Zero-Day Vulnerabilities: Vulnerabilities that are being actively exploited in the wild before patches or other defensive mechanisms are available
  • Advanced Threat Intelligence Integration: Incorporating real-time exploitation intelligence from threat feeds and software lifecycle status and support timelines

What is the impact on my environment?

Our refined algorithm will deliver more accurate vulnerability prioritization tailored to real-world risk scenarios. While most scores will remain consistent, you may notice some vulnerabilities receiving updated risk ratings, including changes to severity categories, to more accurately reflect their security impact. Please note no changes will be made to risk score calculations until January 5, 2026.

You can expect the following changes to Active Risk:

  • Higher priority scores for EOL software vulnerabilities (reflecting permanent risk)
  • Critical ratings for actively exploited zero-day vulnerabilities
  • Better alignment with actual attacker behavior and exploit availability
  • Recategorization of some vulnerabilities to reflect improved risk assessment

Frequently Asked Questions

To support you through this change and answer frequently asked questions, we have the following answers and resources available.

How do I migrate to Active Risk?

Before migrating to Active Risk, read through our migration guide and begin the transition to Active Risk as soon as possible. To migrate to Active Risk, go to the Administration Tab > Vulnerabilities > Risk Score Settings > Risk Strategy > Active Risk. Only a user with the permission “configure global settings” can change the risk strategy settings.

How does Active Risk impact my scoring methodology?

Review our risk strategies product documentation, which provides an in-depth description of the new risk scoring strategy.

What are the differences between Real Risk and Active Risk?

Review this comparison brief, which shows how Active Risk will change the vulnerability risk score for 10 CVEs compared to Real Risk and the subsequent impact on asset risk score.

Will Active Risk change how asset risk is calculated?

Active Risk will only change how vulnerability risk is calculated. It will not change how asset risk is calculated, but it will have an impact on the risk score of an asset.

  • Asset risk accounts for the risk score of each vulnerability on the asset, the number of instances of that vulnerability, and any criticality modifiers (tags) to calculate the asset risk score. If the risk score for a specific vulnerability increases, assets containing that vulnerability will also see an increase in their overall asset risk score.
  • The asset risk score will continue to remain unbounded. See the Real Risk Score Comparison by Active Risk and Real Risk to see how Active Risk changes the asset risk score.
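The two points above describe asset risk as an unbounded aggregate of per-vulnerability risk, instance counts and criticality modifiers, and note that a change in a vulnerability's score flows through to the asset without changing the aggregation itself. The following is an added example, not Rapid7's code or the actual InsightVM formula: it uses an assumed aggregation (sum of vulnerability risk times instance count, scaled by a placeholder criticality modifier) and constructed findings to show how a rescoring of one vulnerability, such as an EOL uplift, changes the asset score while the aggregation rule stays fixed.

```python
from dataclasses import dataclass


@dataclass
class VulnFinding:
    """One vulnerability finding on an asset (constructed sample data)."""
    vuln_id: str
    risk_score: float   # vulnerability risk score on the 0-1000 Active Risk scale
    instances: int      # number of instances of this vulnerability on the asset


# Hypothetical criticality modifiers keyed by asset criticality tag. These are
# placeholder values for illustration, not Rapid7's Risk Score Adjustment values.
CRITICALITY_MODIFIERS = {
    "Very High": 2.0,
    "High": 1.5,
    "Medium": 1.0,
    "Low": 0.75,
    "Very Low": 0.5,
}


def asset_risk(findings, criticality_tag=None):
    """Aggregate vulnerability risk into an unbounded asset risk score.

    Assumed model (not the product's real formula): sum each vulnerability's
    risk score multiplied by its instance count, then scale the total by the
    modifier of the asset's criticality tag (1.0 when the asset is untagged).
    The result has no upper bound: more instances or more findings keep
    raising it.
    """
    base = sum(f.risk_score * f.instances for f in findings)
    modifier = CRITICALITY_MODIFIERS.get(criticality_tag, 1.0)
    return base * modifier


def rescore(findings, updates):
    """Return a copy of the findings with per-vulnerability risk scores replaced.

    `updates` maps vuln_id -> new risk score (e.g. the score after switching
    strategies). Instance counts and the aggregation are untouched, which is the
    point made in the FAQ: only the vulnerability score changes.
    """
    return [
        VulnFinding(f.vuln_id, updates.get(f.vuln_id, f.risk_score), f.instances)
        for f in findings
    ]


def asset_risk_delta(findings, updates, criticality_tag=None):
    """Return (asset risk before, asset risk after, difference) for a rescoring."""
    before = asset_risk(findings, criticality_tag)
    after = asset_risk(rescore(findings, updates), criticality_tag)
    return before, after, after - before


def sample_findings():
    """Constructed findings for one asset; the vuln ids are illustrative only."""
    return [
        VulnFinding("vuln-eol-web-server", 600.0, 3),
        VulnFinding("vuln-weak-tls-cipher", 350.0, 2),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    # Constructed rescoring: the EOL finding is raised to reflect permanent risk.
    updates = {"vuln-eol-web-server": 900.0}
    before, after, delta = asset_risk_delta(findings, updates, "High")
    print(f"asset risk before={before:.0f} after={after:.0f} delta={delta:+.0f}")
```

Running it shows the asset's score rising purely because one vulnerability's score rose; the criticality modifier and the instance-weighted sum are applied identically before and after, which is the behaviour to check for in your own dashboards when reporting thresholds are reviewed after the switch.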

Will Active Risk have any impact on the existing asset criticality tags and asset risk score adjustment values when calculating the risk score of an asset?

Active Risk is the new model for calculating vulnerability risk scores. While a vulnerability risk score has an impact on the asset risk score, the way asset risk score is calculated remains the same. (See previous question). Today, customers can tag assets with criticality tags. Under the Risk Score Adjustment section, customers can choose to have those criticality tags adjust the risk score of an asset. Asset criticality tagging and subsequent score modifier will not be impacted with Active Risk. Criticality tags can still be used as is.

Will historical vulnerability scores be recalculated?

You will not have the option to recalculate historical data. Any trending or historical data prior to switching to Active Risk will reflect your current risk strategy calculations. Any trending or historical data from the date of switching to Active Risk forward will reflect Active Risk calculations.

If I migrate before January 5th, will scores change again?

Yes, your scores for EOL software and actively exploited zero-day vulnerabilities will increase.

Which dashboard cards and reports will see a change in reporting?

Reports and dashboard cards that use vulnerability risk scores or asset risk scores will change when you move to Active Risk. Popular reports include Executive Risk Summary, Top Remediations with Detail, Audit Report, and more. Dashboard cards include Newly Discovered Exploitable Vulnerabilities by Total Risk Score, Most Common Exploitable Vulnerabilities, and more.

Are there any new dashboard cards to support Active Risk?

We are adding two new dashboard cards to help you understand the vulnerabilities based on Active Risk:

  • Vulnerability Findings by Active Risk Score Severity indicates the total number of vulnerabilities across the Active Risk severity levels and the number of affected assets and instances. Ideal for executive reporting.
  • Vulnerability Findings by Active Risk Score Severity and Publish Age shows the number of vulnerabilities across the Active Risk severity levels and by publish age. Ideal for sharing with remediation stakeholders to prioritize vulnerabilities for the next patch cycle (e.g. publish age between 0-29 days) or to identify critical vulnerabilities that may have been missed (e.g. publish age greater than 90 days).

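The second card above cross-tabulates findings by Active Risk severity and publish age, and the two use cases it names (next patch cycle, possibly missed criticals) are simple filters over that table. The following is an added example, not Rapid7's code or a dashboard export: it builds the same tabulation over constructed findings. The severity cut-offs on the 0-1000 scale and the age buckets are assumptions (the page does not list Rapid7's exact bands), so treat them as placeholders to replace with your own thresholds.

```python
from datetime import date

# Assumed severity bands on the 0-1000 Active Risk scale (floor, label), highest
# first. Placeholder values: the page does not state Rapid7's exact cut-offs.
SEVERITY_BANDS = [(900, "Critical"), (700, "Severe"), (400, "Moderate"), (0, "Low")]

# Publish-age buckets in days (low, high inclusive, label); the 0-29 and 90+
# buckets mirror the examples given for the dashboard card.
AGE_BUCKETS = [(0, 29, "0-29 days"), (30, 89, "30-89 days"), (90, None, "90+ days")]


def severity(score):
    """Map an Active Risk score to an assumed severity label."""
    if not 0 <= score <= 1000:
        raise ValueError(f"score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    raise AssertionError("unreachable: bands cover 0-1000")


def age_bucket(days):
    """Map a publish age in days to a bucket label."""
    if days < 0:
        raise ValueError(f"negative publish age: {days}")
    for low, high, label in AGE_BUCKETS:
        if days >= low and (high is None or days <= high):
            return label
    raise AssertionError("unreachable: buckets cover all non-negative ages")


def tabulate(findings, today):
    """Build {(severity, age bucket): {"vulns": set, "assets": set, "instances": n}}.

    Each finding is one instance of a vulnerability on one asset, so the same
    vuln_id on two assets counts as one vulnerability, two assets, two instances.
    """
    table = {}
    for f in findings:
        age = (today - f["published"]).days
        key = (severity(f["risk_score"]), age_bucket(age))
        cell = table.setdefault(key, {"vulns": set(), "assets": set(), "instances": 0})
        cell["vulns"].add(f["vuln_id"])
        cell["assets"].add(f["asset"])
        cell["instances"] += 1
    return table


def possibly_missed_criticals(findings, today, min_age_days=90):
    """Critical findings published at least `min_age_days` ago: candidates for
    having slipped through earlier patch cycles."""
    return sorted({
        f["vuln_id"] for f in findings
        if severity(f["risk_score"]) == "Critical"
        and (today - f["published"]).days >= min_age_days
    })


def next_patch_cycle(findings, today, max_age_days=29):
    """Findings published within the last `max_age_days` days, for the next cycle."""
    return sorted({
        f["vuln_id"] for f in findings
        if (today - f["published"]).days <= max_age_days
    })


def sample_findings():
    """Constructed findings; vuln ids, scores, dates and hosts are illustrative."""
    return [
        {"vuln_id": "vuln-1", "risk_score": 950, "published": date(2025, 9, 1), "asset": "host-a"},
        {"vuln_id": "vuln-1", "risk_score": 950, "published": date(2025, 9, 1), "asset": "host-b"},
        {"vuln_id": "vuln-2", "risk_score": 920, "published": date(2026, 1, 10), "asset": "host-a"},
        {"vuln_id": "vuln-3", "risk_score": 500, "published": date(2025, 12, 1), "asset": "host-c"},
    ]


if __name__ == "__main__":
    today = date(2026, 1, 20)  # constructed reference date
    for (sev, bucket), cell in sorted(tabulate(sample_findings(), today).items()):
        print(f"{sev:8} {bucket:11} vulns={len(cell['vulns'])} "
              f"assets={len(cell['assets'])} instances={cell['instances']}")
    print("possibly missed criticals:", possibly_missed_criticals(sample_findings(), today))
    print("next patch cycle:", next_patch_cycle(sample_findings(), today))
```

The counting rule in `tabulate` (distinct vulnerabilities, distinct assets, raw instances) is what lets the same table serve both the executive view and the remediation view; if your export represents findings differently, adjust that function rather than the two filters.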
What other resources are available to help me understand this change?

A brief video overview is available on-demand, covering common questions that customers have asked us. Our experts provide specific examples of how some vulnerabilities are scored differently, best practices for preparing your transition to the new scoring methodology, and resources to ensure a successful cutover. If you have any questions or concerns, reach out to Rapid7 Support using “Active Risk Migration” in the subject line of your ticket. You can create a ticket from the Insight Platform by navigating to the question mark in the top right and selecting “Go to Customer Portal”.