The Credential Risk Scoring Model v1.1 is a structured framework for evaluating the security posture of any individual credential — API keys, tokens, passwords, certificates, and more. It was designed to make risk quantifiable so teams can prioritize remediation work without guesswork.

The model scores a credential across seven factors — human handling, rotation age, storage security, blast radius, credential lifetime, exposure signals, and automation maturity — then subtracts credit for automation controls that meaningfully reduce risk. The result is a single 0–100 score with a corresponding risk level: Low, Moderate, High, or Critical.

Read the full methodology, design rationale, and "Secret Zero" problem framing in the original blog article. To manage credentials at scale using a secrets-as-code approach, check out secret0.com.

The seven factors, their meaning, and the points each can contribute:

H — Human Handling: how the credential was created and handled (0–40)
R — Rotation Age: how overdue the credential is for rotation (0–30)
S — Storage Security: where and how the secret is stored (0–30)
B — Blast Radius: how broadly the credential grants access (0–30)
U — Lifetime: whether the credential expires naturally (0–25)
E — Exposure: observable signals of past or current leakage (0–45)
A — Automation: controls that actively reduce exposure risk (−35 max, subtracted from the total)
Score Breakdown (interactive calculator, shown at its starting state): Total Risk Score 0/100, risk level Low, with no immediate action required; each of the seven factors (H, R, S, B, U, E, and the A automation reduction) starts at 0.