In Kenna, all vulnerabilities have 4 possible statuses: Open, Closed, Risk Accepted, & False Positive.
When utilizing the Risk Accepted vulnerability status, Kenna’s “True Risk Score” can help identify how much risk is truly present in your environment. Your “true risk score” for any given risk meter is calculated to include all risk accepted vulnerabilities that would fall into that asset group IF they were not risk accepted. It lets you ask yourself, “What would my Risk Meter score be if none of the vulnerabilities had been marked risk accepted?”. This is what Kenna deems your “True Risk Score” for that group of assets.
For those more familiar with risk reporting terms, the risk meter score is "Residual Risk" and the True Risk score is "Inherent Risk".
The “True Risk Score” of any Risk Meter can be found on the reporting page, in the Group Overview at the top (shown below). The link in blue is a count of the "risk accepted" vulnerabilities and clicking it will take you to the Explore page, filtered to view those specific vulnerabilities only.
If the Risk Meter has no Risk Accepted vulnerabilities, the “True Risk Score” metric will not appear, and the default block, risk score from 90 days ago, will display as shown below.
If using the API to pull risk meter reporting data from the Asset Groups endpoint, the True Risk score will always be included in the response regardless of whether there are Risk Accepted vulnerabilities or not. In the case that there are no Risk Accepted vulnerabilities, the Risk Meter score and True Risk score will be identical.