A raw CSPM scan treats a public S3 bucket and a missing resource tag as equally red. They aren't. ThreatScore, introduced in Prowler 5.6, is the fix: a risk-weighted score that tells you where your actual exposure is, not just how many checks failed.
Almost nobody has explained it yet, so here's the practitioner version.
What ThreatScore actually measures
ThreatScore groups checks into four areas and weights each finding by the risk it represents (how exploitable it is, how large the blast radius, how sensitive the data behind it) instead of counting every failure as one.
| Area | What it covers | Why it's weighted high |
|---|---|---|
| Identity & Access Management | MFA, key rotation, over-privileged roles, root usage | Compromised identity = access to everything |
| Attack Surface | Public resources, open ports, internet-reachable services | Directly exploitable from outside |
| Forensic Readiness | CloudTrail coverage, log validation, flow logs | Determines whether you can investigate at all |
| Encryption | Data-at-rest and in-transit protection | Limits blast radius when something is breached |
It ships as a compliance framework for AWS, Azure, and GCP, so a multi-cloud estate gets a score on the same scale per provider. The corollary: only checks mapped into the framework move the score, so a failing check outside those four areas still has to be read from the regular findings output.
Why this beats a raw finding count
Two environments can both have "120 failures." One has 120 low-severity tagging issues; the other has three public databases and no MFA on root. A finding count says they're equal. ThreatScore says one is on fire and one needs tidying. That's the difference between a metric you can act on and a number that just makes everyone anxious.
It also gives you a trend line. "We went from a ThreatScore of X to Y this quarter" is a sentence a CISO can take to a board, and far more useful than "we closed 40 findings." The trend only means something if the scope is held constant: same accounts and regions, same Prowler version and check set, so the score moves because the estate changed, not because the scan did.
How to read your score
Don't chase a perfect score. Read it by area:
- Attack Surface first. Anything internet-reachable and misconfigured is your highest real risk. Fix it before anything else, regardless of how the other areas look.
- IAM second. Identity weaknesses are the pivot attackers use after they get a foothold.
- Forensic Readiness before you think you need it. You can't investigate an incident with logs you didn't keep. This is also exactly what a CPS 234 auditor probes.
- Encryption as the blast-radius limiter: important, but rarely the thing that gets you breached first.
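To make the two-environments argument and the read-it-by-area ordering concrete, here is an added example written for this article. It is not Prowler's ThreatScore implementation and not the project's code; it models the principle on constructed findings. The check names, resource names, the 1-to-5 risk scale and the scoring formula (share of risk weight that passes, per area and overall) are all assumptions, chosen only to show why two estates with the same failure count get very different scores and which area to fix first.

```python
"""Risk-weighted scoring over constructed findings.

Added example for this article, not Prowler's ThreatScore code: it models
the principle (weight a failure by its risk instead of counting it) so the
two-environments argument can be checked with numbers. Check names, risk
values and the formula are assumptions, not Prowler's.
"""
from collections import defaultdict
from dataclasses import dataclass

IAM, ATTACK, FORENSIC, ENCRYPTION = (
    "Identity & Access Management", "Attack Surface",
    "Forensic Readiness", "Encryption",
)
# Remediation order from the "How to read your score" section.
AREA_ORDER = [ATTACK, IAM, FORENSIC, ENCRYPTION]


@dataclass(frozen=True)
class Finding:
    check_id: str   # hypothetical check name, one finding per resource
    resource: str
    area: str
    risk: int       # assumed scale: 1 (cosmetic) .. 5 (directly exploitable)
    status: str     # "PASS" or "FAIL"


def area_scores(findings):
    """Per area, the share of risk weight that passed, 0..100."""
    total, passed = defaultdict(int), defaultdict(int)
    for f in findings:
        total[f.area] += f.risk
        if f.status == "PASS":
            passed[f.area] += f.risk
    return {a: round(100 * passed[a] / total[a], 1) for a in total}


def overall_score(findings):
    """Risk-weighted share of passing checks, 0..100 (empty input scores 100)."""
    total = sum(f.risk for f in findings)
    passed = sum(f.risk for f in findings if f.status == "PASS")
    return round(100 * passed / total, 1) if total else 100.0


def fail_count(findings):
    """The raw number a plain CSPM summary would report."""
    return sum(1 for f in findings if f.status == "FAIL")


def remediation_order(findings):
    """Failed findings grouped by area in AREA_ORDER, highest risk first in each."""
    by_area = defaultdict(list)
    for f in findings:
        if f.status == "FAIL":
            by_area[f.area].append(f)
    plan = []
    for area in AREA_ORDER:
        if by_area[area]:
            ordered = sorted(by_area[area], key=lambda f: -f.risk)
            plan.append((area, [f"{f.check_id}:{f.resource}" for f in ordered]))
    return plan


def _env(root_mfa, rds_public, snapshots_encrypted):
    """Build a constructed environment; only three knobs differ between the two."""
    p = lambda ok: "PASS" if ok else "FAIL"
    common = [  # constructed baseline, identical in both estates
        Finding("iam_access_key_rotated", "user-deploy", IAM, 3, "PASS"),
        Finding("iam_no_wildcard_admin_policy", "policy-ci", IAM, 4, "PASS"),
        Finding("ec2_sg_ssh_not_open_to_world", "sg-web", ATTACK, 5, "PASS"),
        Finding("lambda_url_not_public", "fn-ingest", ATTACK, 4, "PASS"),
        Finding("cloudtrail_multi_region", "trail-org", FORENSIC, 5, "PASS"),
        Finding("cloudtrail_log_validation", "trail-org", FORENSIC, 3, "PASS"),
        Finding("vpc_flow_logs_enabled", "vpc-main", FORENSIC, 3, "PASS"),
        Finding("s3_default_encryption", "bucket-data", ENCRYPTION, 3, "PASS"),
        Finding("rds_storage_encrypted", "rds-1", ENCRYPTION, 3, "PASS"),
    ]
    return common + [
        Finding("iam_root_mfa_enabled", "root", IAM, 5, p(root_mfa)),
        *[Finding("rds_not_publicly_accessible", f"rds-{i}", ATTACK, 5, p(not rds_public))
          for i in (1, 2, 3)],
        *[Finding("ebs_snapshot_encrypted", f"snap-{i}", ENCRYPTION, 1, p(snapshots_encrypted))
          for i in (1, 2, 3, 4)],
    ]


# Same raw failure count (4 each), very different exposure.
TIDY = _env(root_mfa=True, rds_public=False, snapshots_encrypted=False)
ON_FIRE = _env(root_mfa=False, rds_public=True, snapshots_encrypted=True)

if __name__ == "__main__":
    for name, env in (("tidy", TIDY), ("on_fire", ON_FIRE)):
        print(name, "failures:", fail_count(env), "score:", overall_score(env),
              area_scores(env))
        print("  fix first:", remediation_order(env))
```

Both estates report four failures, but the tidy one scores in the nineties while the one with public databases and no root MFA drops into the sixties, and its remediation order puts the public RDS instances ahead of the root MFA gap, matching the ordering above. For the real weights, inspect the ThreatScore framework that ships with your Prowler version rather than this model; `prowler --list-compliance` lists the framework identifiers the installed version knows about.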
Where it fits in a CPS 234 program
ThreatScore's four areas map cleanly onto APRA expectations: Attack Surface and IAM to implementation of controls, Forensic Readiness to logging and incident management, and the trend line to testing control effectiveness over time. It's a ready-made way to show APRA that your control effectiveness is improving, with a number to prove it. See the full CPS 234 → AWS controls mapping for how each area ties to a clause.
Claim it before your competitors do
ThreatScore is new enough that almost no content explains it, which makes it the term to own. Once you've got a score, the next move is turning the findings behind it into a sequenced plan: From 500 Prowler findings to a plan.
Primary sources: Prowler 5.6 release · Prowler (GitHub)