Strengthen your security posture with the Common Configuration Scoring System for misconfigured production environments

Misconfigured components in production remain one of the most common-and most preventable-sources of security risk. To help you better understand and prioritize your organization's misconfiguration issues, Dynatrace Security Posture Management (SPM) introduced severity classification labels for all misconfiguration findings based on the Common Configuration Scoring System (CCSS). CCSS provides a standardized, vendor-agnostic way of assessing configuration weaknesses that allows for clear, consistent scoring across diverse environments.

By aligning our findings with CCSS, teams can now compare misconfigurations across different frameworks, benchmarks, and technology stacks using a unified metric. This not only improves prioritization and triage but also strengthens communication between security, operations, and compliance teams. Whether you're evaluating a Center for Internet Security (CIS) benchmark, the Digital Operational Resilience Act (DORA) framework, or Defense Information Systems Agency Security Technical Implementation Guides (DISA-STIGs), severity is now measured on the same transparent and repeatable scale-making it easier than ever to focus on what matters most.

How Dynatrace determines misconfiguration severity levels

By leveraging CCSS, Dynatrace researchers and domain experts evaluate the severity of configuration weaknesses by scoring them using metrics that capture the intrinsic characteristics of each misconfiguration-such as how easy it is to exploit and its potential impact. These metrics are combined into a numerical score that maps to a severity level (low, medium, high, or critical), providing a consistent and repeatable way of measuring configuration risk.

Specifically, these metrics can be summarized along three focus areas:

• Likelihood (L): Measures how easily a misconfiguration can be exploited. It considers factors such as required access level, required system knowledge, authentication requirements, and whether exploitation is automated or manual.
• Technical Impact (TI): Assesses the degree to which a misconfiguration affects confidentiality, integrity, and availability if exploited.
• Configuration Impact (CI): Captures risk related to the misconfiguration itself-how significantly it weakens expected security controls or baselines.

How it works

Our security research team recently evaluated the Ensure that the -authorization-mode argument is not set to AlwaysAllow rule from the CIS Kubernetes benchmark. This check describes a configuration in which the Kubernetes API server allows all requests-this rule should not be used in any production environment.

Our internal researchers and Kubernetes experts assessed this rule as follows:

This assessment results in a severity classification of Critical, which is appropriate, as the CIS benchmark states that this configuration should not be used in a production Kubernetes cluster.

The severity of each misconfigured rule is tracked in the Dynatrace Security Posture Management app, where each rule's severity label is assigned by a domain expert, ensuring the highest assessment quality.

Impact on the current rule severities in Security Posture Management

The new rule-severity level assessments in the Security Posture Management app will replace the current labels, which are based on different factors and vendor classification. While the current severity labels aren't wrong, depending on the rule-benchmark vendor, they sometimes focus on different areas. For example, rules might be classified by how difficult they are to implement in a given configuration in a specific environment.

By adopting the Common Configuration Scoring System for all misconfiguration findings in Dynatrace SPM, we're taking a major step toward delivering clearer, more transparent, and more actionable security insights. This standardized, expert-driven severity model ensures that every rule-across every benchmark-is evaluated with the same rigor and security-focused methodology. As a result, teams can make better-informed decisions, prioritize risk more effectively, and maintain a consistent understanding of configuration health across their entire environment. While some individual rule severities will change with the transition, the outcome is a stronger, more reliable foundation for managing configuration risk at scale.

What you need to do

With the new CCSS-based classifications, we ensure that each benchmark in SPM receives a unified, security-focused rule classification. The current severity label of a rule might change when the CCSS-based classification is deployed with Dynatrace version 1.334. If you're on Dynatrace SaaS, this change will happen automatically when version 1.334 is rolled out in March 2026. If you're on Dynatrace Managed, an update to Dynatrace Managed version 1.334 (or later) is required.