Signal Factors & Score Breakdown
The Six Signal Factors
The score breakdown table shows each factor’s contribution to the total score. Each factor row shows:
- Factor name
- Signal confidence (Confirmed / Inferred / Unknown)
- Score contribution out of the factor’s maximum weight
- Detail text explaining what triggered the factor
Factor 1: Anonymous / Public Access (Weight: 35)
- What it detects: Whether the Confluence space allows anonymous (unauthenticated) access, meaning anyone on the internet can view content in that space without logging in.
- Trigger: `anonymousAccess === true` on the space
- When active: Full 35 points contributed
- When inactive: 0 points contributed
- Confidence: Confirmed (direct API check, no ambiguity)
- Why it matters: This is the highest-weight factor because anonymous access bypasses all Atlassian user controls. Sensitive content exposed to anonymous access is accessible to the public internet.
Factor 2: External / Guest Users (Weight: 20)
- What it detects: Users with non-organization email domains or guest accounts in the access list for this page or space.
- Trigger: Presence of users whose email domain does not match the primary organization domain, or users flagged as guests in Confluence.
- When active: Contribution scales with the number of external users detected
- Confidence: Inferred (domain matching is heuristic; email domains may not perfectly identify org boundaries)
- Why it matters: External users may not be subject to your organization’s data handling policies and may retain access after their engagement ends.
Factor 3: Broad Group Access (Weight: 15)
- What it detects: Groups with 100 or more members that have access to this page or space.
- Trigger: Any group in the access list has `memberCount >= 100` (configurable threshold `BROAD_GROUP_THRESHOLD = 100`)
- When active: Contribution scales with the number of broad groups
- Confidence: Confirmed if member count was retrieved; Inferred if count was estimated from cache
- Why it matters: Broad groups (“all-staff”, “all-confluence-users”) effectively grant access to a large portion of the organization, making individual access management impractical.
Factor 4: Restriction Weakness (Weight: 10)
- What it detects: Whether the page has no page-level restrictions set, inheriting all space permissions by default.
- Trigger: `hasPageRestrictions === false`
- When active: Full 10 points contributed
- When inactive: 0 points (page has explicit restrictions set)
- Confidence: Confirmed
- Why it matters: Page-level restrictions provide an additional layer of access control beyond space permissions. Their absence means anyone with space access can view the page.
Factor 5: Active Findings (Weight: 15)
- What it detects: The number of open or triaged security findings linked to this specific page.
- Trigger: `findingCount > 0` for findings associated with this page’s content ID
- When active: Contribution scales with finding count
- Confidence: Confirmed (direct database query against findings)
- Why it matters: If a page already has known security issues (detected credentials, PII, etc.), those active findings compound the exposure risk.
Factor 6: Sensitivity Label (Weight: 5)
- What it detects: The content classification level assigned to this page or space.
- Trigger: A classification label is set
- Risk values:
  - Public: 0.0 (no contribution)
  - Internal: 0.3 (1.5 points at full weight)
  - Confidential: 0.7 (3.5 points at full weight)
  - Restricted: 1.0 (5 points at full weight)
- Confidence: Confirmed if a label exists; the absence of a label contributes 0
- Why it matters: Sensitive content that is also widely accessible represents a higher risk than less-sensitive content with the same access configuration.
Note: The default weights above (35/20/15/10/15/5) can be adjusted by Admins in Admin > Scoring & SLA. If your Admin has customized the weights, the maximum contributions shown in the breakdown will differ from the defaults.
Signal Confidence Levels
Each factor in the breakdown carries a confidence indicator:
| Confidence | Lozenge Color | Meaning |
|---|---|---|
| Confirmed | Green | Signal was verified directly via a Confluence API call with a definitive response |
| Inferred | Orange | Signal was estimated or derived from incomplete data (e.g., email domain heuristics, cached group counts) |
| Unknown | Gray | Signal data was not available or the API returned insufficient information |
When any factor shows Unknown confidence, the exposure score badge shows a ~ prefix (e.g., ~67) and a tooltip warns that the score is incomplete. This typically happens when the Confluence API does not return group membership data for large IdP-synced groups.
The Signal Breakdown Panel
The Score Breakdown section (below the score circle) is a table with one row per factor. Reading each row:
- Factor name: Bold when the factor is active (contributing points); muted when inactive
- Signal confidence lozenge: Green (Confirmed) / Orange (Inferred) / Gray (Unknown)
- Score: The contribution in the format `+N /W` where N is the actual points contributed and W is the maximum weight. Example: `+15 /15` means the factor is at full contribution; `+7 /15` means partial contribution.
- Detail: A plain-English explanation, e.g., “2 external users detected”, “3 broad groups (all-staff: 1,250 members; all-engineers: 380 members)”
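
The scoring model described on this page, sketched as an added example (not the product's own code): it builds the six breakdown rows, the total, and the `~` badge prefix. The weights, threshold and risk values are the page's defaults; the linear scaling with a saturation count of 5, the rounding, the Unknown confidence for a missing label, and the input fields `externalUsers`, `groups`, `cached` and `label` are assumptions.

```javascript
// Added example; weights, threshold and risk values are the page's defaults.
const WEIGHTS = { anonymous: 35, external: 20, broadGroups: 15,
                  restriction: 10, findings: 15, sensitivity: 5 };
const SENSITIVITY_RISK = { Public: 0.0, Internal: 0.3, Confidential: 0.7, Restricted: 1.0 };
const BROAD_GROUP_THRESHOLD = 100;
const SATURATION = 5; // ASSUMPTION: count at which a scaling factor reaches full weight

// ASSUMPTION: linear scaling capped at 1.0; the page only says "scales with".
const scale = (count) => Math.min(count / SATURATION, 1);

function scoreExposure(s, weights = WEIGHTS) {
  // groups === null models the API returning no group membership data.
  const broad = s.groups ? s.groups.filter((g) => g.memberCount >= BROAD_GROUP_THRESHOLD) : null;
  const ratios = { // factor -> [fraction of weight, confidence]
    anonymous: [s.anonymousAccess === true ? 1 : 0, 'Confirmed'],
    external: [scale(s.externalUsers), 'Inferred'], // domain matching is heuristic
    broadGroups: broad === null ? [0, 'Unknown']
      : [scale(broad.length), broad.some((g) => g.cached) ? 'Inferred' : 'Confirmed'],
    restriction: [s.hasPageRestrictions === false ? 1 : 0, 'Confirmed'],
    findings: [scale(s.findingCount), 'Confirmed'],
    // Absent label contributes 0; ASSUMPTION: it is then reported as Unknown.
    sensitivity: [SENSITIVITY_RISK[s.label] ?? 0, s.label ? 'Confirmed' : 'Unknown'],
  };
  const rows = Object.entries(ratios).map(([factor, [ratio, confidence]]) => {
    const points = Math.round(ratio * weights[factor] * 10) / 10;
    return { factor, confidence, points, display: `+${points} /${weights[factor]}` };
  });
  const total = Math.round(rows.reduce((sum, r) => sum + r.points, 0));
  const incomplete = rows.some((r) => r.confidence === 'Unknown');
  return { rows, total, badge: (incomplete ? '~' : '') + total };
}

// Constructed sample input (not real data).
const page = {
  anonymousAccess: false, externalUsers: 2, hasPageRestrictions: false,
  findingCount: 1, label: 'Confidential',
  groups: [{ name: 'all-staff', memberCount: 1250 }, { name: 'team-x', memberCount: 12 }],
};
const complete = scoreExposure(page);
const partial = scoreExposure({ ...page, groups: null }); // group data unavailable
console.log(complete.badge, partial.badge);
```

Passing a different `weights` object models an Admin-customized configuration; the `/W` maximum in each row changes with it.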