PSVSS
PSVSS, the Physical Security Vulnerability Scoring System, is a lightweight framework for scoring the severity of physical security vulnerabilities on a scale from 0.0 to 10.0.
It is inspired by CVSS, but it is designed specifically for physical security, social engineering, and black teaming scenarios where real-world exploitability matters more than theoretical exposure.
Why PSVSS Exists
Physical security findings are often described well, but scored inconsistently. PSVSS is meant to give operators and customers a simple and repeatable way to prioritize findings without pretending that software-centric scoring models map cleanly onto physical operations.
The emphasis is on exploitability, stealth, access expansion, persistence, and impact. The question is not whether something looks theoretically risky. The question is how dangerous it is in practice.
Core Metrics
PSVSS uses seven metrics to describe how reachable, practical, quiet, durable, and impactful a finding is.
| Code | Metric | Description | Values | Score Contribution |
|---|---|---|---|---|
| AV | Access Vector | Where the attacker starts from. | O = Off-site, P = Perimeter, B = Building | O = 2, P = 1, B = 0 |
| AC | Access Complexity | How difficult the attack is to carry out. | L = Low, M = Medium, H = High | L = 2, M = 1, H = 0 |
| SI | Social Interaction | How much human involvement the attack requires. | N = None, O = Opportunistic, R = Required | N = 2, O = 1, R = 0 |
| DE | Detectability | How likely the activity is to be detected. | L = Low, M = Medium, H = High | L = 2, M = 1, H = 0 |
| EA | Expansion of Access | Whether the foothold can be expanded into more access. | N = None, L = Limited, H = High | N = 0, L = 1, H = 2 |
| PE | Persistence | Whether access can be maintained or repeated. | N = None, T = Temporary, R = Repeatable | N = 0, T = 1, R = 2 |
| IM | Impact | The consequence if the finding is exploited successfully. | L = Low, M = Moderate, H = High, C = Critical | L = 0, M = 1, H = 2, C = 3 |
Scoring Model
Each metric is assigned the numeric value shown in the table. The values are added together, divided by the maximum possible total of 15 (2 for each of the first six metrics and 3 for Impact), and multiplied by 10; the result is reported to one decimal place.
To keep the model aligned with severity rather than attacker effort, four metrics (AV, AC, SI, DE) are intentionally direction-aware: the value that favours the attacker scores highest. Lower complexity, less required social interaction, lower detectability, and a more remote starting point all increase severity rather than reduce it.
Severity Levels
- None: 0.0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Vector Format
PSVSS uses a vector string similar to CVSS so that findings can be written and compared consistently. Each metric is written as its two-letter code followed by the chosen value, as in AV:P for a Perimeter access vector, and a complete vector records all seven metrics.
Worked example: AV:P = 1, AC:L = 2, SI:R = 0, DE:L = 2, EA:H = 2, PE:R = 2, IM:H = 2. That gives a total of 11 out of a maximum of 15, so the score is 11 / 15 × 10 = 7.33, which rounds to a PSVSS score of 7.3 and a severity of High.
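As an added example (not code from the PSVSS page or project), here is a small Python calculator that parses a vector string, applies the Core Metrics table and the scoring model above, and maps the result onto the severity bands. It assumes CVSS-style CODE:VALUE pairs joined with "/", e.g. AV:P/AC:L/SI:R/DE:L/EA:H/PE:R/IM:H; the page shows the pair notation but does not state the separator. The sample findings and their names in the block are constructed, not from the page.

```python
"""PSVSS calculator: added example, not code from the PSVSS page or project.

Assumption: a vector is a CVSS-style string of "CODE:VALUE" pairs joined
by "/", e.g. "AV:P/AC:L/SI:R/DE:L/EA:H/PE:R/IM:H". The page shows the
CODE:VALUE pairs but does not specify the separator.
"""
from __future__ import annotations

# Metric code -> {value letter: points}, copied from the Core Metrics table.
# AV, AC, SI and DE are direction-aware: the attacker-favourable value scores 2.
METRICS: dict[str, dict[str, int]] = {
    "AV": {"O": 2, "P": 1, "B": 0},          # Access Vector: Off-site/Perimeter/Building
    "AC": {"L": 2, "M": 1, "H": 0},          # Access Complexity: Low/Medium/High
    "SI": {"N": 2, "O": 1, "R": 0},          # Social Interaction: None/Opportunistic/Required
    "DE": {"L": 2, "M": 1, "H": 0},          # Detectability: Low/Medium/High
    "EA": {"N": 0, "L": 1, "H": 2},          # Expansion of Access: None/Limited/High
    "PE": {"N": 0, "T": 1, "R": 2},          # Persistence: None/Temporary/Repeatable
    "IM": {"L": 0, "M": 1, "H": 2, "C": 3},  # Impact: Low/Moderate/High/Critical
}
MAX_POINTS = sum(max(v.values()) for v in METRICS.values())  # 6 * 2 + 3 = 15


def parse_vector(vector: str) -> dict[str, str]:
    """Parse a vector into {code: value}; reject anything the table does not define.

    Strict parsing matters in reporting: a typo such as "IM:X", a duplicated
    metric or a missing one must fail loudly rather than quietly score as zero.
    """
    parsed: dict[str, str] = {}
    for part in vector.strip().split("/"):
        code, sep, value = part.partition(":")
        code, value = code.strip().upper(), value.strip().upper()
        if not sep or code not in METRICS:
            raise ValueError(f"unknown or malformed metric {part!r}")
        if code in parsed:
            raise ValueError(f"duplicate metric {code}")
        if value not in METRICS[code]:
            raise ValueError(f"invalid value {value!r} for {code}")
        parsed[code] = value
    missing = sorted(set(METRICS) - set(parsed))
    if missing:
        raise ValueError(f"missing metrics: {missing}")
    return parsed


def validation_error(vector: str) -> str | None:
    """Return the parse error message for a vector, or None if it is valid."""
    try:
        parse_vector(vector)
    except ValueError as exc:
        return str(exc)
    return None


def points(vector: str) -> int:
    """Sum of the per-metric points, 0..MAX_POINTS."""
    return sum(METRICS[c][v] for c, v in parse_vector(vector).items())


def psvss_score(vector: str) -> float:
    """points / MAX_POINTS * 10, rounded to one decimal as in the page's worked example."""
    return round(points(vector) * 10 / MAX_POINTS, 1)


def severity(score: float) -> str:
    """Map a score onto the page's severity bands (None / Low / Medium / High / Critical)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def assess(vector: str) -> tuple[float, str]:
    """Score and severity for one vector."""
    score = psvss_score(vector)
    return score, severity(score)


def rank_findings(findings: dict[str, str]) -> list[tuple[str, float, str]]:
    """Order findings by score, highest first, for prioritisation in a report."""
    ranked = [(name, *assess(vec)) for name, vec in findings.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample findings (hypothetical names and vectors, not from the page).
    sample = {
        "page worked example": "AV:P/AC:L/SI:R/DE:L/EA:H/PE:R/IM:H",        # 11/15 -> 7.3 High
        "unmonitored loading dock door": "AV:P/AC:L/SI:N/DE:L/EA:H/PE:R/IM:C",  # 14/15 -> 9.3 Critical
        "tailgating past staffed desk": "AV:P/AC:M/SI:R/DE:H/EA:L/PE:T/IM:M",   # 5/15 -> 3.3 Low
    }
    for name, score, sev in rank_findings(sample):
        print(f"{score:4.1f}  {sev:8s}  {name}")
```

The parser is deliberately strict: every one of the seven metrics must appear exactly once with a value the table defines, so a mistyped or truncated vector in a report raises an error instead of silently lowering the score. Severity is derived from the rounded score, which is why 8.9 is still High and 9.0 is Critical, matching the bands above.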
Design Principles
- Simplicity over complexity: The model should be easy enough to use consistently during real assessments.
- Real-world attacker focus: The score should reflect practical exploitability, not just abstract weakness.
- Emphasis on stealth, expansion, and persistence: Physical findings are often dangerous because of what they unlock next and how quietly they can be repeated.
- Consistent scoring across engagements: Similar findings should end up with similar ratings from one assessment to the next.
Intended Use
PSVSS is intended for physical security assessments, red teaming, and black teaming engagements. Its job is to make severity clearer, more consistent, and easier to explain when reporting findings to customers.