Proprietary exposure intelligence
What Is Halo Surface Signal?
Halo Surface Signal is a proprietary Halo Threats metric that estimates whether a vulnerability is likely to touch something exposed to the public internet.
A proprietary signal for internet-facing exposure
Halo Surface Signal is a Halo Threats metric that estimates how likely a CVE is to affect something exposed to the public internet. It focuses on where a vulnerable surface usually lives: public web applications, edge gateways, remote access portals, APIs, management interfaces, developer tooling, or internal systems.
The signal is designed to answer a practical first question: is this the kind of vulnerability that could plausibly sit on an external attack path, or is it usually buried inside private infrastructure, build pipelines, endpoints, or internal management networks?
Why it is different from severity
Traditional vulnerability scores often describe technical impact. Halo Surface Signal is intentionally narrower. It does not try to replace CVSS, EPSS, CISA KEV, exploit intelligence, asset criticality, or remediation policy.
A vulnerability can be severe but rarely public-facing. Another can have modest impact but live on a commonly exposed service. Halo Surface Signal gives teams a separate lens for public attack surface likelihood, so exposure does not get lost inside a generic risk score.
How Halo evaluates the signal
Halo Threats uses AI-assisted analysis, curated vulnerability context, deployment clues, product role, protocol surface, and editorial constraints to produce a plain-language exposure signal. The underlying evaluation is proprietary and intentionally not published as a checklist.
That proprietary layer is what makes the signal useful: it compresses scattered context into a consistent external-exposure view while avoiding the noise of popularity, hype, severity, or active exploitation status.
What the 1-5 scale means
Halo Surface Signal uses a simple 1-5 scale: Very unlikely, Unlikely, Possible, Likely, and Very likely. The labels are intentionally human-readable so security, IT, and executive teams can interpret the signal without decoding a technical formula.
Low scores generally point to local, internal, build-time, client-side, or normally isolated surfaces. Higher scores point toward public web apps, APIs, internet edge devices, remote access systems, identity portals, and other surfaces that are commonly reachable from outside an organization.
What teams should do with it
Halo Surface Signal helps prioritize investigation. A higher signal suggests a CVE deserves faster external exposure review, internet-facing asset search, compensating-control checks, and validation against your own environment.
The signal is not a verdict that your organization is exposed. It is a measuring stick for likely public-facing relevance, designed to help defenders decide where to look first.