When a security incident lands, the first decision is how urgently to respond. Mis-triaging wastes the response team on low-impact issues or, worse, lets a serious breach sit unattended. This calculator turns a short structured questionnaire into a consistent P0 to P4 severity rating with recommended acknowledgement and resolution SLAs. It is aligned with the way most incident-response frameworks (NIST 800-61, FIRST, and common SRE severity ladders) weigh impact against urgency, and it runs entirely in your browser.
How it works
Severity is modelled as impact x urgency, expressed as a points total:
- Impact comes from three inputs: the sensitivity of the data exposed (none, internal, customer PII, regulated/financial), the number of affected users (a few, hundreds, thousands, millions), and whether regulated data brings legal deadlines into play.
- Urgency comes from two inputs: how exploitable the issue is (theoretical, requires conditions, trivially exploitable) and its public exposure (private, disclosed, or actively exploited in the wild).
Each option carries a weight. The weights are summed, and the total is bucketed:
total >= 18 -> P0 (Critical)
total >= 13 -> P1 (High)
total >= 8 -> P2 (Medium)
total >= 4 -> P3 (Low)
otherwise -> P4 (Informational)
Two hard escalation rules override the band: active exploitation in the wild forces at least P1, and exposure of regulated PII at scale forces at least P1, because both carry consequences that a raw point total can understate.
Example
A SQL-injection flaw that is trivially exploitable, exposes customer PII for thousands of users, is regulated under GDPR, and has been disclosed publicly will accumulate high impact and high urgency points, landing in the P0 band with an immediate-response SLA.
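The scoring rules above, worked through in code. This is an added example, not the calculator's own source: the band thresholds (18/13/8/4) and the two escalation rules are taken from the description, but the per-option weights, the acknowledgement/resolution targets, and the reading of "at scale" as thousands or millions of users are assumptions I chose so that the SQL-injection scenario lands in P0 as the text says. Swap in your own weights; the bucketing and override logic stay the same.

```javascript
// Added example of the impact x urgency scoring described on the page.
// Thresholds and escalation rules follow the text; the weights, SLA
// figures and the "at scale" cut-off are assumptions, not real values.

// Assumed weight for each questionnaire option (higher = worse).
const WEIGHTS = {
  dataSensitivity: { none: 0, internal: 2, customerPii: 4, regulated: 6 },
  affectedUsers: { few: 1, hundreds: 2, thousands: 4, millions: 6 },
  regulatedDeadline: { no: 0, yes: 3 },
  exploitability: { theoretical: 1, requiresConditions: 3, trivial: 5 },
  exposure: { private: 0, disclosed: 2, activelyExploited: 4 },
};

// Assumed acknowledgement / resolution targets per band.
const SLA = {
  P0: { ack: "immediate", resolve: "4 h" },
  P1: { ack: "1 h", resolve: "24 h" },
  P2: { ack: "4 h", resolve: "7 d" },
  P3: { ack: "1 business day", resolve: "30 d" },
  P4: { ack: "5 business days", resolve: "backlog" },
};

// Band thresholds from the page, highest first so the first match wins.
const BANDS = [[18, "P0"], [13, "P1"], [8, "P2"], [4, "P3"], [0, "P4"]];

// Numeric rank of a band: P0 -> 0 ... P4 -> 4 (lower is more severe).
const rank = (band) => Number(band[1]);

// Look up one answer's weight; reject unknown options instead of scoring 0,
// so a typo in the questionnaire cannot silently lower severity.
function weightOf(field, value) {
  const table = WEIGHTS[field];
  if (!(value in table)) throw new Error(`unknown ${field}: ${value}`);
  return table[value];
}

// Score a questionnaire and return the band plus the reasoning behind it.
function scoreIncident(a) {
  const impact =
    weightOf("dataSensitivity", a.dataSensitivity) +
    weightOf("affectedUsers", a.affectedUsers) +
    weightOf("regulatedDeadline", a.regulatedDeadline);
  const urgency =
    weightOf("exploitability", a.exploitability) +
    weightOf("exposure", a.exposure);
  const total = impact + urgency;

  let band = BANDS.find(([min]) => total >= min)[1];
  const overrides = [];

  // Hard rule 1: active exploitation in the wild forces at least P1.
  if (a.exposure === "activelyExploited" && rank(band) > 1) {
    band = "P1";
    overrides.push("active exploitation");
  }

  // Hard rule 2: regulated PII at scale forces at least P1.
  // Assumed: "at scale" means thousands or millions of affected users, and
  // "regulated PII" means regulated data or a regulatory deadline in play.
  const atScale = ["thousands", "millions"].includes(a.affectedUsers);
  const regulatedPii =
    a.dataSensitivity === "regulated" || a.regulatedDeadline === "yes";
  if (regulatedPii && atScale && rank(band) > 1) {
    band = "P1";
    overrides.push("regulated PII at scale");
  }

  return { impact, urgency, total, band, overrides, sla: SLA[band] };
}

// The page's worked example: trivially exploitable SQLi, customer PII,
// thousands of users, GDPR deadline, publicly disclosed.
const sqliExample = scoreIncident({
  dataSensitivity: "customerPii",
  affectedUsers: "thousands",
  regulatedDeadline: "yes",
  exploitability: "trivial",
  exposure: "disclosed",
});
console.log(sqliExample); // total 18 -> P0 under the assumed weights
```

Keeping the override reasons in the result matters more than it looks: when an analyst later downgrades the severity as scope becomes clearer, they can see whether the P1 came from the point total or from a hard rule, and a hard-rule P1 should only drop once the triggering fact (active exploitation, regulated data at scale) is disproven.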
Tips and notes
Use this at the start of triage to set the initial priority, then refine it as the investigation reveals real scope — severity is not fixed and should be re-evaluated as facts change. Pair a P0 or P1 result involving personal data with the GDPR 72-hour notification timer so the legal clock starts on time. Nothing you enter here is transmitted or stored remotely.