Skip to content

User Risk Scoring

User Risk Scoring provides a composite risk score for every user in your organization, calculated from behavioral signals, security events, and access patterns. Scores range from 0 (lowest risk) to 100 (highest risk) and update continuously as new events occur. When a user’s score crosses a configurable threshold, Breeze can automatically assign security training, send notifications, and flag the user for access review.

This feature combines three related capabilities:

  • Risk scoring – numeric scores with factor breakdowns and trend tracking
  • Risk events – a timeline of security-relevant user activities
  • Access reviews – periodic certification of user permissions with automated revocation

Score Range Level Description
0 - 39 Low Normal user behavior, no action needed
40 - 69 Medium Some risk indicators present, monitor closely
70 - 84 High Elevated risk, consider intervention
85 - 100 Critical Immediate attention required

Each risk score includes a trend indicator showing how the score has changed over time.

Trend Meaning
up Score is increasing (risk is growing)
down Score is decreasing (risk is declining)
stable Score has remained steady
Severity Description
low Minor event with minimal risk impact
medium Moderate event that contributes to risk
high Significant event that notably increases risk
critical Severe event requiring immediate investigation

Each risk score includes a factors object that breaks down the score by contributing category. The total score is a weighted sum of all factor scores. Both the individual factor scores and the weights are visible in the risk detail view.


Breeze evaluates eight distinct risk factors for every user. Each factor produces a score from 0 to 100, and the final composite score is a weighted average of all eight. The table below describes each factor, what data feeds it, and its default weight.

Factor What increases it Default weight
MFA risk User does not have MFA enabled (score jumps to 90 if MFA is off, 10 if on) 14%
Auth failure risk Failed logins or denied access attempts in the last 30 days. Each failure adds 18 points 20%
Session anomaly risk Logins from many distinct IP addresses, or an unusually high number of sessions in 30 days 10%
Threat exposure risk Active security threats on devices the user is associated with. Critical threats contribute 35 points each, high 22, medium 12, low 5 20%
Software violation risk Devices with software compliance violations (e.g., unapproved or outdated software) 15%
Device security risk Low security posture scores on the user’s associated devices (calculated from the latest security posture snapshot) 10%
Stale access risk Time since the user last logged in. Less than 7 days = low risk; over 90 days = high risk 6%
Recent impact risk Cumulative score impact from risk events recorded in the last 14 days 5%

Breeze matches users to devices using the last logged-in user reported by each device. The matching is case-insensitive and supports several identity formats: email address, username, DOMAIN\user notation, and name variants. A single user can be associated with multiple devices.

The score boundaries between risk levels are configurable:

Threshold Default Description
Medium 50 Score at or above this level is considered medium risk
High 70 Score at or above this level triggers high-risk notifications
Critical 85 Score at or above this level requires immediate attention
Spike delta 15 A score increase of this many points in one calculation cycle triggers a spike notification
Auto-assign training 80 Score at or above this level triggers automatic training assignment (if enabled)

To change these thresholds, navigate to Settings > User Risk > Policy and adjust the values under the Thresholds tab.


Navigate to the User Risk section in the Breeze dashboard to see a paginated list of all users ranked by their current risk score.

The scores list includes summary statistics:

Metric Description
averageScore Mean score across the current result set
highRiskUsers Count of users with a score of 70 or above
criticalRiskUsers Count of users with a score of 85 or above
Filter Type Description
orgId UUID Filter by organization
siteId UUID Filter by site
minScore Number (0-100) Minimum score threshold
maxScore Number (0-100) Maximum score threshold
trendDirection up, down, stable Filter by score trend
search String Search by user name or email
page Number Page number (default: 1)
limit Number Results per page (1-200, default: 25)

Click on any user to view their full risk profile, including:

  • Current score with factor breakdown
  • Score history and trend
  • Recent risk events
  • Organization membership details

Risk events are individual security-relevant activities associated with a user. Each event has a severity level and a scoreImpact value indicating how much it affects the user’s risk score.

Field Type Description
eventType String Category of the event (max 60 chars)
severity Enum low, medium, high, or critical
scoreImpact Integer Point value added to the user’s risk score
description Text Human-readable description of the event
details JSON Structured data about the event
occurredAt Timestamp When the event occurred
Filter Type Description
orgId UUID Filter by organization
userId UUID Filter by specific user
eventType String Filter by event type
severity Enum Filter by severity level
from ISO datetime Events on or after this time
to ISO datetime Events on or before this time
page Number Page number (default: 1)
limit Number Results per page (1-500, default: 50)

Each organization has a configurable risk policy that controls how scores are calculated, what thresholds trigger interventions, and what automated actions are taken.

Weights determine how much each risk factor contributes to the total score. They are expressed as a key-value map where keys are factor names and values are numeric multipliers.

{
"failedLogins": 2.5,
"unusualLocation": 3.0,
"privilegeEscalation": 5.0,
"policyViolation": 4.0,
"overdueTraining": 1.5,
"staleCredentials": 2.0
}

Higher weights mean that factor has a greater impact on the overall score.

  1. Navigate to Settings > User Risk > Policy.
  2. Adjust weights, thresholds, or intervention settings.
  3. Click Save. Changes take effect immediately for future score calculations.

When a user’s risk score exceeds the configured threshold, Breeze can automatically assign security training. You can also manually assign training to any user.

  1. Navigate to the user’s risk detail page.
  2. Click Assign Training.
  3. Optionally select a specific training module and provide a reason.
  4. Click Assign. The assignment is recorded as a risk event.
Field Required Description
userId Yes Target user ID
orgId No Organization ID (resolved from auth context if omitted)
moduleId No Specific training module to assign
reason No Reason for the assignment (max 500 chars)

If the same training module is already assigned to a user and has not been completed, the assignment is deduplicated. The API response includes a deduplicated: true flag to indicate this.


Access reviews provide a structured process for periodically certifying that users have the correct permissions. A reviewer examines each user’s role and permissions, then makes a decision to approve or revoke access. When the review is completed, revocations are automatically applied.

Status Description
pending Review created, no decisions made yet
in_progress At least one item has been reviewed
completed All items decided and revocations applied
Decision Description
pending Not yet reviewed
approved Access confirmed as appropriate
revoked Access flagged for removal
  1. Navigate to Settings > Access Reviews.
  2. Click New Access Review.
  3. Provide a name, optional description, and due date.
  4. Optionally assign a reviewer (defaults to the current user).
  5. Click Create. Breeze automatically generates review items for every user in the current scope (partner or organization) with their current role assignments.
  1. Open the access review from the list.
  2. For each user, review their role, permissions, last login date, and email.
  3. Set the decision to Approved or Revoked. Optionally add notes.
  4. Repeat for all users.

Each review item shows:

  • User name and email
  • Assigned role name
  • Detailed permissions list (e.g., devices:read, scripts:execute)
  • Last active date
  • Current decision status
  1. Ensure all items have a decision (no pending items remain).
  2. Click Complete Review.
  3. Breeze automatically removes access for all revoked users:
    • Partner reviews: Revoked users are removed from partner_users
    • Organization reviews: Revoked users are removed from organization_users
  4. The review is marked as completed with a timestamp.

All endpoints require authentication with organization, partner, or system scope. Mounted at /api/v1/user-risk.

Method Path Permission Description
GET /scores users:read List risk scores with filters and summary stats
GET /users/:userId users:read Get detailed risk profile for a specific user
GET /events users:read List risk events with filters
GET /policy users:read Get the current risk policy for the organization
PUT /policy users:write Update the risk policy (weights, thresholds, interventions)
POST /assign-training users:write Assign security training to a user

All endpoints require authentication. Mounted at /api/v1/access-reviews.

Method Path Permission Description
GET / users:read List all access reviews for the current scope
POST / users:write Create a new access review with auto-generated items
GET /:id users:read Get review details with all items, roles, and permissions
PATCH /:id/items/:itemId users:write Update the decision on a review item
POST /:id/complete users:write Complete the review and apply revocations

“Organization context required” errors

Section titled ““Organization context required” errors”

Risk scoring endpoints require an organization context. If you are using a partner or system scope, include the orgId query parameter to specify which organization to query.

“User not found in accessible organizations” (404)

Section titled ““User not found in accessible organizations” (404)”

When viewing a user’s risk detail, the user must exist in at least one organization that your account has access to. If the user exists in multiple organizations, include the orgId parameter to specify which one.

Training assignment returns deduplicated: true

Section titled “Training assignment returns deduplicated: true”

This means the same training module was already assigned to the user and has not been completed. No duplicate assignment was created. This is expected behavior, not an error.

“Cannot complete review with pending items” (400)

Section titled ““Cannot complete review with pending items” (400)”

All review items must have a decision (approved or revoked) before the review can be completed. Review the items list and make decisions on any remaining pending entries.

“Cannot modify completed review” (400)

Section titled ““Cannot modify completed review” (400)”

Once a review is completed, its items cannot be changed. Create a new access review if additional changes are needed.

Risk scores are recalculated when new events occur. If scores appear stale, check that risk events are being generated correctly and that the risk policy has weights configured for the relevant factor types.

Access reviews generate items based on the users in the current scope at the time of creation. Users added after the review was created will not appear. Create a new review to include recently added users.