diff --git a/policy/cnspec_policy.proto b/policy/cnspec_policy.proto index 9e77da7a..0d025be6 100644 --- a/policy/cnspec_policy.proto +++ b/policy/cnspec_policy.proto 
@@ -194,6 +194,65 @@ message RiskFactor { bool is_absolute = 72; repeated SoftwareSelector software = 73; repeated ResourceSelector resources = 74; + // Risk Factor indicators are freely configurable. Currently we support: + // + // 1. Contextual risks + // + // - Internet-facing asset [internet-facing] + // Any assets that are facing the internet may be at risk of being breached + // + // - Asset or service in use [asset-in-use] + // Assets or services that are currently being used. If vulnerabilities + // are found on an asset in use, their priority is increased. However, + // vulnerabilities on an asset not in use may be reduced in priority. + // + // - Exploitable vulnerabilities [exploitable] + // Exploitable vulnerabilities are detected on the asset. These are more + // likely to lead to a breach. + // + // - Code Execution risks [code-execution] + // Vulnerabilities are detected which contain (remote) code executions. + // These can cause serious damage to other resources on the asset. + // + // - End of life [eol] + // The asset or some of its resources have reach their end of life and + // no longer receive security updates. Vulnerability analysis is + // unreliable and may not be actionable. + // + // - Defensive countermeasures [defensive] + // Defensive countermeasures have been detected on the asset. These may + // contain security modules, firewalls, or other mitigations. + // + // 2. Downstream exposure + // + // - DB access [db-access] + // Databases are downstream exposures that may hold valuable customer data + // + // - User risks [user-risk] + // Users, often with elevated privileges, that are at risk + // + // - Sensitive data [sensitive-data] + // The asset contains sensitivie data, which an attacker may access if + // they manage to breach it. + // + // - Credential risks [credentials] + // Credentials are found on the asset that attackers may use to elevate + // their privileges or breach other systems. 
+ // + // - Containers or Kubernetes [containers] + // Containers or Kuberenetes environments are found ont he asset. Attackers + // may expand their attacks to these virtual systems. + // + // 3. Misc + // + // - Tagged assets [tagged] + // Tagged assets may be increased or decreased in priority, depending on + // a users' needs. For example: Critical production infrastructure may + // increase the risk of findings. + // + // - Other risks [uncategorized] + // This captures any other type of risk factor, that doesn't fit the above + // risk categories. string indicator = 75; }
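Review bot: the comment block above `string indicator = 75;` documents a fixed set of identifiers (`internet-facing`, `asset-in-use`, `exploitable`, `code-execution`, `eol`, `defensive`, `db-access`, `user-risk`, `sensitive-data`, `credentials`, `containers`, `tagged`, `uncategorized`) while the field itself stays a free-form string, and its opening sentence "Risk Factor indicators are freely configurable" sits uneasily next to "Currently we support"; please state in the comment whether a value outside this list is rejected when the policy is loaded or silently treated as `uncategorized`, since consumers of the risk score will otherwise disagree on how to handle an unknown indicator. Also fix the spelling errors in the new comment before merge: "sensitivie" -> "sensitive", "Kuberenetes" -> "Kubernetes", "ont he" -> "on the", and "have reach their end of life" -> "have reached their end of life".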