How It Works

The Technology Behind SecurityScorecard

The Foundation Layer: ThreatMarket

The ThreatMarket™ proprietary data engine collects and correlates hundreds of security-risk indicators as engineered by leading white hat security researchers.


We subscribe to raw data feeds from publicly available open-source malware intelligence resources. These resources are intended for network administrators to add to firewalls, however our alternate use case is the ability to analyze malicious activity originating from these feeds that affect infected enterprises. This process is achieved through the use of our IP mapping technology.

Proprietary Data

The bulk of our data originates from a proprietary collection of security intelligence sensors known as ThreatMarket, an intelligence engine collecting many terabytes of unique datasets per month from home grown: malware analysis pipelines, monitored hacker chatter crawlers, honeypot/sinkhole infrastructures, vulnerability cadence checkers, and deep social engineering sensors.

Data Feeds

The scale of the Internet is immense. While the large majority of our data sets are derived from our own proprietary collection engines, we do subscribe to the leading threat intelligence data feeds to help us fill minor data intelligence gaps. We approach these exclusive high-quality threat intelligence feeds with a ‘checks and balances’ mindset to validate the discoveries from own proprietary findings.

Attribution Layer

Our combined proprietary fingerprinting engines and matching engines are unprecedented in the security industry.

Digital Fingerprinting

Our proprietary fingerprint engine is the full range of any corporations’ public IP address infrastructure not behind a firewall.

Matching Engine

Also proprietary, this engine takes all the risk signals and sensors we collect, matches them to a digital fingerprint to complete attribution.

Contextual Layer

Grades are a composite of 10 security categories that present the information in context:

Web Application Security

The score determines the likelihood of an upcoming web application breach, and non-intrusively checks for any existing exploit codes in a given company’s websites. Presence of vulnerable applications, outdated versions, and active defacements are used to calculate the overall grade.

Network Security

This score matches known vulnerabilities within exposed network services, and identifies server-side vulnerabilities that may impact the enterprise through an attack against a network port. The presence of detected vulnerable versions is used to calculate the overall grade.

Endpoint Security

This score tracks identification points that are extracted from metadata related to the operating system, web browser, and related active plugins, as applied by users within an organization’s computers. We identify outdated versions of these data points which can lead to client-side exploitation attacks.

IP Reputation

Our sinkhole system ingests millions of malware signals from commandeered Command and Control (C2) infrastructures from all over the world. The incoming data is then processed and attributed to corporate enterprises. The quantity and duration of malware infections are used as the determining factor for these calculations.

Social Engineering

This module ingests data from social networks, public data breaches, and blends proprietary analysis methods. The score is calculated based on the quantity of indicators that appear in our collection sensors. We determine whether or not corporate credentials are in use on social networks.

Hacker Chatter

Repositories of underground hacker community discussions are continuously monitored, collected, and aggregated to locate mentions of company names and websites. We monitor active malicious underground resources on the TOR network and other communities not indexed by search engines.

DNS Health

This module measures the health and configuration of a company’s DNS settings. It validates that no malicious events occurred in the passive DNS history of the company’s network and helps validate that mail servers have proper spoofing protections.

Cubit Score

This proprietary algorithmic module reveals an assortment of misconfigurations that a company may have to indicate a poor security posture. Examples include: IP addresses flagged in threat intelligence sources; Exposed administrative domains, misconfigurations of SSL certificates, and weak encryption ciphers.

Patching Cadence

This module analyzes how quickly a company reacts to vulnerabilities to measure patching practices. We look at the rate at which it takes a company to remediate and apply patches compared to peers.

Leaked Credentials

Our deep web monitoring capabilities identify compromised credentials being circulated by thieves and attackers. These come in the form of bulk data breaches announced publicly, as well as smaller breaches, and smaller exchanges between hackers.

Take a tour