Your cybersecurity journey starts with trust

How are your cybersecurity ratings created?

SecurityScorecard ratings are created by: discovering the attack surface of an organization from the outside; picking up signals non-intrusively about that organization that indicate what’s happening inside the organization; and applying a statistical model that is based on nine years of historical data showing how organizations perform compared to others.

Do I need to pay to access, improve, or challenge my SecurityScorecard rating?

Never. Any organization can access its scorecard for free and annotate it with internal information (such as SOC 2 documentation and compliance certifications) to ensure its voice is heard. In turn, we share recommendations with organizations on how they can improve their scores and become more resilient. This can all be done free of charge.

Will I get breached even if I have an “A” rating? 

Validation testing uncovered that companies with an A rating are 7.7X less likely to experience a breach than those with an F rating. But if a determined group of hackers or a nation-state decides to target an organization — even one with an “A” rating — it can get breached. Using the SecurityScorecard platform, customers can identify and plan for clear areas of improvement and thus reduce their cyber risk. Additionally, SecurityScorecard offers cyber resilience services such as Digital Forensics and Incident Response which can help you quickly triage a breach, stop further damage, investigate the source, and develop actionable reporting.

What is the frequency of your scans?

SecurityScorecard non-intrusively scans the entire IPv4 web space, more than 3.9 billion routable IP addresses, every 10 days across more than 1,400 ports.

Do cybersecurity ratings only include outside-in data? 

SecurityScorecard finds external-facing assets from the outside-in that can often indicate to an organization what’s happening on the inside, for instance: how diligently a browser’s operating system is patched, or the reaction time to malware. However, we also ingest inside-out info from organizations in order to provide more context into their internal security practices; organizations can list their security policies and provide documentation to support compliance with SOC 2, payment card industry (PCI) standards, HIPAA, and more. Organizations are also encouraged to submit questionnaires, claim profiles, and more.

Do ratings take into account internal compensating controls? 

While the visible Internet attack surface is the main target for cyberattacks—and generally a reflection of an organization’s cybersecurity posture—there’s a chance that there are internal vulnerabilities that we don’t see and aren’t represented in the overall score. However, SecurityScorecard calibrates our algorithms to account for this, and it’s why we allow any organization to provide additional context by contributing evidence of their internal security controls through internal security tools (such as XDR/EDR) integrations.

If I think my score is inaccurate, what can I do?

SecurityScorecard offers a straightforward refute process that enables collaboration; is equally open to customers and non-customers; and encourages users to manage, validate, and make corrections as needed. If you believe your rating is inaccurate, our team is quick to respond with the industry’s fastest and most accurate refute process, while still maintaining credibility of the score.

How long does it take to update my score?

After you submit a resolution or removal request, our customer support team will review the request and any supporting evidence within 48 hours. If your requests are approved by our support team, your new score will be reflected on your Scorecard as a Projected Score within a few minutes. If more action is needed, you will receive an explanatory email.

Will my score be accurate if I own a small or medium-sized business (SMB)?

Our cybersecurity ratings are designed to find signals on any company, big or small; whether your organization has one IP address or one million. While there are enough signals provided by SMBs, there may be an overly positive perception of their security postures because their Internet attack surface is small. To increase accuracy, organizations should provide contributory evidence (such as: network designations, security policies, compliance validation, and more).

Can I get an accurate score if I’m a cloud or telecommunications provider? 

ISP/telecom providers have vast numbers of IP addresses. As a result, it can be difficult to attribute assets between their own corporate domains and the ones controlled by customers. Overall, this segment requires a more nuanced way of attribution. The security ratings industry is working on this challenge, and as the category advances we should see a more sophisticated approach to addressing this domain attribution issue.

How can I use ratings with my board of directors? 

Use this template to communicate benchmarking, reduce supply chain risk, and prove the effectiveness of security investments. Download the template and make it your own.

How can I use ratings to lower my cyber insurance?

Identify and plan for clear areas of improvement and reduce your cyber risk, which can result in validation with a higher security rating and, ultimately, a lower cyber insurance quote.

How can I use ratings to monitor my third parties?

Obtain visibility into your cyber risk exposure by using security ratings to continuously monitor and measure the security posture of the third parties in your entire vendor ecosystem.