Security ratings are commonly used by third-party risk management (TPRM) teams to manage vendors, investment targets, and insurance applicants, as well as internal security teams during their cybersecurity performance management process.

UpGuard’s proprietary scanning infrastructure monitors and collects billions of data points daily through trusted commercial, open-source, and proprietary methods. Our focus is on non-invasive, passive data collection, which can be uniquely performed at scale and on-demand.

To produce an organization's security rating, UpGuard calculates a weighted average of the automated scan data for owned assets and combines that with the organization's questionnaire score (if applicable). Automated scanning contribute 50% of the overall security rating, with the questionnaire score contributing the remaining 50%.

Each category is given a weighting based on the total number of risks in the category and the severity of the category's risks. If you have many open risks with high severities in a category, that category will receive more weight toward your organization's security rating.

UpGuard analyzes and calculates a security rating out of 950 using a proprietary, subtractive scoring algorithm. Assets begin with a complete score of 950 and then decrease as they fail cybersecurity review for specific threat signals. Deductions are weighted by the severity of the risk (critical, high, medium, low). While the security rating can be indicative of your external security posture, it's also important to assess how your score is affected.

You receive both a numeric score out of 950 and a corresponding letter grade: