How are UpGuard's Security Ratings Calculated?

UpGuard's security ratings are calculated by a proprietary algorithm that operates on large-scale data collection.

Written by Abi Tyas Tunggal
Updated over a week ago

Security ratings provide a useful litmus test for an organization's security posture and for how effectively its security policies are applied to its systems. These security ratings can augment existing assessment practices such as compliance questionnaires, on-site visits, and security testing.

UpGuard can calculate a security rating for any organization with a public internet presence. UpGuard's security ratings range from 0 to 950. The higher the rating, the more effective the organization's security practices.

UpGuard's scoring algorithm

UpGuard's proprietary scanning infrastructure monitors and collects billions of data points daily through trusted commercial, open-source, and proprietary methods. Our focus is on non-invasive, passive data collection, which can be performed at scale and on demand to evaluate the external security posture of your internet-facing assets. Because data collection and analysis are conducted daily, these security ratings remain up to date.

UpGuard calculates a security rating out of 950 from this data collection and an analytical scoring algorithm. The scoring algorithm is subtractive: each asset begins with the full score of 950, and points are deducted for every specific threat signal on which it fails cybersecurity review. Deductions are weighted by the severity of the risk (critical, high, medium, low).

Your security rating is a weighted average of automated scanning results for your owned assets combined with your questionnaire score (if applicable). Automated scanning contributes 50% of the overall security rating, with the scored risks arising from questionnaires contributing the remaining 50%.

How UpGuard calculates security ratings for domains and IP addresses

The security rating for your owned assets (domains and IP addresses) is calculated from many individual checks grouped into five categories. Each category has a weight appropriate to its impact on your organization's overall security posture:

  • 43% for Website Security

  • 26% for Network Security

  • 13% for Brand & Reputation Risk

  • 9% for Phishing & Malware Risk

  • 9% for Email Security

The weight a category carries in your rating also depends on the total number of risks in that category and on their severity. If you have many open risks with high severities in a category, that category will contribute more weight to your organization's security rating.

Understanding your security rating

Your security rating includes both a numeric score out of 950 and a corresponding letter grade. These ratings are a strong indication of an organization's security posture, though we recommend drilling into the individual risks and vulnerabilities raised during our data collection process.

These ratings provide insight into your potential attack surface, helping you identify areas of improvement in your security protocols. Here is an overview of the ratings:

  • A — 801-950: Low risk for a data breach in the immediate future; organizations possess strong competencies in creating, adopting, and implementing strong security policies.

  • B — 601-800: Low to medium risk of a data breach in the immediate future; organizations refer to best practice frameworks for security policies and dedicate financial and human resources to implement them, but they may be inconsistently applied across digital surfaces.

  • C — 401-600: Medium to high risk of a data breach in the immediate future; organizations in this range may already have been breached in the last year, or may be continuously compromised without being aware of it.

  • D — 201-400: High risk of being breached in the immediate future, or the organization has already been breached.

  • F — 0-200: Organizations in this range have multiple points of entry for a breach. Any organization in any sector of business in this range does not dedicate close to the appropriate amount of resources to security.
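The following worked model ties together the subtractive, severity-weighted scoring, the five category weights, the 50/50 blend with a questionnaire score, and the letter-grade bands described above. It is an added illustration written for this article, not UpGuard's proprietary algorithm or code: the 950 ceiling, the category percentages, the blend ratio and the grade bands come from the text, while the per-severity deduction amounts, the sample findings and the function names are constructed assumptions.

```python
"""Illustrative model of a subtractive, weighted security rating.

Values taken from the article: 950 ceiling, category weights, 50/50 blend
with the questionnaire, letter-grade bands. Everything else (deduction
sizes per severity, sample findings) is a constructed assumption.
"""
from dataclasses import dataclass

MAX_SCORE = 950

# Category weights as stated in the article (fractions of the automated score).
CATEGORY_WEIGHTS = {
    "website_security": 0.43,
    "network_security": 0.26,
    "brand_reputation": 0.13,
    "phishing_malware": 0.09,
    "email_security": 0.09,
}

# Constructed assumption: points deducted per failed check, by severity.
SEVERITY_DEDUCTION = {"critical": 300, "high": 150, "medium": 60, "low": 20}

# Letter-grade bands from the article, as (lower bound, grade), highest first.
GRADE_BANDS = [(801, "A"), (601, "B"), (401, "C"), (201, "D"), (0, "F")]


@dataclass(frozen=True)
class Finding:
    """One failed check: which category it belongs to and how severe it is."""
    category: str
    severity: str
    description: str


def category_score(findings, category):
    """Subtractive scoring: start at MAX_SCORE, deduct per failed check, floor at 0."""
    if category not in CATEGORY_WEIGHTS:
        raise ValueError(f"unknown category: {category}")
    score = MAX_SCORE
    for finding in findings:
        if finding.category == category:
            score -= SEVERITY_DEDUCTION[finding.severity]
    # A badly failing category cannot drag the score below zero.
    return max(score, 0)


def automated_score(findings):
    """Weighted average of the five category scores (weights sum to 1)."""
    assert abs(sum(CATEGORY_WEIGHTS.values()) - 1.0) < 1e-9
    return sum(weight * category_score(findings, cat)
               for cat, weight in CATEGORY_WEIGHTS.items())


def overall_rating(findings, questionnaire_score=None):
    """Blend automated scanning 50/50 with the questionnaire score when one exists."""
    auto = automated_score(findings)
    if questionnaire_score is None:
        return round(auto)
    return round(0.5 * auto + 0.5 * questionnaire_score)


def letter_grade(rating):
    """Map a 0-950 rating onto the A-F bands from the article."""
    for lower_bound, grade in GRADE_BANDS:
        if rating >= lower_bound:
            return grade
    raise ValueError(f"rating out of range: {rating}")


# Constructed sample findings for a hypothetical organization.
SAMPLE_FINDINGS = [
    Finding("website_security", "critical", "constructed: TLS misconfiguration"),
    Finding("network_security", "high", "constructed: exposed admin service"),
    Finding("network_security", "medium", "constructed: outdated server banner"),
    Finding("email_security", "medium", "constructed: missing DMARC policy"),
]

if __name__ == "__main__":
    for cat in CATEGORY_WEIGHTS:
        print(f"{cat:18s} {category_score(SAMPLE_FINDINGS, cat):4d}")
    rating = overall_rating(SAMPLE_FINDINGS)
    print(f"automated only : {rating} ({letter_grade(rating)})")
    blended = overall_rating(SAMPLE_FINDINGS, questionnaire_score=851)
    print(f"with questionnaire: {blended} ({letter_grade(blended)})")
```

With these sample findings the website category drops to 650, network to 740 and email to 890, the weighted automated score comes to 761 (grade B), and blending with a questionnaire score of 851 lifts the overall rating to 806 (grade A). That last step shows why the 50/50 split matters in practice: a questionnaire answered well can offset scan findings, so reviewers should look at the scan-side category scores, not only the blended number.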

UpGuard's adherence to the Principles for Fair and Accurate Security Ratings

UpGuard adheres to the U.S. Chamber of Commerce's Principles for Fair and Accurate Security Ratings. Because the data UpGuard collects is dynamic and comes from many sources, we believe that these principles provide a strong foundation for our scoring approach.

  • Transparency: UpGuard believes in providing full and timely transparency to our customers and to any organization that wishes to understand its security posture. You can request your free security rating at any time and book a free trial to learn more about our platform.

  • Dispute, Correction, and Appeal: UpGuard is committed to working with customers, vendors, and any organization that believes its security rating is outdated or otherwise inaccurate.

  • Accuracy and Validation: UpGuard's security ratings are data-driven and based on independently verifiable and accessible information.

  • Model Governance: While the datasets and methodologies used to calculate UpGuard's security ratings will change to better reflect how cybersecurity risk should be mitigated, we provide reasonable notice and explanation to our customers about how their security rating may be affected.

  • Independence: No commercial agreement, or lack of one, enables an organization to improve its security rating without improving its security posture.

  • Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. We do not provide third parties with sensitive or confidential information on rated organizations that could lead to system compromise.
