UpGuard's Proprietary Scoring Algorithm
We collect data on a daily basis through trusted commercial, open-source, and proprietary methods. This allows us to evaluate the external security posture of Internet-facing assets.
The output of this data collection process is analyzed by our proprietary scoring algorithm to produce a score out of 950.
The scoring algorithm is subtractive, in that assets start with a score of 950 and have points subtracted for each check they fail.
The number of points deducted is based on the severity of the underlying risks. These underlying risks are categorized into critical, high, medium, and low risk.
The closer an asset's security rating is to 950, the better its external security posture and the lower its residual risk exposure.
While scores can be indicative of your external security posture, it’s just as important to monitor where your score is being affected. For a more detailed look at how risks are impacting your overall score, we recommend using the Remediation Planner.
Weighted average security ratings
To produce an organization's security rating, we take a weighted average of all the automated scanning security ratings of their domains and IP addresses and combine that with the organization's questionnaire score (if applicable).
The automated scanning scores contribute 50% of the overall security rating and the questionnaire score contributes the remaining 50%.
Our in-house security research team is constantly adding new checks over time, which means we update our scoring algorithm from time to time to better reflect what we consider a best-in-class security posture.
Along with a numeric grade, we produce a letter grade:
Principles of Fair and Accurate Security Ratings
Security ratings are relatively new and carry their own risks. As noted by the Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, ratings rely on data from a dynamic environment with many sources.
This is why UpGuard adheres to the Principles of Fair and Accurate Security Ratings:
Transparency: UpGuard believes in providing full and timely transparency not only to our customers but to any organization who wants to understand their security posture, which is why you can request your free security rating here and you can book a free trial of our platform here.
Dispute, Correction and Appeal: UpGuard is committed to working with customers, vendors and any organization who believes their score is not accurate or outdated.
Accuracy and Validation: UpGuard's security ratings are empirical, data-driven and based on independently verifiable and accessible information.
Model Governance: While the datasets and methodologies used to calculate our security ratings can change from time to time to better reflect our understanding of how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.
Independence: No commercial agreement or lack thereof, gives an organization the ability to improve their security rating without improving their security posture.
Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. Nor do we provide third-parties with sensitive or confidential information on rated organizations that could lead to system compromise.UpGuard's security ratings range from 0 to 950. The higher the rating, the more effective the organization's security practices.
How UpGuard determines the security rating of Domains & IPs
The security rating calculation for a Domain or IP address is based on hundreds of individual checks that can be grouped into the following five categories:
Website security (43% weighting)
Network security (26% weighting)
Brand & Reputation Risk (13% weighting)
Phishing & Malware (9% weighting)
Email Security (9% weighting)
The weighting of each category is decided based on the total number of risks in the category and the severity of the category's risks. The more risks and the higher their severities the more weighting the category receives.