How are UpGuard's Security Ratings Calculated?

UpGuard's security ratings are calculated through a proprietary algorithm based on large data collection.

Written by Abi Tyas Tunggal

Updated for the 12 August 2024 security ratings release.

Security ratings provide a useful litmus test for an organization's security posture and the effectiveness of its security policies as applied to its systems. These security ratings can augment existing assessment practices such as compliance questionnaires, on-site visits, and security testing.

UpGuard can calculate a security rating for any organization with a public internet presence. UpGuard's security ratings range from 0 to 950. The higher the rating, the more effective the organization's security practices.

UpGuard's scoring algorithm

UpGuard's proprietary scanning infrastructure monitors and collects billions of data points daily through trusted commercial, open-source, and proprietary methods. Our focus is on non-invasive, passive data collection, which can be uniquely performed at scale and on demand to evaluate the external security posture of your internet-facing assets. These security ratings remain up to date because our data collection and analysis are conducted daily.

UpGuard calculates a security rating out of 950 through this data collection and analytical algorithmic scoring. The scoring algorithm is subtractive, so assets begin with a complete score of 950 and then decrease as they fail cybersecurity review for specific threat signals. Deductions are weighted by the severity of the risk (critical, high, medium, low).

The score generated from the automated external scanning can be combined with the scores of your questionnaires to gain a more accurate measurement of your risk. Your security rating is then a weighted average of automated scanning results for your owned assets combined with your questionnaire score. Automated scanning contributes 50% of the overall security rating, with the scored risks arising from questionnaires contributing the remaining 50%.

How UpGuard calculates security ratings for domains and IP addresses

The scoring system has three hierarchical levels: score penalties for individual findings, calculated scores for individual domains and IPs, and calculated scores for organizations. Each domain and IP is scanned; the findings for each asset are then used to calculate that asset's score; and finally the scores for all of an organization's assets are combined algorithmically using a weighted mean based on the size of the organization.

Each finding belongs to one of ten categories that relate to a single security domain or threat actor behavior. Scores for each category are calculated based on the number of failures relative to the number of potential risks in that category. The overall score is calculated based on the total set of risks identified for that asset.

It's important to note that the overall score is calculated based on all the risks identified on an asset, not as a combination of the category scores. The percentages for each category listed below describe the distribution of penalties to give some sense of the relative weight of each category.

  • IP/Domain Reputation (19%)

  • Website (19%)

  • Encryption (17%)

  • Vulnerability Management (13%)

  • Attack Surface (11%)

  • Network (8%)

  • Email (7%)

  • Data Leakage (3%)

  • DNS (2%)

  • Brand Reputation (1%)

The category's weight is based on the total number of risks in the category and the severity of the category's risks. If you have many open risks with high severities in a category, that category will receive more weight toward your organization's security rating. For example, while Network security is listed as 8%, many critical open ports will result in losing more than 8% of an asset's score, as this category will then be weighted more heavily.

Understanding your security rating

Your security rating includes both a numeric score out of 950 and a corresponding letter grade. These ratings are a strong indication of an organization's security posture, though we recommend drilling into the individual risks and vulnerabilities that are raised during our data collection process.

These ratings provide insight into your potential attack surface, helping you identify areas of improvement in your security protocols. Here is an overview of the ratings:

  • A — 801-950: Organization has a robust security posture and good attack surface management.

  • B — 601-800: Organization has basic security controls in place but could have large gaps in their security posture.

  • C — 401-600: Organization has poor security controls and has serious issues that need to be addressed.

  • D — 201-400: Organization has severe security issues that need to be addressed and should not process any sensitive data.

  • F — 0-200: Organization has not invested in basic security controls.
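To make the three-level scoring hierarchy, the 50/50 blend with questionnaire results and the letter-grade bands concrete, here is a small toy model written as an added example for this page. It is not UpGuard's code: the per-severity penalty values, the equal default asset weights, the asset names and the sample findings are all constructed assumptions, while the 950 ceiling, the subtractive approach, the 50/50 blend and the grade bands are taken from the text above. It also shows why the category percentages describe the distribution of deducted points rather than a combination of per-category scores.

```python
"""Toy model of a subtractive, severity-weighted security rating.

Assumptions (not UpGuard's published values): the per-severity penalties,
the equal default asset weights and the sample findings are all constructed
for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_SCORE = 950  # every asset starts at the full score and loses points per finding

# Hypothetical penalty per finding severity; the real weights are proprietary.
SEVERITY_PENALTY = {"critical": 200, "high": 100, "medium": 40, "low": 10}

# Letter-grade bands as given on the page (inclusive lower bounds, checked top-down).
GRADE_BANDS = [(801, "A"), (601, "B"), (401, "C"), (201, "D"), (0, "F")]


@dataclass(frozen=True)
class Finding:
    asset: str      # domain or IP the finding was observed on
    category: str   # one of the ten risk categories
    severity: str   # critical / high / medium / low


def asset_score(findings):
    """Level 2: subtract every finding's penalty from 950, flooring at 0."""
    deducted = sum(SEVERITY_PENALTY[f.severity] for f in findings)
    return max(0, MAX_SCORE - deducted)


def organization_score(asset_scores, weights=None):
    """Level 3: weighted mean of asset scores. Equal weights by default;
    the page says the real weighting depends on organization size."""
    if weights is None:
        weights = [1] * len(asset_scores)
    return round(sum(s * w for s, w in zip(asset_scores, weights)) / sum(weights))


def combined_rating(scan_score, questionnaire_score):
    """50/50 blend of automated scanning and questionnaire scores."""
    return round(0.5 * scan_score + 0.5 * questionnaire_score)


def letter_grade(score):
    """Map a 0-950 score onto the A-F bands listed on the page."""
    for lower, grade in GRADE_BANDS:
        if score >= lower:
            return grade
    raise ValueError(f"score out of range: {score}")


def penalty_distribution(findings):
    """Share of total deducted points per category. This is what the category
    percentages describe; the asset score is never rebuilt from category scores."""
    by_category = defaultdict(int)
    for f in findings:
        by_category[f.category] += SEVERITY_PENALTY[f.severity]
    total = sum(by_category.values())
    return {c: p / total for c, p in by_category.items()} if total else {}


# Constructed sample findings across three hypothetical assets.
SAMPLE_FINDINGS = [
    Finding("web.example.com", "Vulnerability Management", "critical"),
    Finding("web.example.com", "Encryption", "high"),
    Finding("web.example.com", "Website", "low"),
    Finding("mail.example.com", "Email", "medium"),
    Finding("mail.example.com", "DNS", "low"),
]
SAMPLE_ASSETS = ["web.example.com", "mail.example.com", "203.0.113.10"]


def rate_organization(findings=SAMPLE_FINDINGS, assets=SAMPLE_ASSETS, questionnaire_score=700):
    """Run the full pipeline and return intermediate and final values."""
    per_asset = {a: asset_score([f for f in findings if f.asset == a]) for a in assets}
    scan = organization_score(list(per_asset.values()))
    final = combined_rating(scan, questionnaire_score)
    return {
        "asset_scores": per_asset,
        "scan_score": scan,
        "rating": final,
        "grade": letter_grade(final),
        "penalty_distribution": penalty_distribution(findings),
    }


if __name__ == "__main__":
    for key, value in rate_organization().items():
        print(f"{key}: {value}")
```

With the constructed sample, the web host loses 310 points (640), the mail host loses 50 (900) and the untouched IP stays at 950, giving a scan score of 830; blended with a questionnaire score of 700 the rating is 765, a B. The floor at 0 matters: an asset with five critical findings would otherwise go negative and drag the organization's weighted mean below what any real asset can score.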

UpGuard's adherence to the Principles for Fair and Accurate Security Ratings

UpGuard adheres to the U.S. Chamber of Commerce's Principles for Fair and Accurate Security Ratings. Because the data UpGuard collects is dynamic and comes from many sources, we believe that these principles provide a strong foundation for our scoring approach.

  • Transparency: UpGuard believes in providing full and timely transparency to our customers and to any organization who wishes to understand their security posture. You can request your free security rating at any time and book a free trial to learn more about our platform.

  • Dispute, Correction, and Appeal: UpGuard is committed to working with customers, vendors, and any organization who believes their security rating is outdated or otherwise not accurate.

  • Accuracy and Validation: UpGuard's security ratings are data-driven and based on independently verifiable and accessible information.

  • Model Governance: While the datasets and methodologies used to calculate UpGuard's security ratings will change to better reflect how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.

  • Independence: No commercial agreement or lack thereof enables an organization to improve their security rating without improving their security posture.

  • Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. We do not provide third parties with sensitive or confidential information on rated organizations that could lead to system compromise.
