How are UpGuard's Security Ratings Calculated?

UpGuard's security ratings are calculated through a proprietary algorithm based on large data collection.

Written by Abi Tyas Tunggal
Updated this week

Security ratings provide a useful litmus test for an organization's security posture and the effectiveness of its security policies as applied to its systems. These security ratings can augment existing assessment practices such as compliance questionnaires, on-site visits, and security testing.

UpGuard can calculate a security rating for any organization with a public internet presence. UpGuard's security ratings range from 0 to 950. The higher the rating, the more effective the organization's security practices.

UpGuard's scoring algorithm

UpGuard’s proprietary scanning infrastructure monitors and collects billions of data points daily through trusted commercial, open-source, and proprietary methods. Our focus is on non-invasive, passive data collection, which can be uniquely performed at scale and on-demand to evaluate the external security posture of your internet-facing assets. These security ratings remain up-to-date because our data collection and analysis are conducted daily.

UpGuard calculates a security rating out of 950 by applying algorithmic scoring to this collected data. The scoring algorithm is subtractive: assets begin with a complete score of 950, and the score decreases as they fail cybersecurity review for specific threat signals. Deductions are weighted by the severity of the risk (critical, high, medium, low).

Your security rating is a weighted average of automated scanning results for your owned assets combined with your questionnaire score (if applicable). Automated scanning contributes 50% of the overall security rating, with the scored risks arising from questionnaires contributing the remaining 50%.

How UpGuard calculates security ratings for domains and IP addresses

The security rating for your owned assets (domains and IP addresses) is calculated from many individual checks grouped into five categories. Each category has a weight appropriate to its impact on your organization's overall security posture:

  • 43% for Website Security

  • 26% for Network Security

  • 13% for Brand & Reputation Risk

  • 9% for Phishing & Malware Risk

  • 9% for Email Security

The category's weight is based on the total number of risks in the category and the severity of the category's risks. If you have many open risks with high severities in a category, that category will receive more weight toward your organization's security rating.

Understanding your security rating

Your security rating includes both a numeric score out of 950 and a corresponding letter grade. These ratings are a strong indication of an organization's security posture, though we recommend drilling into the individual risks and vulnerabilities that are raised during our data collection process.

These ratings provide insight into your potential attack surface, helping you identify areas of improvement in your security protocols. Here is an overview of the ratings:

  • A — 801-950: Organization has a robust security posture and good attack surface management.

  • B — 601-800: Organization has basic security controls in place but could have large gaps in their security posture.

  • C — 401-600: Organization has poor security controls and has serious issues that need to be addressed.

  • D — 201-400: Organization has severe security issues that need to be addressed and should not process any sensitive data.

  • F — 0-200: Organization has not invested in basic security controls.
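
A worked calculation using the weights, the 50/50 split and the grade bands given on this page, as an added example (not UpGuard's code; the actual algorithm is proprietary). It assumes each category yields a 0-950 score, that the listed weights combine as a plain weighted average, and that the scanning score alone is used when no questionnaire applies; the sample scores are constructed.

```python
from typing import Mapping, Optional

MAX_SCORE = 950

# Category weights as listed on this page (percent of the automated scanning score).
CATEGORY_WEIGHTS = {
    "Website Security": 43,
    "Network Security": 26,
    "Brand & Reputation Risk": 13,
    "Phishing & Malware Risk": 9,
    "Email Security": 9,
}

# Letter-grade bands as listed on this page: (lowest score in band, grade).
GRADE_BANDS = [(801, "A"), (601, "B"), (401, "C"), (201, "D"), (0, "F")]

# Constructed sample: strong network and reputation results, weak email security.
SAMPLE = {
    "Website Security": 700,
    "Network Security": 900,
    "Brand & Reputation Risk": 950,
    "Phishing & Malware Risk": 950,
    "Email Security": 500,
}


def scanning_score(category_scores: Mapping[str, float]) -> float:
    """Weighted average of per-category scores (assumed to be on the 0-950 scale)."""
    if set(category_scores) != set(CATEGORY_WEIGHTS):
        raise ValueError("expected exactly one score per category")
    for name, score in category_scores.items():
        if not 0 <= score <= MAX_SCORE:
            raise ValueError(f"{name}: score {score} is outside 0-{MAX_SCORE}")
    total = sum(CATEGORY_WEIGHTS[c] * s for c, s in category_scores.items())
    return total / sum(CATEGORY_WEIGHTS.values())


def overall_rating(category_scores: Mapping[str, float],
                   questionnaire_score: Optional[float] = None) -> int:
    """50% scanning + 50% questionnaire; scanning alone if none applies (assumption)."""
    scan = scanning_score(category_scores)
    if questionnaire_score is None:
        return round(scan)
    if not 0 <= questionnaire_score <= MAX_SCORE:
        raise ValueError("questionnaire score is outside the rating range")
    return round(0.5 * scan + 0.5 * questionnaire_score)


def letter_grade(rating: int) -> str:
    """Map a 0-950 rating to the page's letter grade."""
    if not 0 <= rating <= MAX_SCORE:
        raise ValueError("rating is outside the rating range")
    return next(grade for floor, grade in GRADE_BANDS if rating >= floor)
```

With the sample scores, the 500 in Email Security carries only 9% of the weight, so the scanning score is 789 (grade B); a questionnaire score of 851 lifts the combined rating to 820 (grade A).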

UpGuard's adherence to the Principles for Fair and Accurate Security Ratings

UpGuard adheres to the U.S. Chamber of Commerce's Principles for Fair and Accurate Security Ratings. Because the data UpGuard collects is dynamic and comes from many sources, we believe that these principles provide a strong foundation for our scoring approach.

  • Transparency: UpGuard believes in providing full and timely transparency to our customers and to any organization who wishes to understand their security posture. You can request your free security rating at any time and book a free trial to learn more about our platform.

  • Dispute, Correction, and Appeal: UpGuard is committed to working with customers, vendors, and any organization who believes their security rating is outdated or otherwise not accurate.

  • Accuracy and Validation: UpGuard's security ratings are data-driven and based on independently verifiable and accessible information.

  • Model Governance: While the datasets and methodologies used to calculate UpGuard's security ratings will change to better reflect how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.

  • Independence: No commercial agreement or lack thereof enables an organization to improve their security rating without improving their security posture.

  • Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. We do not provide third parties with sensitive or confidential information on rated organizations that could lead to system compromise.
