Security Ratings FAQ

Frequently asked questions about UpGuard security ratings.

Written by Caitlin Postal 

UpGuard provides data-driven security ratings to represent an organization's cybersecurity posture. Security ratings adjust dynamically in relation to quantitative assessment and continuous data collection. This article answers frequently asked questions about UpGuard's security ratings and data collection. If you have additional questions not answered here, please reach out to our Customer Success team.

UpGuard collects data using non-intrusive techniques to assess the security posture for a wide variety of organizations. We use threat signals gathered from trusted commercial, open-source, and proprietary sources, alongside risks identified in security questionnaires and risk assessments conducted on the UpGuard platform.

These threat signals are open and accessible from the public Internet, which means we only use non-intrusive techniques to gather information. We never attempt to bypass any security controls an organization has in place.

What are non-intrusive scanning techniques?

Non-intrusive or passive scanning techniques use standardized and publicly accessible network-based protocols to query hosts. In contrast, intrusive or active scans often attempt to compromise a system and thereby highlight security vulnerabilities.

Some attributes that can be scanned passively include the following:

  • Open ports: Applications communicate over the network through TCP ports. For example, standard web traffic uses port 80, while HTTPS traffic uses port 443. A common practice is to deny TCP ports that are not actively used.

  • SSL/TLS certificates: TLS certificates carry the public keys used to authenticate a server and establish encrypted communications. A best practice is for public websites to transmit data with HTTPS and to ensure TLS certificates are current.

  • DNS records: Scanning a website's DNS records for public information can help assess possible security risks to an organization, such as email security controls and domain hijacking risk.

These three examples are non-intrusive, as the information is publicly accessible and there is no attempt to exploit the vulnerabilities found.

While we do send messages to servers to trigger a response, these messages never try to take advantage of misconfigurations or simulate attacks. We never actively send information to a server or act beyond the initial request.
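The three passive checks described above can be reproduced with only standard-library calls. The following is an added example written for this article, not UpGuard's scanner: the network helpers open a connection and read what the server volunteers (no payload beyond the TLS handshake is sent), while the evaluation functions work on data you already hold, so they run offline. The port allow-list, the finding strings and the sample records are constructed assumptions.

```python
"""Added example: non-intrusive checks of externally observable attributes.
Illustrative code, not UpGuard's scanner. Network helpers only open a
connection and read what the server volunteers; the evaluation functions work
on data you already hold, so they run offline."""
import socket
import ssl
from datetime import datetime, timezone

# Assumed allow-list policy: a public web host is expected to expose only these.
EXPECTED_PORTS = {80, 443}


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection completes; nothing is sent on the socket."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unexpected_ports(open_ports, expected=EXPECTED_PORTS):
    """Open ports outside the allow-list, i.e. candidates for a deny rule."""
    return sorted(set(open_ports) - set(expected))


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Complete a normal TLS handshake and return the leaf cert as getpeercert() does."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_days_remaining(cert, now_iso=None):
    """Whole days until the cert's notAfter; negative means it has expired.
    cert["notAfter"] is the string getpeercert() returns, e.g.
    'Jun  1 12:00:00 2025 GMT'. now_iso (ISO-8601 with UTC offset) overrides
    the clock so the check is reproducible."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc)).timestamp()
    return int((not_after - now) // 86400)


def email_controls(domain, txt_records):
    """Summarise SPF and DMARC from TXT records keyed by record name.
    txt_records is a dict like {"example.com": [...], "_dmarc.example.com": [...]}
    holding what a resolver returned (or constructed data for testing)."""
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt_records.get("_dmarc." + domain, [])
             if r.upper().startswith("V=DMARC1")]
    findings = []

    spf_all = None
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records")   # RFC 7208 allows exactly one
    else:
        for term in spf[0].split()[1:]:           # skip the "v=spf1" tag
            t = term.lower()
            if t in ("all", "+all", "-all", "~all", "?all"):
                spf_all = "+all" if t == "all" else t   # bare "all" means "+all"
        if spf_all is None:
            findings.append("SPF has no 'all' mechanism")
        elif spf_all == "+all":
            findings.append("permissive SPF (+all)")

    dmarc_policy = None
    if not dmarc:
        findings.append("no DMARC record")
    else:
        for tag in dmarc[0].split(";"):
            key, _, value = tag.strip().partition("=")
            if key.strip().lower() == "p":
                dmarc_policy = value.strip().lower()
        if dmarc_policy == "none":
            findings.append("DMARC policy is none (monitor only)")
        elif dmarc_policy not in ("quarantine", "reject"):
            findings.append("DMARC record lacks a valid p= policy")

    return {"spf_all": spf_all, "dmarc_policy": dmarc_policy, "findings": findings}


if __name__ == "__main__":
    # Constructed sample data; swap in fetch_peer_cert(host) and live TXT lookups to use it.
    cert = {"notAfter": "Jun  1 12:00:00 2025 GMT"}
    print("cert days remaining:", cert_days_remaining(cert, "2025-05-02T12:00:00+00:00"))
    print("unexpected ports:", unexpected_ports([22, 80, 443, 8080]))
    print(email_controls("example.com", {"example.com": ["v=spf1 +all"]}))
```

Each function mirrors one attribute from the list above: `tcp_port_open` and `unexpected_ports` cover open ports against a deny-by-default policy, `fetch_peer_cert` and `cert_days_remaining` check that a certificate is current, and `email_controls` reads the same public TXT records an attacker or a rating service would see and flags missing or permissive SPF and DMARC.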

What threats can be identified through non-intrusive scanning?

UpGuard monitors for a variety of threat signals, including the following:

How frequently does UpGuard scan websites?

UpGuard conducts daily scanning. When UpGuard scans a website, we collect data from a variety of sources. Most updates are reflected within 24 hours of the rescan, but certain data (such as specific vulnerabilities and some TLS attributes) may take a few days to update. Some risks will update immediately.

You can additionally rescan your owned assets at any time. When you explicitly request a scan (by pressing the Rescan button), our system will schedule a port scan and the results will be visible within a day.

What happens if UpGuard scans a website that is in maintenance mode?

If UpGuard scans a domain that is in maintenance mode, the results are likely to differ from the live website, so the security rating and risks displayed within UpGuard for that day may change. UpGuard's security ratings are based on externally observable information, including open ports, TLS certificates, and DNS health, and the results of any security questionnaires.

If you believe that your assets were scanned during maintenance and you wish to update the information in our system, you can rescan your domain.

What happens if UpGuard scans a website that is unavailable?

If a scan occurs while a website is down and we receive no HTTP response, UpGuard will use the latest available information for the domain. If that data is deemed to be out of date, we will evaluate whether there are any open ports or MX records and, if not, we classify the domain as inactive. UpGuard scans inactive domains on a less frequent basis, as they are less likely to change.

For more information on inactive domains, read the article What's the difference between an active and inactive domain?

Why do some risks appear as informational?

Some risks cannot be automatically verified and are therefore categorized as informational. Informational risks do not impact the security rating. Risks that appear as informational are not scored because we are unable to verify that they pose a risk to the system. The domain owner is therefore responsible for verifying that the risks are applicable to their assets. Common examples include vulnerabilities and open ports.

When we identify vulnerabilities, we use information exposed in HTTP headers, website content, and open ports. Many of the vulnerabilities we detect are based on a specific software version known to have vulnerabilities. UpGuard identifies that the service is present but cannot always identify which version is in use. The domain owner will need to determine if the vulnerabilities apply to their assets. As such, these vulnerabilities appear as informational and aren't scored. In contrast, other vulnerabilities may have a specific test that we run to confirm their existence and exploitability. Verified vulnerabilities are scored and do not appear as informational.

Some ports are open and listening, which means the port accepts a connection and returns data, while other ports accept a connection but return nothing. When a port is open and listening, we are able to verify there is a service exposed and we can score the risk. In contrast, some ports are open but we were unable to detect a service listening on the port. These risks are not scored and are therefore informational.
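The two rules in the preceding paragraphs (a version inferred from a header is unverified, and a port that connects but never answers is unverified) can be expressed as a small classifier. The following is an added example written for this article, not UpGuard's code: the `Finding` type, the severity weights, the regular expression for a `Server` header, the `verified` flag standing in for a separate confirmation test, and the sample product `ExampleHTTPD` are all constructed assumptions.

```python
"""Added example: separating scored from informational findings.
Illustrative code, not UpGuard's; the severities, weights and sample
observations are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    title: str
    severity: str      # "info" marks an unverified finding
    scored: bool       # only scored findings affect the rating
    detail: str = ""


# Assumed weights per severity; informational findings carry none.
SEVERITY_WEIGHT = {"critical": 40, "high": 20, "medium": 10, "low": 5, "info": 0}

# Matches "Product/version" as commonly seen in a Server header; version is optional.
SERVER_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>\d[\w.]*))?")


def classify_port(port, connected, banner=""):
    """A port that connected and answered is verifiable; one that only connected is not."""
    if not connected:
        return None
    if banner.strip():
        return Finding(f"Port {port} open and listening", "medium", True,
                       detail=banner.strip()[:60])
    return Finding(f"Port {port} open", "info", False,
                   detail="no service response; owner should confirm exposure")


def classify_server_header(server_header, affected_versions, verified=False):
    """affected_versions maps a lower-cased product name to the set of versions
    with known issues (constructed). `verified` is the outcome of a separate
    confirmation test, when one exists; only then is the finding scored."""
    m = SERVER_RE.match(server_header.strip())
    if not m or m["product"].lower() not in affected_versions:
        return None
    product, version = m["product"], m["version"]
    if verified:
        return Finding(f"{product}: vulnerability confirmed", "high", True)
    if version is None:
        return Finding(f"{product} detected, version undisclosed", "info", False,
                       detail="cannot confirm the running version; owner must check")
    if version in affected_versions[product.lower()]:
        return Finding(f"{product} {version} has known vulnerabilities", "info", False,
                       detail="version inferred from a header, not verified")
    return None


def rating_impact(findings):
    """Total score deduction; informational findings contribute nothing."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings if f and f.scored)


if __name__ == "__main__":
    # Constructed observations for one host.
    affected = {"examplehttpd": {"1.2.3"}}
    findings = [
        classify_port(443, True, "HTTP/1.1 200 OK"),
        classify_port(8443, True, ""),
        classify_server_header("ExampleHTTPD/1.2.3 (Unix)", affected),
    ]
    for f in findings:
        print(f"[{'scored' if f.scored else 'info'}] {f.title}: {f.detail}")
    print("rating impact:", rating_impact(findings))
```

The point the code makes is that `scored` is set only where the scanner has direct evidence (a banner came back, or a confirmation test passed); everything inferred from a product name or a bare connection stays at severity `info` and is excluded by `rating_impact`, which is why those items sit in the informational list for the asset owner to verify.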

What are provisional risks?

As part of the release process for new risks that affect your security rating, UpGuard first publishes them in a "provisional" state so that users can take action before they affect your security rating. Provisional risks include "provisional" in the title so that you can easily filter exports to just these risks and take any remediating action before the risks are released generally.

When a risk is in its provisional period, you will be able to see it in the Risk Profile and on any affected Domains or IPs, as with other risks. Provisional risks include the severity and actual versus expected values detected on each asset. After the provisional period, these risks will be updated to include score impacts and otherwise appear and operate like other risks.

Customers are notified when provisional risks are added so that you can take action and examine how they will affect your profile. You will receive a second notification when those risks are updated to include score impacts. Any other particular information relating to the risks will also be communicated to customers through email.

How does UpGuard collect data for its security ratings?

UpGuard conducts extensive data collection and assesses threat signals from trusted commercial, open-source, and proprietary sources, as well as risks identified through security questionnaires and risk assessments conducted within the UpGuard platform. Our scanning practices are non-intrusive, and we do not attempt any system compromise. For more information about our data collection practices, read the article How does UpGuard collect data for its security ratings?

What scoring system does UpGuard use for vulnerability severity?

UpGuard uses the Common Vulnerability Scoring System (CVSS) from the NIST National Vulnerability Database to assign the severity of vulnerabilities. To learn more about the CVSS system, read the article What scoring system does UpGuard use for vulnerability severity?

What services does UpGuard identify with port scanning?

UpGuard scans for open ports and non-standard ports and, once found, identifies the service running on that port. For more information about which services UpGuard identifies, read the article What services does UpGuard identify with port scanning?