How CSTAR Works

Last updated by UpGuard on September 11, 2018

With the rate of data breaches increasing, along with the risks associated with third-party suppliers, the cyber insurance industry has been experiencing significant growing pains. Cyber risk determination had historically been done with employee surveys or contextual information about industries at larger. Without reliable data on an organization’s actual working state, many insurers came to realize there was no way to formulate a fair and accurate cyber insurance policy, especially for more complex and ever-changing IT environments. The CSTAR score is a single, easy-to-understand value representing an organization's aptitude in the areas of compliance, integrity, and security. All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform.cstarimagev2.jpg


The compliance segment measures an organization's ability to maintain its systems in a resilient state. First, UpGuard scores test coverage; without testing, there is no way to know that a system is misconfigured. Users can increase their test coverage by writing custom policies or choosing from UpGuard's content library. The more test coverage, the better the compliance score. Second, UpGuard calculates the pass rate for those tests. A high compliance score means the organization does a good job ensuring their servers, cloud services, and network devices are configured correctly.


The integrity score measures an organization's ability to validate change. UpGuard documents every change within an auditable system of record, then looks at how many of those changes were found to be valid via testing. The distinction between compliance and integrity is worth noting. Compliance testing regards those items which change rarely if at all. Verifying the changes that do occur are good is another problem entirely, which we isolate in the integrity score.

The security score measures an organization's ability to detect and remediate vulnerabilities. UpGuard maintains an updated database of information about known software vulnerabilities from top security organizations around the world, and uses that information to determine which systems and software packages may be at risk. The number and severity of discovered vulnerabilities, along with the frequency of vulnerability scans, are used to calculate the overall security score of the system. Over time, as vulnerabilities are discovered and removed, the security score will also reflect an organization's time to patch.

Validation at Every Scale

The UpGuard platform enables a user to trace changes in the CSTAR score down to the smallest building blocks of information technology. Looking at the bird's eye view of the organization as a whole all the way down to every configuration setting within every file is the only way to make an informed assessment of an organization's preparedness. As effect of this is that minor misconfigurations-- and the real risk they pose to the business-- are surfaced immediately in their negative impact on the CSTAR score.


For every system there is some ideal configuration that combines operational efficacy and security hardening. Over time, that desired state changes as new security patches are required and new software features are released. Balancing change and stability is the mandate of digitally resilient businesses. CSTAR puts the essential measures of such a business-- compliance with regulatory and operational policies, integrity in change management, security against emerging and old threats-- in one place at the center of your business.

We make it easy to get started on the path to digital resilience-- contact our specialists to see how easy an UpGuard rollout can be and how simple it is to integrate UpGuard into your current workflows.

Protect my assets now