How UpGuard Security Ratings Work
Learn how UpGuard security ratings work and why you should use them to monitor the security posture of your organization as well as your third-party vendors.
Data Collection
- UpGuard’s proprietary scanning infrastructure monitors & collects billions of data points daily through trusted commercial, open-source, and proprietary methods. Our focus is on non-invasive, passive data collection, which can be uniquely performed at scale and on-demand.
- Our in-house security research team is constantly looking for new checks over time, which means we update our rating algorithm from time to time to better reflect what we consider to be a best-in-class security posture.
Rating Algorithm
Rating
- Once collected or updated, all of our checks are fed into our proprietary rating algorithm to produce a security rating out of 950 for all of an organization’s internet-facing web properties.
- The rating algorithm is subtractive. Web properties start with a rating of 950 and have points subtracted for each check they fail. The number of points deducted is based on the severity and weight of the underlying risk.
- To produce an organization's overall security rating, we calculate a Gaussian weighted average of all individual asset scores, where lower scores are given the most weight.
Gaussian Weighted Mean
- The Gaussian Weighted Mean approach to scoring reflects the reality that an organization's security is only as strong as its weakest link.
- The aggregation method is a weighted mean that gives higher weights to scores at the bottom of the distribution based on the Gaussian kernel.
- As shown in the illustration, the weight is the highest at the minimum score and declines gradually as the score increases; the maximum score receives almost zero weight.
Severity Classification
Severity
Description
Critical Risks
Risks or vulnerabilities that place the business at immediate risk of data breaches.
High Risks
Severe risks that should be addressed immediately to protect the business.
Medium Risks
Unnecessary security risks that can lead to more serious vulnerabilities.
Low Risks
Areas of improvement to reduce risk and improve the businesses’ cyber security rating.
Why UpGuard security ratings?
- Adhere to the Principles for Fair and Accurate Security Ratings
- Quantitative measure of cyber risk
- Dynamic indicator of an organization’s security posture
- Show changes in ratings between any given time periods
- Continuously monitor billions of data points across millions of companies
- Incorporate risks from security questionnaires
- Run on a non-intrusive security engine
- Enables objective comparison of your cybersecurity performance against competitors
- Facilitates clear communication and understanding of risk at the board and executive level
Identification and assessment of risks
- The risks that comprise our ratings are based on industry best practices, standards, and frameworks such as OWASP, CVSS, ISO27001, and NIST CSF, and more
- Severity and risk weightings are based on the complexity of exploits and their associated impact
Risk Categorization
- There are a total of six categories in the current evaluation system, as shown.
- Each category is associated with various checks that carry fixed weights/costs
- If a website fails one of those checks, it will lose score for that category.
Understanding UpGuard Security Ratings
Organization has a robust security posture and good attack surface management.
Organization has basic security controls in place but could have large gaps in their security posture.
Organization has poor security controls and has serious issues that need to be addressed.
Organization has severe security issues that need to be addressed and should not process any sensitive data.
Organization has not invested in basic security controls.
Free instant security score
How secure is your organization?
