Learn how UpGuard security ratings work and why you should use them to monitor the security posture of your organization as well as your third-party vendors.
UpGuard’s proprietary scanning infrastructure monitors and collects billions of data points daily through trusted commercial, open-source, and proprietary methods. Our focus is on non-invasive, passive data collection, which is what allows the collection to be performed at scale and on demand.
Our in-house security research team continually develops new checks, so we update our rating algorithm from time to time to better reflect what we consider a best-in-class security posture.
Once collected or updated, all of our checks are fed into our proprietary rating algorithm to produce a security rating out of 950 for all of an organization’s internet-facing web properties.
The rating algorithm is subtractive. Web properties start with a rating of 950 and have points subtracted for each check they fail. The number of points deducted is based on the severity and weight of the underlying risk.
To produce an organization's overall security rating, we calculate a Gaussian weighted average of all individual asset scores, where lower scores are given the most weight.
Gaussian Weighted Mean
The Gaussian Weighted Mean approach to scoring reflects the reality that an organization's security is only as strong as its weakest link.
The aggregation method is a weighted mean that gives higher weights to scores at the bottom of the distribution based on the Gaussian kernel.
As shown in the illustration, the weight is the highest at the minimum score and declines gradually as the score increases; the maximum score receives almost zero weight.
Risks or vulnerabilities that place the business at immediate risk of data breaches.
Severe risks that should be addressed immediately to protect the business.
Unnecessary security risks that can lead to more serious vulnerabilities.
Areas of improvement that reduce risk and raise the business's cybersecurity rating.
A dynamic indicator of an organization’s security posture
Shows changes in ratings between any two points in time
Continuously monitors billions of data points across millions of companies
Incorporates risks from security questionnaires
Runs on a non-intrusive security engine
Enables objective comparison of your cybersecurity performance against competitors
Facilitates clear communication and understanding of risk at the board and executive level
Identification and assessment of risks
The risks that make up our ratings are drawn from industry best practices, standards, and frameworks such as OWASP, CVSS, ISO 27001, and NIST CSF, among others.
Severity and risk weightings are based on how complex a risk is to exploit and the impact of a successful exploit.
There are six categories in the current evaluation system, as shown.
Each category is associated with a set of checks that carry fixed weights (point costs).
If a website fails one of those checks, it loses points in that category.
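The two mechanisms described above, the subtractive per-asset score built from fixed-cost checks grouped into categories and the Gaussian weighted mean that rolls asset scores up into an organization rating, can be seen end to end in the following added example. This is illustrative code written for this page, not UpGuard's rating engine: the check names, their categories and point costs, the sample assets, and the kernel bandwidth are all constructed assumptions, and the real algorithm's weights and kernel parameters are not published here.

```python
import math

MAX_SCORE = 950  # every web property starts here and loses points per failed check

# Constructed catalogue of checks: name -> (category, fixed point cost).
# Categories and costs are illustrative assumptions, not UpGuard's real values.
CHECKS = {
    "tls_expired_certificate": ("website", 120),
    "hsts_missing":            ("website", 40),
    "http_only":               ("website", 80),
    "spf_missing":             ("email", 60),
    "dmarc_missing":           ("email", 60),
    "open_database_port":      ("network", 200),
}


def asset_score(failed_checks, max_score=MAX_SCORE):
    """Subtractive per-asset rating: start at max_score, deduct the fixed
    cost of every failed check, and never go below zero."""
    deduction = sum(CHECKS[name][1] for name in failed_checks)
    return max(0, max_score - deduction)


def category_losses(failed_checks):
    """Points lost per category for one asset, so a report can show which
    category (website, email, network, ...) is dragging the score down."""
    losses = {}
    for name in failed_checks:
        category, cost = CHECKS[name]
        losses[category] = losses.get(category, 0) + cost
    return losses


def kernel_weights(scores, bandwidth=100.0):
    """Gaussian kernel centred on the minimum score: the weakest asset gets
    weight 1.0, weights fall off with distance from it, and the best asset
    ends up with near-zero weight. bandwidth is an assumed tuning parameter."""
    lowest = min(scores)
    return [math.exp(-((s - lowest) ** 2) / (2.0 * bandwidth ** 2)) for s in scores]


def gaussian_weighted_mean(scores, bandwidth=100.0):
    """Weighted mean of asset scores using the kernel above, so the
    organization rating tracks its weakest link rather than its average."""
    if not scores:
        raise ValueError("need at least one asset score")
    weights = kernel_weights(scores, bandwidth)
    return sum(w * s for w, s in zip(weights, scores)) / sum(weights)


def organization_rating(assets, bandwidth=100.0):
    """assets: {asset_name: [failed check names]} -> rounded overall rating."""
    scores = [asset_score(failed) for failed in assets.values()]
    return round(gaussian_weighted_mean(scores, bandwidth))


# Constructed sample organization with three internet-facing assets.
SAMPLE_ASSETS = {
    "www.example.com":    ["hsts_missing"],                                   # 910
    "mail.example.com":   ["spf_missing", "dmarc_missing"],                   # 830
    "legacy.example.com": ["open_database_port", "http_only",
                           "tls_expired_certificate"],                        # 550
}

if __name__ == "__main__":
    scores = [asset_score(failed) for failed in SAMPLE_ASSETS.values()]
    print("asset scores:", scores)
    print("plain average:", round(sum(scores) / len(scores)))
    print("gaussian weighted rating:", organization_rating(SAMPLE_ASSETS))
    print("legacy losses by category:",
          category_losses(SAMPLE_ASSETS["legacy.example.com"]))
```

With these assumed values the three assets score 910, 830 and 550. A plain average would report 763, while the Gaussian weighted mean lands at about 556, only a few points above the weakest asset, which is exactly the "weakest link" behaviour the text describes. Shrinking the bandwidth pulls the rating even closer to the minimum; widening it moves it toward the plain average.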
Understanding UpGuard Security Ratings
Very low risk of a data breach in the immediate future; organizations in this range have strong competencies in creating, adopting, and implementing security policies.
Low to medium risk of a data breach in the immediate future; organizations refer to best-practice frameworks for security policies and dedicate financial and human resources to implementing them, but application may be inconsistent across digital surfaces.
Medium to high risk of a data breach in the immediate future; the organization may already have been breached in the last year, or may be continuously compromised without being aware of it.
High risk of being breached in the immediate future, or the organization has already been breached.
Organizations in this range have multiple points of entry for a breach. An organization in any sector that falls in this range does not dedicate anything close to the appropriate level of resources to security.