Security Ratings

Security ratings are a data-driven, objective, and dynamic measurement of an organization's security posture.
Abstract shapeAbstract shape

How UpGuard Security Ratings Work

Learn how UpGuard security ratings work and why you should use them to monitor the security posture of your organization as well as your third-party vendors.
UpGuard vendor portfolio risk profile

Data Collection

  • UpGuard’s proprietary scanning infrastructure monitors & collects billions of data points daily through trusted commercial, open-source, and proprietary methods. Our focus is on non-invasive, passive data collection, which can be uniquely performed at scale and on-demand.
  • Our in-house security research team is constantly looking for new checks over time, which means we update our rating algorithm from time to time to better reflect what we consider to be a best-in-class security posture.

Rating Algorithm

UpGuard security questionnairesAbstract shape

Rating

  • Once collected or updated, all of our checks are  fed into our proprietary rating algorithm to produce a security rating out of 950 for all of an organization’s internet-facing web properties.
  • The rating algorithm is subtractive. Web properties start with a rating of 950 and have points subtracted for each check they fail. The number of points deducted is based on the severity and weight of the underlying risk.
  • To produce an organization's overall security rating, we calculate a Gaussian weighted average of all individual asset scores, where lower scores are given the most weight.
UpGuard vendor portfolio risk profile

Gaussian Weighted Mean

  • The Gaussian Weighted Mean approach to scoring reflects the reality that an organization's security is only as strong as its weakest link.
  • The aggregation method is a weighted mean that gives higher weights to scores at the bottom of the distribution based on the Gaussian kernel.
  • As shown in the illustration, the weight is the highest at the minimum score and declines gradually as the score increases; the maximum score receives almost zero weight.

Severity Classification

Severity
Description
Critical Risks
Risks or vulnerabilities that place the business at immediate risk of data breaches.
High Risks
Severe risks that should be addressed immediately to protect the business.
Medium Risks
Unnecessary security risks that can lead to more serious vulnerabilities.
Low Risks
Areas of improvement to reduce risk and improve the businesses’ cyber security rating.
UpGuard managed vendor

Why UpGuard security ratings?

  • Adhere to the Principles for Fair and Accurate Security Ratings
  • Quantitative measure of cyber risk
  • Dynamic indicator of an organization’s security posture
  • Show changes in ratings between any given time periods
  • Continuously monitor billions of data points across millions of companies
  • Incorporate risks from security questionnaires
  • Run on a non-intrusive security engine
  • Enables objective comparison of your cybersecurity performance against competitors
  • Facilitates clear communication and understanding of risk at the board and executive level

Identification and assessment of risks

  • The risks that comprise our ratings are based on industry best practices, standards, and frameworks such as OWASP, CVSS, ISO27001, and NIST CSF, and more
  • Severity and risk weightings are based on the complexity of exploits and their associated impact
UpGuard security questionnairesAbstract shape

Risk Categorization

  • There are a total of six categories in the current evaluation system, as shown.
  • Each category is associated with various checks that carry fixed weights/costs
  • If a website fails one of those checks, it will lose score for that category.

Understanding UpGuard Security Ratings

801-950
Absolute low risk for a data breach in the immediate future; organizations possess strong competencies in creating, adopting, and implementing strong security policies.
601-800
Low to medium risk of a data breach in the immediate future; organizations refer to best practice frameworks for security policies and dedicate financial and human resources to implement them, but they may be inconsistently applied across digital surfaces
401-600
Medium to high risk of a data breach in the immediate future; may have already been breached in the last year or are continuously compromised and are unaware
201-400
High risk of being breached in the immediate future or that this organization has already been breached
0-200
Organizations in this range will have multiple points of entry for breach. Any organization in any sector of business in this range does not dedicate close to the appropriate amount of resources to security.
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape