Security ratings

Security ratings are a data-driven, objective, and dynamic measurement of an organization's security posture.

How UpGuard security ratings work

Learn how UpGuard security ratings work and why you should use them to monitor the security posture of your organization and of your third-party vendors.

Data collection

  • UpGuard’s proprietary scanning infrastructure monitors and collects billions of data points daily through trusted commercial, open-source, and proprietary methods. Our focus is on non-invasive, passive data collection, which can be performed at scale and on demand.
  • Our in-house security research team continually adds new checks, so we update the rating algorithm periodically to better reflect what we consider a best-in-class security posture.

Rating algorithm

  • Once collected or updated, all of our checks are fed into our proprietary rating algorithm to produce a security rating out of 950 for all of an organization’s internet-facing web properties.
  • The rating algorithm is subtractive. Web properties start with a rating of 950 and have points subtracted for each check they fail. The number of points deducted is based on the severity and weight of the underlying risk.
  • To produce an organization's overall security rating, we calculate a Gaussian weighted average of all individual asset scores, where lower scores are given the most weight.

Gaussian Weighted Mean

  • The Gaussian Weighted Mean approach to scoring reflects the reality that an organization's security is only as strong as its weakest link.
  • The aggregation method is a weighted mean that gives higher weights to scores at the bottom of the distribution based on the Gaussian kernel.
  • As shown in the illustration, the weight is the highest at the minimum score and declines gradually as the score increases; the maximum score receives almost zero weight.
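The two steps above, subtractive per-asset scoring followed by a Gaussian-weighted aggregate that lets the weakest asset dominate, as an added illustration that is not UpGuard's own code. The check costs, host names, and the kernel bandwidth of 150 points are assumptions, since the page does not publish them.

```python
import math

MAX_RATING = 950

# Constructed sample: each asset maps to the point costs of the checks it fails.
# Values are illustrative only, not UpGuard's real check weights.
SAMPLE_ASSETS = {
    "www.example.com": [],                  # passes every check
    "api.example.com": [40, 60],            # two lower-severity findings
    "legacy.example.com": [120, 180, 250],  # several severe findings
}


def asset_rating(failed_check_costs):
    """Subtractive scoring: start at 950, deduct each failed check, floor at 0."""
    return max(0, MAX_RATING - sum(failed_check_costs))


def kernel_weights(scores, bandwidth=150.0):
    """Gaussian kernel centred on the minimum score: weight 1 at the weakest
    asset, decaying towards ~0 as scores move away from it."""
    if not scores:
        raise ValueError("at least one asset score is required")
    lo = min(scores)
    return [math.exp(-((s - lo) ** 2) / (2 * bandwidth ** 2)) for s in scores]


def gaussian_weighted_mean(scores, bandwidth=150.0):
    """Weighted mean of asset scores using the kernel weights above."""
    weights = kernel_weights(scores, bandwidth)
    return sum(w * s for w, s in zip(weights, scores)) / sum(weights)


def organisation_rating(assets, bandwidth=150.0):
    """Score every asset, then aggregate; returns (asset_scores, org_rating)."""
    asset_scores = {name: asset_rating(costs) for name, costs in assets.items()}
    return asset_scores, gaussian_weighted_mean(list(asset_scores.values()), bandwidth)


if __name__ == "__main__":
    scores, org = organisation_rating(SAMPLE_ASSETS)
    plain = sum(scores.values()) / len(scores)
    for name, s in scores.items():
        print(f"{name:20s} {s:4d}")
    # The weakest asset (400) pulls the aggregate far below the plain mean (~733).
    print(f"plain mean: {plain:.1f}   gaussian-weighted: {org:.1f}")
```

Run with a lower bandwidth to make the rating track the weakest asset even more tightly; a higher one moves it back towards the plain average.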

Severity Classification

Why UpGuard security ratings?

  • Adhere to the Principles for Fair and Accurate Security Ratings
  • Provide a quantitative measure of cyber risk
  • Serve as a dynamic indicator of an organization’s security posture
  • Show changes in ratings between any two points in time
  • Draw on continuous monitoring of billions of data points across millions of companies
  • Incorporate risks from security questionnaires
  • Run on a non-intrusive security engine
  • Enable objective comparison of your cybersecurity performance against competitors
  • Facilitate clear communication and understanding of risk at the board and executive level

Identification and assessment of risks

  • The risks that comprise our ratings are based on industry best practices, standards, and frameworks, including OWASP, CVSS, ISO 27001, and the NIST CSF.
  • Severity and risk weightings are based on how complex a risk is to exploit and the impact if it is exploited.

Risk Categorization

  • There are a total of ten categories in the current evaluation system, as shown.
  • Each category is associated with various checks, each of which carries a fixed weight (cost).
  • If a website fails one of those checks, it loses points in that category.
