Security Ratings

Security ratings are a data-driven, objective, and dynamic measurement of an organization's security posture.

How UpGuard Security Ratings Work

Learn how UpGuard security ratings work and why you should use them to monitor the security posture of your organization as well as your third-party vendors.

Data Collection

  • UpGuard’s proprietary scanning infrastructure monitors and collects billions of data points daily through trusted commercial, open-source, and proprietary methods. The focus is on non-invasive, passive data collection, which can be performed at scale and on demand.
  • Our in-house security research team continually adds new checks, so the rating algorithm is updated periodically to better reflect what we consider a best-in-class security posture.

Rating Algorithm


Rating

  • Once collected or updated, all of our checks are fed into our proprietary rating algorithm to produce a security rating out of 950 for each of an organization’s internet-facing web properties.
  • The rating algorithm is subtractive. Each web property starts with a rating of 950 and has points subtracted for each check it fails. The number of points deducted depends on the severity and weight of the underlying risk.
  • To produce an organization's overall security rating, we calculate a Gaussian weighted average of all individual asset scores, in which the lowest scores carry the most weight.

Gaussian Weighted Mean

  • The Gaussian Weighted Mean approach to scoring reflects the reality that an organization's security is only as strong as its weakest link.
  • The aggregation method is a weighted mean that gives higher weights to scores at the bottom of the distribution based on the Gaussian kernel.
  • As shown in the illustration, the weight is the highest at the minimum score and declines gradually as the score increases; the maximum score receives almost zero weight.
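The two steps above (a subtractive per-asset score, then a Gaussian weighted mean that favours the weakest asset) are illustrated in the following Python example. It is an added example, not UpGuard's code: the check names and point costs, the kernel centred on the minimum score, and the bandwidth sigma are all assumptions, since the page publishes neither the check catalogue nor the kernel parameters. The rating bands come from the "Understanding UpGuard Security Ratings" section of this page.

```python
import math

MAX_SCORE = 950  # every web property starts here (from the page)

# Hypothetical check catalogue. The page says each check carries a fixed
# weight/cost tied to severity; these names, severities and point costs are
# constructed for illustration and are not UpGuard's published values.
CHECKS = {
    "open_rdp_port":            ("Critical", 200),
    "tls_certificate_expired":  ("High", 120),
    "dmarc_not_enforced":       ("Medium", 60),
    "hsts_missing":             ("Medium", 40),
    "csp_missing":              ("Low", 30),
}


def asset_score(failed_checks):
    """Subtractive per-asset rating: start at MAX_SCORE and deduct the cost
    of every failed check, never dropping below zero."""
    deducted = sum(CHECKS[name][1] for name in failed_checks)
    return max(0, MAX_SCORE - deducted)


def gaussian_weights(scores, sigma):
    """Gaussian kernel centred on the minimum score (an assumption): the
    weakest asset gets weight 1.0 and the weight decays as an asset's score
    rises above it, so the best asset ends up with almost no weight."""
    lo = min(scores)
    return [math.exp(-((s - lo) ** 2) / (2.0 * sigma ** 2)) for s in scores]


def gaussian_weighted_mean(scores, sigma=100.0):
    """Weighted mean of asset scores using the kernel above. sigma (in rating
    points) is an assumed bandwidth; the page does not publish UpGuard's."""
    weights = gaussian_weights(scores, sigma)
    return sum(w * s for w, s in zip(weights, scores)) / sum(weights)


def rating_band(score):
    """Map an overall rating to the bands described on the page."""
    if score > 800:
        return "801-950"
    if score > 600:
        return "601-800"
    if score > 400:
        return "401-600"
    if score > 200:
        return "201-400"
    return "0-200"


def organization_rating(portfolio, sigma=100.0):
    """Score every asset, aggregate with the Gaussian weighted mean and return
    (overall rating, plain arithmetic mean for comparison, per-asset scores)."""
    per_asset = {host: asset_score(failed) for host, failed in portfolio.items()}
    scores = list(per_asset.values())
    overall = round(gaussian_weighted_mean(scores, sigma))
    plain = round(sum(scores) / len(scores))
    return overall, plain, per_asset


# Constructed sample portfolio: three internet-facing properties of one org.
SAMPLE_PORTFOLIO = {
    "www.example.com":    ["csp_missing"],
    "mail.example.com":   ["dmarc_not_enforced", "hsts_missing"],
    "legacy.example.com": ["open_rdp_port", "tls_certificate_expired"],
}

if __name__ == "__main__":
    overall, plain, per_asset = organization_rating(SAMPLE_PORTFOLIO)
    for host, score in per_asset.items():
        print(f"{host:22s} {score}")
    print(f"plain mean        {plain}")
    print(f"gaussian weighted {overall}  band {rating_band(overall)}")
```

With the constructed portfolio the three assets score 920, 850 and 630. A plain average would report 800, at the top of the "basic controls" band, while the Gaussian weighted mean lands around 650 because the legacy host with the open RDP port and expired certificate dominates the weighting. That gap is the point of the "weakest link" aggregation: one badly exposed asset pulls the organization's rating down even when the rest of the estate is in good shape.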

Severity Classification

Severity: Description

Critical Risks: Risks or vulnerabilities that place the business at immediate risk of data breaches.
High Risks: Severe risks that should be addressed immediately to protect the business.
Medium Risks: Unnecessary security risks that can lead to more serious vulnerabilities.
Low Risks: Areas of improvement to reduce risk and improve the business's cybersecurity rating.

Why UpGuard security ratings?

  • Adhere to the Principles for Fair and Accurate Security Ratings
  • Provide a quantitative measure of cyber risk
  • Act as a dynamic indicator of an organization’s security posture
  • Show changes in ratings between any two points in time
  • Continuously monitor billions of data points across millions of companies
  • Incorporate risks identified through security questionnaires
  • Run on a non-intrusive security engine
  • Enable objective comparison of your cybersecurity performance against competitors
  • Facilitate clear communication and understanding of risk at the board and executive level

Identification and assessment of risks

  • The risks that comprise our ratings are based on industry best practices, standards, and frameworks, including OWASP, CVSS, ISO 27001, and NIST CSF.
  • Severity and risk weightings are based on the complexity of the corresponding exploits and their associated impact.

Risk Categorization

  • There are a total of ten categories in the current evaluation system, as shown in the accompanying illustration.
  • Each category is associated with various checks that carry fixed weights (point costs).
  • If a website fails one of those checks, it loses points in that category.

Understanding UpGuard Security Ratings

801-950: The organization has a robust security posture and good attack surface management.
601-800: The organization has basic security controls in place but could have large gaps in its security posture.
401-600: The organization has poor security controls and serious issues that need to be addressed.
201-400: The organization has severe security issues that need to be addressed and should not process any sensitive data.
0-200: The organization has not invested in basic security controls.

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Instant insights you can act on immediately
  • Hundreds of risk factors, including email security, SSL, DNS health, open ports, and common vulnerabilities