How are Bitsight Security Ratings Calculated? Ingrid For each rated organization, we intelligently identify and classify behaviors emanating from that organization’s network assets, including communication with Command and Control Server (C&C or C2 Server), participation in a Distributed Denial-of-Service (DDoS) attack, malware distribution, network scanning, and email attacks. The machines participating in these behaviors are generally under the control of external adversaries. While these behaviors may not equate to data loss, each is evidence of a compromise. Evidence from sensors deployed across the globe is collected daily. Each individual security event is analyzed for confidence, severity, and duration, and then mapped to a specific organization.We also gather and analyze data for security issues with Internet communications (open ports, encryption settings, e-mail, etc.), software on endpoint devices and infrastructure (currency of versions, vulnerability remediation practices, etc.), as well as published applications (both web and mobile).In addition, we gather externally observable configuration information on rated organizations.Example: We may include analysis of Sender Policy Framework (SPF) records, Transport Security Layer / Secure Sockets Layer (TLS/SSL), and DomainKeys Identified Mail (DKIM) signatures. Failure to use best practices increases risk and therefore negatively impacts a company’s security rating.The following bullets are jump links to help you find information faster. Click any of the 5 options below to navigate directly to that content. Jump to:⬇️ Algorithm ⬇️ Risk Category Weights⬇️ Letter Grades⬇️ Finding Grades⬇️ NormalizationWe do not engage in any hacking or any intrusive network penetration testing. Our collected data is externally observed from various sources in the public internet. It is available to anyone who chooses to collect it and has the technological capabilities to do so.AlgorithmBitsight Security Ratings are calculated daily using a proprietary algorithm that examines two classes of externally observable data – configuration and security events. Security effectiveness is assessed across the following risk categories: Compromised Systems Diligence User Behavior Public Disclosures The ratings algorithm accounts for the following elements: Number and Type(s) of Compromised Systems: Data is classified into risk vector types and factored into an organization‘s security rating accordingly. Event Duration: Calculates the time between when the compromised system was first observed and when it was last seen. Diligence Configurations: Shows steps an organization has taken to prevent attacks. Similar to Compromised Systems, data is classified into risk vector types and factored into an organization‘s security rating accordingly. Security ratings are the results of the aggregation of all risk vector letter grades (with different weights) that are normalized for that company.Learn more about the rationale for rating thresholds and why security ratings may fluctuate.Risk Category WeightsRisk categories are weighted as follows: Compromised Systems = 27% Diligence = 70.5% User Behavior = 2.5% Public Disclosures = Weighted only if they occur. Letter GradesLetter grades provide a quick way to understand how a company is performing in each risk type and also provides a meaningful way to compare risk type performance of one company to another.Letter grades are directly correlated to how well a company is performing, relative to all companies in the Bitsight inventory. Below is a table that outlines how each grade correlates to their performance, relative to their company size.Individual Company Reports provide greater precision than letter grades. A In the top 10% of companies. B In the top 30% of companies. C In the top 60% of companies. D In the bottom 40% of companies. F In the bottom 20% of companies. N/A This grade has no correlation with how a company is performing. If a letter grade is “N/A” (Not Available), it may be because: The risk vector is “informational.” The grade defaults to it, in the absence of findings. The risk vector is going through an evaluation period before having an impact on the rating. Finding GradesDiligence findings are graded as GOOD, FAIR, WARN, BAD, or NEUTRAL based on inherent risk and if best practices can be improved upon. These finding grades contribute towards the letter grade of the risk vector. GOOD Low risk, aligned with best practices. These have a significantly positive impact on the letter grade. What should I do with my good findings? Further action is not required. FAIR Light risk and some opportunity to achieve best practices. These have a minor negative impact or no impact on the letter grade depending on the risk vector. What should I do with my fair findings? There is some opportunity to achieve best practices. Review the finding details. WARN Moderate risk and departure from best practices. These have a moderately negative impact on the letter grade. What should I do with my warn findings? Review the finding details. BAD Significant risk and departure from best practices. These have a significantly negative impact on the letter grade. What should I do with my bad findings? Review the finding details. NEUTRAL Observed data with neither positive nor negative risk. This does not positively or negatively impact the letter grade. What should I do with my neutral findings? Further action is not required. N/A Finding grades are not applicable (N/A) to Compromised Systems and User Behavior. NormalizationLarge companies will typically have more findings than smaller companies. To ensure ratings are calculated in a way that doesn't unfairly penalize large companies, we normalize ratings based on the size of an organization. We compare organizations using applicable notions of size -- e.g. employee count, magnitude of digital footprint, overall count of observations, etc. -- to quantify the attack surface.Frequently Asked QuestionsAre all findings of a given company displayed?For most companies, findings throughout the past 1 year are shown and a complete list can be obtained through the Bitsight API. Companies with over 10 million findings have a sampled view of their findings, meaning that not all of them are visible in the platform.What do sharp changes in a rating mean?Sudden drops in rating can occur due to publicly disclosed Security Incidents, an increase in Compromised Systems events, or poorly configured Diligence findings. Improvements in ratings are due to either many simultaneously resolved events or updates to Diligence findings. Any decreases of 10 points or greater are highlighted in a company‘s Overview page, next to its 1-year historical trend graph.When is a security rating impacted?Depending on the risk type, they continue to impact the rating over a decay period, or until Bitsight is able to confirm the risk is no longer present due to remediation or decommissioning of the associated asset(s).Please refer to the lifetime, duration, and decay of the following findings: The duration of Compromised System events The impact & lifetime of Diligence findings The lifetime of File Sharing events The severity & decay of Security Incident events Download the PDF: Ratings Methodology (ver. 05-JAN-2026) December 19, 2025: Updated language for clarity. September 5, 2025: Updated PDF. April 15, 2025: Identified risk vectors with impactful finding grades. February 13, 2025: Recommendations for finding grades. October 29, 2024: Findings for most companies are no longer sampled. All findings for monitored companies are visible in Bitsight. Related articles What is a Bitsight Security Rating? Finding Behavior TLS/SSL Finding Remediation & Remediation Verification Vulnerability Severity: Bitsight Severity & CVSS Marsh McLennan Study: Correlation Between Bitsight Analytics and Cybersecurity Incidents Feedback 0 comments Please sign in to leave a comment.