For each rated organization, we intelligently identify and classify behaviors emanating from that organization’s network assets, including communication with Command and Control Server (C&C or C2 Server), participation in a Distributed Denial-of-Service (DDoS) attack, malware distribution, network scanning, and email attacks. The machines participating in these behaviors are generally under the control of external adversaries. While these behaviors may not equate to data loss, each is evidence of a compromise. Evidence from sensors deployed across the globe is collected daily. Each individual security event is analyzed for confidence, severity, and duration, and then mapped to a specific organization.
In addition, we gather externally observable configuration information on rated organizations.
Example: We may include analysis of Sender Policy Framework (SPF) records, Secure Sockets Layer/Transport Layer Security (SSL/TLS) configuration, and DomainKeys Identified Mail (DKIM) key records. Failure to follow best practices in these configurations increases risk and therefore negatively impacts a company's security rating.
We do not engage in any hacking or any intrusive network penetration testing. Our collected data is externally observed from various sources in the public internet. It is available to anyone who chooses to collect it and has the technological capabilities to do so.
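As an added illustration of the externally observable configuration checks described above, the Python below parses SPF and DKIM TXT records the way an outside observer can from public DNS alone. This is example code written for this page, not Bitsight's collection or scoring code. The record strings are constructed inline so it runs offline; the lookup limit and deprecated-mechanism rules come from RFC 7208, the key-size threshold from RFC 8301, and the GOOD, FAIR, WARN and BAD labels reuse the page's vocabulary with thresholds that are this example's own assumptions, not Bitsight's.

```python
"""Added example (not Bitsight code): externally observable SPF and DKIM checks
made from public DNS TXT data only. Records are constructed inline so it runs
offline; grade words reuse the page's vocabulary, thresholds are illustrative."""
import base64
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s4.6.4
MAX_LOOKUPS = 10                                                     # same section


def assess_spf(txt: str) -> dict:
    """Parse one SPF record. Includes are not followed (that needs DNS), so the
    lookup count is a lower bound on what a real evaluation would spend."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"all": None, "lookups": 0, "issues": ["not an SPF record"], "grade": "BAD"}
    issues, lookups, all_qual = [], 0, None
    for term in terms[1:]:
        qual = "+"                                    # default qualifier is pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if all_qual is not None and "=" not in term:  # mechanisms after 'all' never run
            issues.append(f"'{term}' after 'all' is never evaluated (RFC 7208 s5.1)")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr mechanism is deprecated (RFC 7208 s5.5)")
        if name == "all":
            all_qual = qual
    if lookups > MAX_LOOKUPS:
        issues.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    if all_qual is None:
        issues.append("no 'all' term: unmatched senders get a neutral result")
    elif all_qual == "+":
        issues.append("'+all' authorises every sender on the internet")
    grade = ("BAD" if all_qual == "+" or lookups > MAX_LOOKUPS   # illustrative scale
             else "WARN" if all_qual in (None, "?")
             else "FAIR" if all_qual == "~" or issues else "GOOD")
    return {"all": all_qual, "lookups": lookups, "issues": issues, "grade": grade}


def _der_tlv(buf: bytes, pos: int = 0):
    """Minimal DER reader: returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Modulus size of a DER SubjectPublicKeyInfo that carries an RSA key."""
    _, spki, _ = _der_tlv(spki_der)           # SubjectPublicKeyInfo SEQUENCE
    _, _, after_alg = _der_tlv(spki)          # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _der_tlv(spki, after_alg)  # BIT STRING around RSAPublicKey
    _, rsa, _ = _der_tlv(bitstr[1:])          # skip the unused-bits octet
    _, modulus, _ = _der_tlv(rsa)             # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()


def assess_dkim(txt: str) -> dict:
    """Parse a DKIM key record (RFC 6376 s3.6.1): revoked, test-mode or weak key."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    issues, bits, p = [], 0, tags.get("p")
    if "y" in tags.get("t", "").split(":"):
        issues.append("t=y: key is in testing mode, verifiers should not enforce")
    if not p:
        issues.append("missing or empty p=: no usable key (empty means revoked)")
    elif tags.get("k", "rsa") == "rsa":
        try:
            bits = rsa_modulus_bits(base64.b64decode(p))
        except (ValueError, IndexError):
            issues.append("p= is not a parsable RSA SubjectPublicKeyInfo")
        else:
            if bits < 2048:
                issues.append(f"{bits}-bit RSA key is below the 2048-bit recommendation (RFC 8301)")
    return {"bits": bits, "issues": issues}


def _der(tag: int, value: bytes) -> bytes:
    """DER-encode one element (short form and the two long forms needed here)."""
    n = len(value)
    hdr = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + value


def constructed_dkim_record(modulus_bits: int) -> str:
    """Constructed test data: a well-formed DKIM record around a dummy modulus of
    the requested size. Not a real key; only its encoding matters here."""
    n_bytes = b"\x00" + ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8, "big")
    rsa = _der(0x30, _der(0x02, n_bytes) + _der(0x02, b"\x01\x00\x01"))  # n, e=65537
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))  # alg = rsaEncryption OID, NULL
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Two caveats a real scanner would have to close: `assess_spf` counts only the lookup terms in the record it is handed, so `include:` and `redirect=` targets must be resolved recursively and their lookups added before the 10-lookup limit can be judged; and `constructed_dkim_record` exists only to produce a syntactically valid key for offline runs, so a real check would feed `assess_dkim` the TXT record fetched from `selector._domainkey.example.com`.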
Learn about Bitsight Security Ratings.
Algorithm
Bitsight Security Ratings are calculated daily using a proprietary algorithm that examines two classes of externally observable data: configuration and security events. Security effectiveness is assessed across four risk categories, Compromised Systems, Diligence, User Behavior, and Public Disclosures, weighted as described under Risk Category Weights below.
The ratings algorithm accounts for the following elements:
- Number and Type(s) of Compromised Systems: Data is classified into risk vector types and factored into an organization’s security rating accordingly.
- Event Duration: The time between when the compromised system was first observed and when it was last seen.
- Diligence Configurations: The steps an organization has taken to prevent attacks. As with Compromised Systems, data is classified into risk vector types and factored into an organization’s security rating accordingly.
A company's security rating is the result of aggregating the information from all weighted risk vectors and normalizing it for that company (as outlined in the risk vectors overview).
Learn more about the rationale for rating thresholds and why security ratings may fluctuate.
Risk Category Weights
Risk categories are weighted as follows:
- Compromised Systems = 27%
- Diligence = 70.5%
- User Behavior = 2.5%
- Public Disclosures = Weighted only if they occur.
Letter Grades
Letter grades provide a quick way to understand how a company is performing in each risk type and also provide a meaningful way to compare the risk type performance of one company with another.
Letter grades are directly correlated to how well a company is performing relative to all companies in the Bitsight inventory, after normalizing for company size. The list below shows the performance range each grade corresponds to.
Individual Company Reports provide greater precision than letter grades.
- A: In the top 10% of companies (90th percentile and above).
- B: In the top 30% of companies (70th to 90th percentile).
- C: In the top 60% of companies (40th to 70th percentile).
- D: In the bottom 40% of companies (20th to 40th percentile).
- F: In the bottom 20% of companies.
- N/A: This grade has no correlation with how a company is performing. If a letter grade is “N/A” (Not Available), it may be because:
  - The risk vector is “informational.”
  - There are no findings, so the grade defaults to N/A.
  - The risk vector is going through an evaluation period before having an impact on the rating.
Finding Grades
The findings for select Diligence risk vectors are assigned a GOOD, FAIR, WARN, BAD, or NEUTRAL finding grade.
Finding grades are not applicable to the Patching Cadence and Domain Squatting risk vectors.
Finding grades are based on inherent risk and adherence to best practices. They contribute towards the letter grade of the risk vector.
- GOOD: GOOD findings have low risk, indicating alignment with best practices. They have a significantly positive impact on the letter grade. What should I do with my GOOD findings? Further action is not required.
- FAIR: FAIR findings have slight risk. They have a minor negative impact or no impact on the letter grade, depending on the risk vector. What should I do with my FAIR findings? There is some opportunity to achieve best practices; review the finding details. In the Desktop Software, Mobile Software, and Server Software risk vectors, findings can be assigned a FAIR grade, but FAIR findings there have no impact on the rating.
- WARN: WARN findings have moderate risk and indicate a departure from best practices. They have a moderately negative impact on the letter grade. What should I do with my WARN findings? Review the finding details.
- BAD: BAD findings have significant risk and a significant departure from best practices. They have a significantly negative impact on the letter grade. What should I do with my BAD findings? Review the finding details.
- NEUTRAL: NEUTRAL findings are neither a positive nor a negative indication of a company’s risk. Some configurations are always graded NEUTRAL. What should I do with my NEUTRAL findings? Further action is not required.
- N/A: Finding grades are not applicable (N/A) to Compromised Systems and User Behavior.
Normalization
Large companies will typically have more findings than smaller companies. To ensure ratings are calculated in a way that doesn't unfairly penalize large companies, we normalize ratings based on the size of an organization. We compare organizations using employee count to account for size.
Frequently Asked Questions
Are all findings of a given company displayed?
For most companies, findings from the past year are shown, and a complete list can be obtained through the Bitsight API. Companies with over 10 million findings have a sampled view of their findings, meaning that not all of them are visible in the platform.
What do sharp changes in a rating mean?
Sudden drops in rating can occur due to publicly disclosed Security Incidents, an increase in Compromised Systems events, or poorly configured Diligence findings. Improvements in ratings are due to either many simultaneously resolved events or updates to Diligence findings. Any decrease of 10 points or more is highlighted on a company’s Overview page, next to its 1-year historical trend graph.
When is a security rating impacted?
The rating is updated daily using the previous day’s data.
It can take 24-48 hours for new findings to impact ratings after they are observed. This is the time it takes to collect the data and present it in the Bitsight platform. Findings are time stamped from when the data is available. This is typically the same day as when the finding was observed, but it might be recorded the next day.
Example: A finding is observed at 11:59 pm on March 1st. It may not be collected and recorded until 12:10 am on March 2nd. That finding will impact the rating on March 2nd and later.
The finding continues to impact the rating over a decay period, which varies by risk type. Refer to the lifetime, duration, and decay of the following findings:
- The duration of Compromised System events
- The impact & lifetime of Diligence findings
- The lifetime of File Sharing events
- The severity & decay of Security Incident events
- April 15, 2025: Identified risk vectors with impactful finding grades.
- February 13, 2025: Recommendations for finding grades.
- October 29, 2024: Findings for most companies are no longer sampled. All findings for monitored companies are visible in Bitsight.