The 2025 Ratings Algorithm Update (RAU) is scheduled for July 2025. The Ratings Preview will begin on April 8, 2025.
Changes
- Web Application Risk Vectors
- Time Period Decrease on Findings with Insufficient Data or No Data
- Rating Drop Prevention
- Clarifying the Path to Perfect Risk Vector Grades
Web Application Risk Vectors
Web Application Security will become rating impacting, replacing the 5% weight of Web Application Headers in the overall rating. No other risk vector weights will change at this time. The Web Application Headers risk vector will be available as an informational risk vector until it is eventually deprecated.
See the migration plan and adjustments to the possible finding grades and weights of assessments.
Time Period Decrease on Findings with Insufficient Data or No Data
If the only finding for a risk vector expires (no more data), that finding is currently used for up to 400 days past the finding expiration date. With RAU25, we are changing that time period to 340 days to ensure that those findings will always be visible to users.
Rating Drop Prevention
Rating drops for certain risk vectors are prevented if there are no negative findings.
The small possibility that a change in the scoring curve creates a rating drop in the absence of negative findings is removed. This ensures the risk vector grade cannot drop if there are only positive finding grades (for TLS/SSL Certificates, TLS/SSL Configurations, and Open Ports).
Clarifying the Path to Perfect Risk Vector Grades
The relationship between the total number of findings and the risk vector grade is determined by a curve relative to the number of findings that other similar entities have. Companies that do not have negative findings are assigned a raw risk vector score depending on the total number of findings. This score in turn corresponds to a letter grade. The changes below are constrained to the raw score range equivalent to an A.
For the Open Ports, TLS/SSL Certificates, TLS/SSL Configurations, and Server Software risk vectors, the raw risk vector score will be explicitly linked to the number of findings:
- <10 Findings = 800 Raw Risk Vector Score
- Between ≥10 and <50 Findings = 810 Raw Risk Vector Score
- Findings ≥50 = 820 Raw Risk Vector Score
This makes understanding how to achieve the best letter grade more straightforward.
Preparation
We will provide a Ratings Preview 90 days before the update.