Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Finding Behavior

Marco M.

The tables below summarize the logic behind each risk vector and its findings, including:

weightage, weight, scan frequency, rescan frequency, lifetime, risk vector

  • Risk vector weight
  • Finding behavior
  • Finding lifetime
  • Insufficient data

    If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.

  • Automated rescan length or the amount of time it takes a rescan to run on its own.
  • User-requested rescan length or the amount of time it takes to complete a rescan upon request.
    • TLS/SSL Configurations, Open Ports, and Server Software provide an Instant Reply when a rescan is requested.
    • The rest of the supported risk vectors have a base duration for user-requested rescans. See the timeline for details.

Links in the Risk Vector column navigate to a detailed description of how each risk vector is assessed.

Diligence Risk Vectors - 70.5%

Risk Vector Weight Finding Behavior Lifetime Insufficient Data Grade Automated Rescan User-Requested Rescan
SPF Domains 1% 60 Days grade-f.png 2 Weeks 3 Days
DKIM Records 1% 60 Days grade-c.png 30-50 Days 3 Days
TLS/SSL Certificates 10% 60 Days grade-c.png 30 Days Instant Reply
TLS/SSL Configurations 15% 60 Days grade-c.png Instant Reply
Open Ports 10% 60 Days grade-a.png 30 Days Instant Reply
Web Application Security 5% 60 Days grade-c.png 30 Days Instant Reply
Server Software 2% 60 Days grade-a.png 8 Days Instant Reply
Insecure Systems 2.5% Without further activity, the finding stops updating. Its impact is removed after the lifetime. 60 Days grade-a.png Daily Not Available
Patching Cadence 20%

If the vulnerability is fixed, the finding is marked as remediated. Its impact on the risk vector grade and overall rating decreases starting 60 days after the Last Seen date of the last vulnerable finding and continues until the end of its lifetime (90 days).

Patching Cadence findings have a positive impact if they are remediated faster or negative impact if they are remediated slower than the company’s mean time to remediate. It also depends on the vulnerability’s severity.

 90 Days grade-a.png 30 days maximum. Not Available
Desktop Software 3% If a new Browser/OS version is seen, a new finding is created. The previous version stops impacting if not seen until the end of the lifetime. 65 Days grade-na.png These risk vectors are not assessed using automated scans. Instead, our internal records are updated weekly based on data received from our partners. Learn how these risk vectors are observed. Not Applicable
Mobile Software 1% 65 Days
DNSSEC N/A 60 Days grade-c-no-impact.png [No Impact] 2 Weeks 3 Days
Mobile Application Security N/A 365 Days grade-na.png Up to 2 weeks after a new version is released. 11 Days
Web Application Headers N/A 60 Days grade-na.png 30 Days 3 Days
DMARC N/A N/A grade-na.png 30 Days 3 Days
Domain Squatting N/A

Domain Squatting does not impact ratings.

  • Existing domains are impacted weekly.
  • New domains are impacted the next day.
 N/A grade-na.png 2 Weeks Not Available

Compromised Systems Risk Vectors - 27%

Risk Vector Weight Finding Behavior Lifetime Insufficient Data Grade Automated Rescan User-Requested Rescan
Botnet Infections 27% If the activity is not seen for 3 days, the finding stops updating. Its impact linearly declines until the end of the lifetime. 180 Days grade-a.png Daily Not Available
Spam Propagation
Malware Servers
Unsolicited Communications
Potentially Exploited

User Behavior Risk Vectors - 2.5%

Risk Vector Weight Finding Behavior Lifetime (days) Insufficient Data Grade Automated Rescan User-Requested Rescan
File Sharing 2.5% Each file represents a torrent shared through a unique IP. If the same IP downloads the same file at any further day, the Last Seen date updates. Different files and IPs result in separate findings. 60 Days grade-a.png Daily Not Available
Exposed Credentials N/A N/A N/A grade-na.png
  • July 10, 2025: 2025 Ratings Algorithm Update.
  • June 25, 2025: Instant Reply; Rescan duration; Finding behavior for Diligence risk vectors listed by rescan statuses.
  • September 5, 2024: The remediated finding behavior references the mean time to remediate.
Was this article helpful?
11 out of 13 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.