Finding Behavior

Marco M.

The tables below summarize the logic behind each risk vector and its findings, including:

- Risk vector weight
- Finding behavior
- Finding lifetime
- Insufficient data: If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
- Automated rescan length, or the amount of time it takes a rescan to run on its own.
- User-requested rescan length, or the amount of time it takes to complete a rescan upon request. TLS/SSL Configurations, Open Ports, and Server Software provide an Instant Reply when a rescan is requested. The rest of the supported risk vectors have a base duration for user-requested rescans. See the timeline for details.

Links in the Risk Vector column navigate to a detailed description of how each risk vector is assessed.

Diligence Risk Vectors - 70.5%

| Risk Vector | Weight | Finding Behavior | Lifetime | Insufficient Data Grade | Automated Rescan | User-Requested Rescan |
|---|---|---|---|---|---|---|
| SPF Domains | 1% | Remediated; Not Remediated | 60 Days | | 2 Weeks | 3 Days |
| DKIM Records | 1% | Remediated; Not Remediated | 60 Days | | 30-50 Days | 3 Days |
| TLS/SSL Certificates | 10% | New Certificate; New Observation; Remediated; Replacement findings are not applicable. | 60 Days | | 30 Days | Instant Reply |
| TLS/SSL Configurations | 15% | The Asset Was Taken Offline; Other Remediations; Not Remediated | 60 Days | | | Instant Reply |
| Open Ports | 10% | TCP Ports; Remediated; Not Remediated | 60 Days | | 30 Days | Instant Reply |
| Web Application Security | 5% | Remediated; Not Remediated | 60 Days | | 30 Days | Instant Reply |
| Server Software | 2% | New Observation; Remediated; Replacement findings are not applicable. | 60 Days | | 8 Days | Instant Reply |
| Insecure Systems | 2.5% | Without further activity, the finding stops updating. Its impact is removed after the lifetime. | 60 Days | | Daily | Not Available |
| Patching Cadence | 20% | If the vulnerability is fixed, the finding is marked as remediated. Its impact on the risk vector grade and overall rating decreases starting 60 days after the Last Seen date of the last vulnerable finding and continues until the end of its lifetime (90 days). Patching Cadence findings have a positive impact if they are remediated faster or negative impact if they are remediated slower than the company’s mean time to remediate. It also depends on the vulnerability’s severity. | 90 Days | | 30 days maximum. | Not Available |
| Desktop Software | 3% | If a new Browser/OS version is seen, a new finding is created. The previous version stops impacting if not seen until the end of the lifetime. | 65 Days | | These risk vectors are not assessed using automated scans. Instead, our internal records are updated weekly based on data received from our partners. Learn how these risk vectors are observed. | Not Applicable |
| Mobile Software | 1% | | 65 Days | | | |
| DNSSEC | N/A | Remediated; Not Remediated | 60 Days | [No Impact] | 2 Weeks | 3 Days |
| Mobile Application Security | N/A | New Observation; Remediated; Replacement findings are not applicable. | 365 Days | | Up to 2 weeks after a new version is released. | 11 Days |
| Web Application Headers | N/A | Remediated; Replacement Finding | 60 Days | | 30 Days | 3 Days |
| DMARC | N/A | Remediated; Not Remediated | N/A | | 30 Days | 3 Days |
| Domain Squatting | N/A | Domain Squatting does not impact ratings. Existing domains are impacted weekly. New domains are impacted the next day. | N/A | | 2 Weeks | Not Available |

Compromised Systems Risk Vectors - 27%

| Risk Vector | Weight | Finding Behavior | Lifetime | Insufficient Data Grade | Automated Rescan | User-Requested Rescan |
|---|---|---|---|---|---|---|
| Botnet Infections | 27% | If the activity is not seen for 3 days, the finding stops updating. Its impact linearly declines until the end of the lifetime. | 180 Days | | Daily | Not Available |
| Spam Propagation | | | | | | |
| Malware Servers | | | | | | |
| Unsolicited Communications | | | | | | |
| Potentially Exploited | | | | | | |

User Behavior Risk Vectors - 2.5%

| Risk Vector | Weight | Finding Behavior | Lifetime (days) | Insufficient Data Grade | Automated Rescan | User-Requested Rescan |
|---|---|---|---|---|---|---|
| File Sharing | 2.5% | Each file represents a torrent shared through a unique IP. If the same IP downloads the same file at any further day, the Last Seen date updates. Different files and IPs result in separate findings. | 60 Days | | Daily | Not Available |
| Exposed Credentials | N/A | N/A | N/A | | | |

- July 10, 2025: 2025 Ratings Algorithm Update.
- June 25, 2025: Instant Reply; Rescan duration; Finding behavior for Diligence risk vectors listed by rescan statuses.
- September 5, 2024: The remediated finding behavior references the mean time to remediate.