What are Security Rating Services?

7 minute read
Beginner

Security rating services score organizations based on externally observable signals. Learn how ratings work, what they miss, and when they are appropriate tools for vendor risk management.

How Security Ratings Work

Security rating platforms collect data about an organization's internet-facing infrastructure from external vantage points, without any cooperation from the rated organization and without any credentials. They observe DNS configuration, SSL/TLS certificate validity and protocol configuration, IP reputation based on observed malicious activity (for example, spam or botnet traffic from the organization's address space), open port exposure, software versions identifiable from service banners, and email authentication configuration (SPF, DKIM, DMARC). These observations are weighted and combined into a numeric score or letter grade on a vendor-specific scale that purports to represent the organization's security posture.
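To make concrete what "externally observable" means, the following Python is an added example (not code from this page or from any rating vendor) that grades the email-authentication signal from a domain's public DNS TXT records the way a simplified rating engine might. The domains, records and point weights are this example's own constructed assumptions; a real scorer would query DNS for `<domain>` and `_dmarc.<domain>` instead of reading the embedded dictionary.

```python
"""Toy scorer for the externally observable email-authentication signal.

Everything a rating platform can see here is what an outsider can read
from public DNS.  Nothing below says anything about whether staff click
phishing links, which is the gap the rest of this article is about.
"""

# Constructed sample TXT records for hypothetical domains (not real lookups).
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 a mx include:a.example include:b.example "
                     "include:c.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    # "none.example" publishes no SPF or DMARC record at all.
}

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(records):
    """Return {'all': qualifier, 'lookups': n} for the first SPF record, or None."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    lookups = 0
    all_qualifier = None
    for term in spf[0].split()[1:]:
        qualifier = "+"                      # implicit qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # "include:x", "redirect=x", "ip4:1.2.3.4", "a", "mx" -> mechanism name
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(records):
    """Return the tag dict ('p', 'rua', ...) of the first DMARC record, or None."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def score_email_auth(domain, txt=SAMPLE_TXT):
    """Score a domain 0-100 from its SPF and DMARC records and list findings.

    Weights are this example's illustrative choice, not any vendor's method.
    DKIM is omitted: its keys live under selector-specific names that an
    outside observer cannot enumerate without seeing signed mail.
    """
    score = 0
    findings = []

    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append("no SPF record")
    else:
        score += 20
        if spf["all"] == "-":
            score += 20
        elif spf["all"] == "~":
            score += 10
            findings.append("SPF ends in ~all (softfail) rather than -all")
        else:
            findings.append("SPF has no restrictive 'all' mechanism")
        if spf["lookups"] <= 10:
            score += 10
        else:
            findings.append(f"SPF needs {spf['lookups']} DNS lookups (limit 10): permerror")

    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        score += 20
        policy = dmarc.get("p", "none").lower()
        score += {"reject": 30, "quarantine": 20}.get(policy, 5)
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, no enforcement")

    return {"domain": domain, "score": score, "findings": findings}


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "none.example"):
        print(score_email_auth(d))
```

Running it gives good.example 100, weak.example 65 and none.example 0. The point to take from the exercise is that every input to the score is a DNS string anyone can read; the same three domains could have identical endpoint, identity and detection maturity, and the scorer would never know.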

The major platforms are BitSight, SecurityScorecard, RiskRecon (Mastercard), and Panorays. Each uses a proprietary weighting and scoring methodology, so the same organization receives different absolute scores on different platforms; scores from different platforms are therefore not directly comparable, and a change in score on one platform should be read against that platform's own history for the organization.

What Security Ratings Miss

Security ratings measure externally observable signals, not actual security posture. An organization with a high security rating may have excellent email security configuration and no exposed ports while having completely inadequate internal security controls — poor endpoint security, weak identity controls, no detection capability. The breach scenarios that matter most — ransomware initiated through phishing, insider threats, supply chain compromise — are invisible to external security rating systems because they do not involve observable internet-facing vulnerabilities.

Appropriate Uses for Security Ratings

Security ratings are valuable as a component of vendor and third-party risk management: monitoring whether critical vendors maintain minimum external security hygiene, tracking changes in vendor security ratings that might indicate security deterioration, and providing a consistent external baseline for large vendor populations where individual security assessments are not practical. They are also useful as a screening tool in M&A processes — not as a substitute for technical due diligence but as a consistent external baseline that identifies organizations with obvious external security failures that warrant closer investigation.

Real-World Example: High Rating, Major Breach

Multiple organizations that have suffered significant data breaches had security ratings in the top quartile of their industry at the time of the breach. The rating reflected external infrastructure hygiene (TLS configuration, email authentication, no exposed dangerous ports) while the breach occurred through phishing that compromised internal credentials, lateral movement that exploited a flat internal network, and data exfiltration through sanctioned cloud services, none of which an external rating system can observe. These cases illustrate why security ratings are useful inputs but not substitutes for comprehensive security assessment.

A-D

The letter grade range published by some security rating platforms alongside their numeric scores. Organizations with identical letter grades can have dramatically different actual security postures, depending on what the rating captured and what it missed.

How Cloudskope Can Help

Cloudskope's M&A cyber due diligence program uses security rating data as one input among many — alongside penetration testing, cloud configuration assessment, identity security review, and active directory evaluation — to produce a comprehensive technical risk picture that external ratings alone cannot provide.