The 2026 Ratings Algorithm Update: Strengthening Accuracy and Stability
Each year, the threat environment changes, and the way we measure cyber risk has to keep up. Attackers adjust quickly. At the same time, organizations add cloud services, SaaS applications, and third parties to their environments. That makes it harder to maintain a stable, external measure of security performance.
At Bitsight, the Ratings Algorithm Update (RAU) is one of the major initiatives that helps keep the Bitsight Security Rating a reliable indicator of security performance. We make these calculation updates to preserve strong alignment with real-world outcomes, including security incidents and breaches.
In this post, we are sharing an early look at the 2026 Ratings Algorithm Update (RAU26) and what customers can expect before it goes into effect on July 16, 2026.
Why we update the ratings algorithm each year
Security practices and attacker behavior do not stand still. New technologies and new attack paths both change what “good” security performance looks like.
Bitsight’s annual Ratings Algorithm Update helps:
- Better reflect evidence-based risk in ratings
- Strengthen alignment between ratings and real-world risk
- Add new signals that improve visibility into security performance
- Incorporate customer feedback and relevant industry changes
Ultimately, our goal is simple: ensure the Bitsight Rating continues to provide actionable intelligence that helps organizations prioritize risk, communicate performance, and drive meaningful security improvements.
The 2026 update builds on that philosophy with several targeted changes designed to improve both accuracy and stability.
What’s changing in RAU26
This year’s update introduces three primary changes. Each reflects areas where we can better capture meaningful security behaviors and reduce noise in how risk is measured.
1. DMARC risk vector becomes rating-impacting
What’s changing
Domain-based Message Authentication, Reporting, and Conformance (DMARC) will now contribute to the Bitsight Rating with a 1% weight, reallocated from the Compromised Systems category.
This completes the trio of foundational email-based risk vectors measuring authentication controls: Sender Policy Framework (SPF) Domains, DomainKeys Identified Mail (DKIM) records, and DMARC.
DMARC grades are already visible in the Bitsight platform today, but before RAU26 they do not affect the overall Bitsight Rating; SPF and DKIM each already carry a 1% weight.
Organizations that implement DMARC policies will now see that investment reflected directly in their Bitsight Rating, which improves the fidelity of our email security signal. By measuring DMARC alongside SPF and DKIM, we strengthen the Rating’s ability to surface evidence-based protections against spoofing and phishing, giving security and risk teams a clearer, more actionable indicator to demonstrate improved email security posture.
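Before the Preview period, a team can check what an external observer will see for SPF, DKIM and DMARC on its own domains. The script below is an added example, not Bitsight's grading code and not part of the original post: it parses the three record types from TXT data and classifies each one, using a constructed in-memory table of sample records (the `.test` domains and their contents are invented for the demo) in place of live DNS. The policy labels ("hardfail", "permissive", "enforcing") are this example's own vocabulary, not Bitsight letter grades. To run it against real domains, replace `lookup_txt` with a resolver call such as `dns.resolver.resolve(name, "TXT")` from dnspython.

```python
"""Self-check of SPF, DKIM and DMARC records for a domain.

DNS is simulated with an inline dict of TXT records (constructed sample data,
not real domains). The classification labels are illustrative only.
"""
import re

# Constructed sample TXT records keyed by DNS name. Not real domain data.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test ip4:192.0.2.0/24 -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"],
    "s1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC..."],
    "weak.test": ["v=spf1 +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:rua@weak.test"],
    "partial.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.partial.test": ["v=DMARC1; p=quarantine; pct=25"],
    "_dmarc.dup.test": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Return the TXT strings published at `name` (stand-in for a DNS query)."""
    return records.get(name.lower(), [])


def parse_tags(record):
    """Split a 'k=v; k2=v2' record into a dict; keys lower-cased, whitespace tolerant."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(domain, records=SAMPLE_TXT):
    """Classify the SPF record by its 'all' mechanism qualifier."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # RFC 7208: more than one SPF record is a permanent error
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0].lower())
    if not match or match.group(1) in ("", "+"):
        return "permissive"  # no 'all' term, or +all: every sender passes
    return {"-": "hardfail", "~": "softfail", "?": "neutral"}[match.group(1)]


def assess_dmarc(domain, records=SAMPLE_TXT):
    """Extract the DMARC policy, enforcement percentage and reporting setup."""
    recs = [r for r in lookup_txt("_dmarc." + domain, records)
            if r.lower().startswith("v=dmarc1")]
    if not recs:
        return {"policy": "missing", "pct": 0, "reporting": False}
    if len(recs) > 1:
        # RFC 7489 section 6.6.3: multiple records mean DMARC is treated as absent.
        return {"policy": "invalid", "pct": 0, "reporting": False}
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"policy": "invalid", "pct": 0, "reporting": False}
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return {
        "policy": policy,
        "pct": pct,
        "subdomain_policy": tags.get("sp", policy).lower(),
        "reporting": "rua" in tags,
    }


def dmarc_enforcing(assessment):
    """True only when mail failing DMARC is actually quarantined or rejected in full."""
    return assessment["policy"] in ("quarantine", "reject") and assessment["pct"] == 100


def assess_dkim(domain, selectors, records=SAMPLE_TXT):
    """Return the selectors that publish a usable DKIM key.

    DKIM has no well-known name, so selectors must come from observed mail
    headers (the DKIM-Signature 's=' tag); an empty 'p=' means a revoked key.
    """
    found = []
    for selector in selectors:
        for record in lookup_txt(f"{selector}._domainkey.{domain}", records):
            tags = parse_tags(record)
            if tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p"):
                found.append(selector)
    return found


def assess_domain(domain, selectors=(), records=SAMPLE_TXT):
    """One-shot view of the three email authentication controls for a domain."""
    dmarc = assess_dmarc(domain, records)
    return {
        "spf": assess_spf(domain, records),
        "dkim_selectors": assess_dkim(domain, selectors, records),
        "dmarc": dmarc,
        "dmarc_enforcing": dmarc_enforcing(dmarc),
    }


if __name__ == "__main__":
    for d in ("example.test", "weak.test", "partial.test", "dup.test"):
        print(d, assess_domain(d, selectors=("s1", "s2")))
```

The `pct` check matters in practice: `p=quarantine; pct=25` looks like an enforcing policy in the portal but leaves three quarters of spoofed mail untouched, and two DMARC records at `_dmarc` (a common leftover from a vendor migration) silently disable DMARC altogether.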
2. Critical Vulnerability Management replaces Patching Cadence
What’s changing
The existing Patching Cadence risk vector will be replaced by Critical Vulnerability Management (CVM) at the same 20% weighting.
This update shifts the focus from how long vulnerabilities remain unpatched to how severe those vulnerabilities are and how quickly high-risk issues are addressed.
As part of this change:
- CVSS scores used in this risk vector will be updated
- CVSS updates will automatically apply when vulnerability scores change in the catalog
- Historical observations will remain unchanged
Under CVM, organizations will see faster rating movement for newly observed, high-severity exposure and reduced sensitivity to long-running, low-severity issues, a change that better mirrors how modern vulnerability programs prioritize fixes. By emphasizing severity and exploitability, CVM preserves, and modestly improves, the Rating’s correlation with real-world outcomes, and gives teams a clearer, evidence-based signal to prioritize remediation where it will most reduce business risk.
3. Updated email risk vector defaults for organizations without domains
What’s changing
For entities that have no associated domains, SPF and DKIM will now default to N/A, which has no negative impact on the rating. Previously, these entities received default grades despite having no domains to evaluate. The default grade for DMARC is already N/A and will remain so.
For entities that do have domains, default grades remain unchanged:
- SPF: F
- DKIM: C
- DMARC: N/A
This update removes potentially misleading grades for organizations without domains, ensuring ratings reflect only observable email authentication evidence, thus improving fairness and accuracy. In short, organizations will no longer be penalized for controls that cannot be meaningfully observed in the absence of domains, making the Rating a clearer and more defensible external indicator of security performance.
RAU26 timeline
To ensure transparency and give organizations time to prepare, we are providing a three-month Preview window before the update goes live.
- Preview period begins: April 16, 2026
- Go-live date: July 16, 2026
During the Preview window, customers will be able to view the Ratings Algorithm Update Preview in the Bitsight platform that reflects the updated algorithm.
This allows teams to understand how the changes may affect their ratings and take action if needed before the official rollout.
What customers should do next
We encourage customers to use the Preview window proactively.
Here are a few recommended steps:
- Review your Preview Rating in the Bitsight portal
This will show how RAU26 affects your organization under the updated algorithm.
- Evaluate DMARC implementation
If DMARC policies are not yet deployed, consider implementing them to strengthen email security controls.
- Review vulnerability remediation priorities
With Critical Vulnerability Management replacing patching cadence, prioritizing high-severity vulnerabilities will be even more important. This is visible prior to the RAU preview in the Risk Vector preview experience for first-party (SPM) users.
- Communicate changes to stakeholders
Many organizations share their Bitsight Rating with vendors, partners, boards, and insurers. The Preview period is an opportunity to brief these stakeholders and ensure alignment.
Our commitment to transparency
We recognize that algorithm changes can raise questions. That’s why transparency and collaboration are central to every Ratings Algorithm Update.
Your feedback continues to shape how we evolve the platform, and RAU26 reflects many of the insights we’ve heard from customers across security, risk, and executive leadership teams.
By refining how we measure security performance, we aim to ensure that the Bitsight Rating remains a stable, trusted, and actionable benchmark as a core component of cyber risk intelligence.
If you have questions about RAU26, we encourage you to explore your Ratings Algorithm Update Preview in the platform and connect with your Bitsight customer success manager for additional guidance.
Together, we can continue strengthening the data and insights that help organizations manage cyber risk with confidence.