Understand Your Security Rating

Common questions and answers about BitSight Security Ratings

Over 2,100 organizations are using BitSight Security Ratings to continuously monitor cyber risk in their business ecosystem. Using an approach similar to credit ratings for financial risk, BitSight customers are able to gain insight into the security posture of third parties as well as their own organization. BitSight Security Ratings are calculated on a scale of 250-900 with a higher rating indicating better security performance.


Did you get your BitSight Security Rating?

BitSight Security Ratings Portal
BitSight Security Ratings Report
BitSight Security Ratings Snapshot Report



I was invited to the BitSight Portal

Great! BitSight grants you complimentary portal access so you can understand your BitSight Security Rating and investigate the details behind it. If you have any questions about your rating details or would like a walkthrough of the ratings portal, please reach out to success@bitsight.com. The Customer Success team can also provide you with additional context around the invitation you received and answer any questions you may have.

See how BitSight’s Enable Vendor Access feature allows customers to have data-driven, evidence-based conversations, making vendor risk management a more collaborative process.



I was sent a BitSight Report

You may have received a BitSight report from a company you work with. Your BitSight report includes your rating and the details behind each risk vector in our platform. However, to see the specific security issues occurring within your organization’s digital footprint, including the IP addresses involved, you must access the BitSight platform.

All organizations have the right to access the BitSight platform to receive these details free of charge. To inquire about gaining access to the BitSight Security Rating Platform, please email EVA@bitsight.com.

Frequently Asked Questions

How was my security rating calculated?

BitSight uses externally observable data on compromised systems, security diligence, user behavior, and public disclosures to compute a company’s security rating. All companies, whether or not they are customers, are rated on the same criteria. For more details, see “How BitSight Calculates Ratings.”

Who else can see my security rating?

All BitSight customers can subscribe to view the rating of any other company within their portfolio. However, forensic information, such as the IP addresses affected, server names, and observed behavior, is only disclosed to the organization itself or to a third party that has been granted permission (and in compliance with our internal guidelines).

How does BitSight collect its data?

BitSight Security Ratings are based on hundreds of different data sources. Some sources are proprietary, some leverage partner relationships, and some are obtained through open source collection. In all cases, our data scientists and technical researchers carefully qualify, cross-check, and maintain each source. Each new candidate source undergoes rigorous evaluation prior to its incorporation into BitSight Security Ratings. The global threat and vulnerability landscape is always changing, so after we have incorporated a source into the BitSight Security Ratings, we constantly monitor it for accuracy. For more information, visit our Data page.

Our guest/public network is segmented. Why does my rating not account for that?

Any organization has the ability to tag portions of their networks and specify which of their IP addresses are reserved for guests, security research and testing, or other purposes. Tagging these portions of the network provides the relevant context should a security event occur. BitSight also enables organizations to create self-published ratings that reflect the security posture of particular parts of their networks.

If you’d like to do this, please reach out to support@bitsighttech.com.

Is this legal?

Yes, all the information we gather is from the public Internet; our product is non-intrusive and requires no agents or software to be deployed. The information is available to anyone who chooses to collect it. Moody’s, Dun & Bradstreet and others have set a market precedent for collecting data and presenting a score. Similar to these companies that have established industry standards, our ratings algorithm is based only on fully objective, verifiable and actionable data.

Can I dispute my security rating?

Absolutely, BitSight firmly believes in the transparency of its ratings for all organizations. In the event you believe there is a discrepancy with your rating, you can reach out to our customer support team. BitSight’s customer success team will review any records within your rating that you believe are incorrect. If ultimately necessary, rating disputes can be brought to the Office of the Ombudsman to ensure an unbiased and accurate resolution.

What do we need to do now?

A company (your own customer or someone in your supply chain) may be evaluating critical business decisions based on your organization’s security posture. Organizations should address any issues found within their rating and take steps to improve their rating.

What can I do to improve my security rating?

Security ratings are a measurement of security performance based on historical data — over years — meaning they won’t necessarily change dramatically overnight. 

A company’s security rating includes a Remediation Strategy which highlights risk vectors that have had a high rating impact in the last 60 days. Organizations should start with items that have affected their rating the most. For context, organizations with ratings in BitSight’s advanced category (740-900) tend to: ensure security configurations are up to industry standards, continuously monitor their networks for compromised systems, and remediate issues as soon as they are discovered.

How does BitSight protect the independence and objectivity of its security ratings?

The management team, data scientists, and technical researchers at BitSight closely monitor the quality of the security ratings, free of influences or interferences such as a rated company’s financial performance, stock price, or other non-security related topics.

What if I receive a BitSight Security Rating? What happens next?

BitSight allows its customers to share Security Ratings directly with other organizations, providing a way for those organizations to analyze their security performance and view recommended remediation steps. BitSight does not charge those organizations to see their Security Ratings report. Customers can also provide their vendors access to the BitSight Platform, giving the vendor visibility into the Security Ratings information on their own company with additional forensics data.

What guidelines and procedures are in place to ensure the balance and accuracy of BitSight Security Ratings?

BitSight Security Ratings are subject to a rigorous review process by members of BitSight’s technical research team. This process is designed to surface any inconsistencies in the ratings methodology, data collection, and conclusions. Rating quality is based upon the accuracy of the risk vectors that comprise them. Security events, which make up 55% of a BitSight Security Rating, are especially important. Billions of new security events are observed around the globe on a daily basis, but many of these are simply noise or false positives. What really matters for security ratings is evidence of actual compromise, such as a botnet that has invaded your network and may be sending sensitive personally identifiable information (PII) to a command and control center. BitSight is able to detect evidence of actual attacks and measure information such as frequency, duration, and confidence. We do this through correlation and cross-checking against internally-developed sources, external vendors, and publicly accessible data. 

For BitSight to accept a security event, it must pass our event quality criteria based on different data factors. We have over 490 criteria and 160 factors; different checks are applied to different data, ensuring that unreliable data is filtered out and never makes it into a BitSight Security Rating. We thoroughly test and cross-check new data sources and risk vectors against existing data sources to ensure quality. We continually check the quality of existing data sources, which is why the number of quality criteria and factors is continuously increasing.

Mapping IPs to companies is a highly complex and dynamic challenge: IP addresses are continually sold, exchanged, or reallocated. Entirely automated processes very often misallocate IPs or miss entire IP blocks. As a result, IP mappings based on automated processes alone are highly unreliable. BitSight combines automated processes with human validation. We maintain teams of researchers who create and maintain maps of IP addresses of companies. To keep our error rate as low as possible, their IP allocations are cross-checked before they are incorporated into the BitSight Security Ratings.

Do BitSight investors or Board members have influence over an individual company’s security rating?

No. BitSight Security Ratings for individual companies are developed without the influence, review, or approval of our investors, shareholders, or Board of Directors.

Does a company need to be a BitSight customer to be included in BitSight Security Ratings?

The BitSight Platform includes security ratings for more than 200,000 companies, some of which are BitSight customers and some of which are not. BitSight Security Ratings are generated regardless of a company’s status as a BitSight customer. If you are not a BitSight customer, and you receive a BitSight Security Rating from a business partner, you can appeal your BitSight Security Rating as described above.

Is a company allowed to review BitSight’s Security Ratings prior to publication?

BitSight Security Ratings are impartial and are not influenced by individual organization reviews. They are produced daily through an automated process and not sent to rated companies for review. However, BitSight has a formal appeals process that can be used by both customers and non-customers if they are dissatisfied with any piece of analysis by BitSight. Companies usually send us documentation from Internet Service Providers indicating that a particular IP block is no longer in use by the company. In some instances, a company may hire a firm to audit their IP space. Documentation from these audits can also be used as part of the BitSight Security Rating appeal process.
