[ 00 ] — Rating System

Grades & badges, decoded.

One letter, seven tiers, and a verifiable badge system that turns continuous scanning into something a board, an underwriter, and a procurement team can all read at a glance.

[ 01 ] — Grades

Seven tiers. One score.

01 / 07
A+ (95 – 100)
Exemplary

Best-in-class security posture.

No critical exposures, no exploitable CVEs, full TLS 1.3 / HSTS / DNSSEC, zero leaked credentials, and a complete history of remediated findings. Reserved for the top decile of scanned organisations.

Posture: Audit-ready · Insurance-preferred · Board-grade

02 / 07
A (88 – 94)
Strong

Mature, well-maintained perimeter.

Minor low-severity findings only. Patching cadence under 14 days, encryption everywhere, no known leaks. Trusted for enterprise procurement without further questionnaires.

Posture: Procurement-ready · Low residual risk

03 / 07
B+ (80 – 87)
Good

Solid fundamentals, minor gaps.

Good coverage on encryption and headers with occasional medium issues. A few services exposed or TLS slightly behind best practice. Trusted for standard procurement with routine review.

Posture: Standard approval · Bi-annual review

04 / 07
B (70 – 79)
Adequate

Acceptable, with addressable gaps.

Some medium-severity issues — outdated TLS suites, missing security headers, or one or two exposed services. Safe to do business with, but a remediation plan is expected.

Posture: Conditional approval · Quarterly review

05 / 07
C (55 – 69)
Caution

Material weaknesses present.

Multiple medium issues or one high-severity exposure (e.g. expired certificates, weak SPF/DMARC, public admin panels). Engage only with compensating controls and a clear 30-day remediation SLA.

Posture: Compensating controls required

06 / 07
D (35 – 54)
At Risk

Significant exploitable exposure.

High-severity CVEs, leaked credentials in the wild, or unauthenticated services exposed to the internet. Active risk of compromise — treat as a security incident, not a procurement decision.

Posture: Escalate to security · Block new data sharing

07 / 07
F (0 – 34)
Failing

Critical, likely already compromised.

Critical vulnerabilities, breach indicators, or evidence of active exploitation. Insurance carriers will decline; enterprise buyers will exit. Immediate, hands-on remediation required.

Posture: Do not transact · Notify stakeholders

[ 02 ] — Methodology

100+ signals. Continuously weighted.

Network & TLS
  • TLS version & cipher hygiene
  • Certificate chain & expiry
  • HSTS, OCSP stapling
  • Open ports & service banners
DNS & Email
  • SPF, DKIM, DMARC alignment
  • DNSSEC, CAA records
  • MX & MTA-STS posture
  • BIMI readiness
Application & Web
  • Security headers (CSP, XFO, COOP)
  • Cookie & session flags
  • Exposed admin paths & debug endpoints
  • Known CMS vulnerabilities
Vulnerability Intelligence
  • Live CVE matching with KEV weighting
  • Exploit-in-the-wild signals
  • Patch latency benchmarks
  • Software end-of-life detection
Identity & Leaks
  • Credential leaks (dark web, paste sites)
  • Exposed API keys & tokens
  • Breach exposure across employees
  • Typosquat & lookalike domains
Reputation
  • Blocklist & spam-trap status
  • Botnet / C2 infrastructure ties
  • Hosting neighbourhood risk
  • Historical incident telemetry

[ 03 ] — Badges

Earned, signed, verifiable.

Verified

Domain ownership confirmed and signed by SecurityRating.com.

How to earn

Complete domain verification (DNS TXT or HTTP file).

Continuously Monitored

Daily external scans across 100+ signals; drift alerts within 15 minutes.

How to earn

Active paid subscription with monitoring enabled.

Compliance-Ready

Mapped controls satisfy at least one major framework (SOC 2, ISO 27001, NIS2, NESA, PDPL).

How to earn

All control mappings for one framework pass for 30 consecutive days.

Top Decile

Sits in the top 10% of all rated organisations in its industry.

How to earn

Score and posture stability in the 90th percentile for 90 days.

Improving

Score has risen by 10+ points in the last 90 days.

How to earn

Continuous remediation with verified evidence of fixes.

Insurance-Preferred

Posture meets carrier underwriting criteria for preferred pricing.

How to earn

Grade A or above plus no high/critical findings for 60 days.

Zero-Leak

No leaked credentials, secrets, or PII detected across the dark web in 12 months.

How to earn

Clean dark-web intelligence sweep across all monitored identities.

Transparency

Public posture page published with current grade and last-scanned timestamp.

How to earn

Opt in to publish a securityrating.com/p/<your-domain> trust page.

Grades reflect externally observable posture only — the same surface an attacker sees. They do not assess internal controls, governance, or culture. Pair with our compliance modules for the full picture.
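
The seven score bands from the grade table and the Insurance-Preferred, Improving and Zero-Leak badge rules above, as an added Python example that is not SecurityRating.com's own code. It assumes one external scan per day and a constructed 400-day history, and re-checks each badge against its trailing window so the badge drops out as soon as the posture degrades, as the FAQ below describes.

```python
"""Added illustrative evaluator (not SecurityRating.com's own code): applies the
seven score bands and the Insurance-Preferred, Improving and Zero-Leak badge rules
above to a constructed scan history, dropping a badge once its condition fails."""
from dataclasses import dataclass

# (lower bound, grade) for each tier in the table; checked from the top down.
TIERS = [(95, "A+"), (88, "A"), (80, "B+"), (70, "B"), (55, "C"), (35, "D"), (0, "F")]

def grade_for(score: int) -> str:
    """Map a 0-100 composite score to its letter grade."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    return next(grade for floor, grade in TIERS if score >= floor)

@dataclass(frozen=True)
class DailyScan:
    day: int               # days since the first scan (0 = oldest); one scan per day
    score: int             # composite 0-100 score for that day
    high_or_critical: int  # open findings at high or critical severity
    leaks: int             # leaked credentials, secrets or PII observed that day

def badges(history: list) -> set:
    """Badges held on the newest day of `history` (sorted oldest to newest)."""
    latest = history[-1]
    held = set()
    # Insurance-Preferred: grade A or above plus no high/critical findings for 60 days.
    last60 = [s for s in history if s.day > latest.day - 60]
    if (grade_for(latest.score) in ("A", "A+") and len(last60) >= 60
            and all(s.high_or_critical == 0 for s in last60)):
        held.add("Insurance-Preferred")
    # Improving: score has risen by 10+ points against the scan 90 days ago.
    baseline = [s for s in history if s.day <= latest.day - 90]
    if baseline and latest.score - baseline[-1].score >= 10:
        held.add("Improving")
    # Zero-Leak: nothing leaked in the trailing 12 months (365 daily scans).
    last365 = [s for s in history if s.day > latest.day - 365]
    if len(last365) >= 365 and all(s.leaks == 0 for s in last365):
        held.add("Zero-Leak")
    return held

def sample_history() -> list:
    """Constructed 400-day series: score jumps 78 -> 90 on day 320, one high
    finding is open on day 330 only, and no leak is ever observed."""
    return [DailyScan(d, 90 if d >= 320 else 78, 1 if d == 330 else 0, 0)
            for d in range(400)]
```

Slicing the sample history at day 330 and again at day 390 shows Insurance-Preferred being revoked by the single high finding and re-earned only once it has been clear for a full 60 days.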

Quick Answers

Grades & badges — frequently asked questions

How is the security rating calculated?

Each domain is continuously scanned across six signal categories — Network/TLS, DNS/Email, Application, Vulnerability Intelligence, Identity & Leaks, and Reputation. Findings are weighted by exploitability (KEV-aware), severity (CVSS v3.1), and business impact. The composite is normalised to a 0–100 score and mapped to a letter grade A+ through F across seven tiers.

Why a letter grade instead of just a number?

Letter grades create immediate, shareable understanding across non-technical stakeholders — boards, procurement, insurers, regulators. A 78 means little to a CFO; a B with the methodology behind it does. Both numeric score and grade are always shown.

Can a grade improve in real time?

Yes. Remediations are re-scanned within 15 minutes of detection, and the grade updates as soon as the fix is verified. Most B-to-A jumps happen within 7–14 days when teams act on prioritised findings.

Are the badges audited?

Every badge is signed by SecurityRating.com and includes a verifiable URL and last-issued timestamp. Badges automatically revoke if the underlying posture degrades, so they always reflect current truth — not a one-time certificate.

Can I show my grade or badges on my own website?

Yes. With the Transparency badge enabled, you can embed a live rating widget or link to your public posture page at securityrating.com/p/<your-domain>. It updates automatically.

How does SecurityRating.com compare to BitSight or SecurityScorecard?

All three deliver continuous external ratings. SecurityRating.com differs by being self-serve (full rating in seconds, no sales call), fully transparent on methodology and per-finding remediation, and by publishing a public posture page that vendors and insurers can verify in one click.

See your grade in 60 seconds.

Run a free, non-intrusive scan of any domain. We return a letter grade, the signals behind it, and a prioritised remediation list — no signup, no credit card.