BitSight and SecurityScorecard differ in their methodologies, but both are considered “real-time” services that provide continuous monitoring. BitSight collects data from various sources, including externally and publicly observable data points such as indicators of compromise, user behavior, network sensor or sinkhole monitoring, and relationships with ISPs.
BitSight formulates its ratings by gathering security information from billions of stored data points and events online, as described on their website. The data encompasses:
- Indicators of compromise
- Infected machines
- Configuration of cybersecurity controls
- Cyber hygiene practices
- Potentially harmful user behaviors
This data is applied to a company’s network footprint and then processed through an algorithm that evaluates it by severity, frequency, duration, and confidence. The result is an overall rating of an organization’s security performance on a cybersecurity risk rating scale from 250 to 900, with higher scores indicating better cybersecurity performance.
SecurityScorecard, on the other hand, also gathers data from external sources but emphasizes publicly accessible information, focusing on factors such as DNS health and patching cadence. SecurityScorecard can also scan organizations directly, which helps reduce the misattribution of IT assets to the wrong organization.
SecurityScorecard evaluates an organization’s cybersecurity posture across ten groups of risk factors, including DNS health, IP reputation, web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence, as described on their website.
SecurityScorecard takes into account all of an organization’s discoverable external-facing assets, the issues associated with those assets, and the severity of the threats found, and from these determines a score for each organization. The scores are graded on a cybersecurity risk rating scale that uses letter grades from A to F.
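To make the two scoring descriptions above concrete, here is an added illustration (not code from BitSight, SecurityScorecard, or the original article) of how outside-in findings could be aggregated by severity, frequency, duration, and attribution confidence into a 250–900 rating and then mapped to an A–F letter grade. The severity weights, frequency and duration caps, grade thresholds, risk-factor names, and sample findings are all assumptions constructed for this example; neither vendor publishes its actual model, and this does not attempt to reproduce it.

```python
"""Constructed illustration of aggregating outside-in security findings into a
rating. Weights, caps, thresholds and sample data are assumptions for this
example only; they are NOT BitSight's or SecurityScorecard's proprietary models."""

from collections import defaultdict
from dataclasses import dataclass

# Hypothetical severity weights (assumption, not a vendor scale).
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}

# Numeric scale described for BitSight-style ratings: 250 (worst) to 900 (best).
SCORE_MIN, SCORE_MAX = 250, 900

# Letter-grade floors (assumption) for a SecurityScorecard-style A-F grade.
GRADE_THRESHOLDS = [(800, "A"), (700, "B"), (600, "C"), (500, "D")]


@dataclass(frozen=True)
class Finding:
    """One externally observable issue attributed to the rated organization."""
    factor: str        # risk-factor group, e.g. "dns_health", "patching_cadence"
    severity: str      # key into SEVERITY_WEIGHT
    occurrences: int   # frequency: how many distinct times the issue was observed
    days_open: int     # duration: how long the issue has persisted
    confidence: float  # 0.0-1.0: how sure we are the asset really belongs to the org


def finding_penalty(f: Finding) -> float:
    """Combine severity, frequency, duration and confidence into one penalty.

    Frequency is capped so one noisy sensor cannot dominate the rating;
    duration adds one step per 30 days open, capped at 90 days; confidence
    scales the whole penalty so probably mis-attributed assets weigh less.
    """
    if not 0.0 <= f.confidence <= 1.0:
        raise ValueError("confidence must be within [0, 1]")
    severity = SEVERITY_WEIGHT[f.severity]
    frequency = min(f.occurrences, 10)
    duration = 1 + min(f.days_open, 90) // 30          # 1..4
    return severity * frequency * duration * f.confidence


def penalty_by_factor(findings):
    """Sum penalties per risk-factor group, for a per-factor breakdown."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.factor] += finding_penalty(f)
    return dict(totals)


def numeric_rating(findings) -> int:
    """Map total penalty onto the 250-900 scale; no findings yields 900."""
    total = sum(penalty_by_factor(findings).values())
    return max(SCORE_MIN, round(SCORE_MAX - total))


def letter_grade(score: int) -> str:
    """Map a numeric rating onto an A-F letter grade using assumed floors."""
    for floor, grade in GRADE_THRESHOLDS:
        if score >= floor:
            return grade
    return "F"


# Constructed sample findings for one fictional organization.
SAMPLE_FINDINGS = [
    Finding("patching_cadence", "high", occurrences=3, days_open=45, confidence=1.0),
    Finding("dns_health", "medium", occurrences=1, days_open=10, confidence=0.9),
    Finding("endpoint_security", "critical", occurrences=2, days_open=100, confidence=0.5),
]

if __name__ == "__main__":
    score = numeric_rating(SAMPLE_FINDINGS)
    print(f"Per-factor penalty: {penalty_by_factor(SAMPLE_FINDINGS)}")
    print(f"Rating: {score} ({letter_grade(score)})")
```

The confidence term is the part worth noting: it is the numeric counterpart of the asset-attribution problem the article mentions, since a finding on an IP range that may not belong to the organization is discounted rather than counted at full weight. The per-factor breakdown mirrors the risk-factor grouping that SecurityScorecard's methodology describes.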