How ShadowMap Security Ratings Work
ShadowMap's Security Rating gives your organization a score from 0 to 100 and a letter grade (A through F) based on your externally visible security posture. This page explains the methodology behind the rating — what we measure, how we score it, and why.
Scoring Philosophy
ShadowMap evaluates your organization the way an attacker would — from the outside. We scan your external digital footprint across 20+ data sources and score what we find across eight security categories. The rating reflects what is externally observable, not your internal security controls.
Three principles guide the scoring:
- Severity matters — A single critical vulnerability has far more impact than ten low-severity findings
- Recency matters — Recent findings weigh more heavily than old ones
- Weak links matter — A catastrophic failure in one category can't be masked by excellence in others
The Eight Categories
Your overall score is composed of eight category scores, each weighted by its importance as a predictor of security risk:
| Category | Weight | What It Measures |
|---|---|---|
| Vulnerability Management | 20% | Unpatched CVEs, known vulnerabilities in your exposed services |
| Dark Web & Threat Intelligence | 15% | Data breaches, stolen credentials, ransomware group mentions, dark web discussions |
| Network Security | 15% | Open ports on high-risk services (RDP, SMB, FTP, databases), network-level alerts |
| Application Security | 12% | Missing security headers (CSP, HSTS, X-Frame-Options), web application misconfigurations |
| Encryption & Certificates | 10% | SSL/TLS configuration, expired certificates, weak cipher suites, self-signed certificates |
| Email & DNS Security | 10% | SPF, DKIM, DMARC configuration coverage, DNS security issues |
| Data Exposure | 10% | Leaked code repositories, exposed S3 buckets, Docker registries, API keys, sensitive files |
| Brand Protection | 8% | Phishing sites, fake mobile applications, domain squatting |
Vulnerability Management carries the highest weight (20%) because unpatched vulnerabilities are the single strongest predictor of breach risk. Brand Protection carries the lowest (8%) — while important for reputation, it is less directly exploitable than technical vulnerabilities.
How Category Scores Are Calculated
Each category contains one or more sub-modules (for example, Data Exposure includes code repositories, S3 buckets, Docker containers, leaked APIs, and leaked files). Each sub-module is scored independently, then combined into the category score.
Sub-Module Scoring
Every sub-module score is built from two components, each worth up to 50 points:
Action Rate (0–50 points) — Are you addressing findings?
| Action Rate | Points |
|---|---|
| 80%+ of findings actioned | 50 (full credit) |
| 50–79% actioned | 30 |
| 30–49% actioned | 10 |
| Below 30% | 0 |
| No findings at all | 50 (perfect score) |
Growth Rate (0–50 points) — Are findings growing or shrinking?
| Monthly Findings as % of Annual | Points |
|---|---|
| ≤ 10% (stable or declining) | 50 |
| 11–30% (moderate growth) | 20 |
| 31–50% (high growth) | 10 |
| > 50% (uncontrolled growth) | 0 |
Sub-module score = Action Rate + Growth Rate (0–100)
Severity Weighting
Not all findings are equal. Before counting, findings are weighted by severity:
| Severity | Multiplier | Impact |
|---|---|---|
| Critical | 10x | A single critical finding counts as much as 10 low findings |
| High | 6x | |
| Medium | 3x | |
| Low | 1x | Baseline |
This means one critical CVE has a much larger impact on your score than a dozen low-severity misconfigurations.
Recency Decay
Recent findings have more impact than older ones. ShadowMap applies time-based weighting:
| Time Bucket | Weight | Rationale |
|---|---|---|
| Last 30 days | 100% | Current, active risk |
| 1–3 months ago | 70% | Recent but potentially aging |
| 3–6 months ago | 40% | Declining relevance |
| 6–12 months ago | 15% | Historical context |
The deduction follows a logarithmic curve — your first few findings cause the biggest score drop, with diminishing impact as findings accumulate. This reflects reality: going from 0 to 3 critical findings is a much bigger risk change than going from 50 to 53.
Critical Penalties
Some findings trigger an immediate score penalty regardless of the standard formula:
- Any unactioned critical CVE in Vulnerability Management → 30-point deduction
- Any critical SSL issue (expired cert, broken chain) → 30-point deduction
- High-risk file exposures (.env, .sql, credentials) in the last month → 30-point deduction
These penalties ensure that the most dangerous exposures always surface in the score.
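The sub-module formula, severity multipliers, recency weights and 30-point critical penalty described above, carried through in code. This is an added example, not ShadowMap's own implementation; it assumes that the severity multiplier and recency weight combine into one per-finding weight used for the action rate, that the growth rate uses raw finding counts, and that findings older than a year drop out. The `Finding` class and function names are illustrative.

```python
from dataclasses import dataclass

# Severity multipliers from the Severity Weighting table.
SEVERITY_MULTIPLIER = {"critical": 10, "high": 6, "medium": 3, "low": 1}

@dataclass
class Finding:
    severity: str    # critical / high / medium / low
    age_days: int    # days since the finding was first observed
    actioned: bool   # has the organisation addressed it?

def recency_weight(age_days: int) -> float:
    """Time-bucket weight from the Recency Decay table."""
    if age_days <= 30:
        return 1.0
    if age_days <= 90:
        return 0.7
    if age_days <= 180:
        return 0.4
    if age_days <= 365:
        return 0.15
    return 0.0  # assumption: findings older than a year no longer count

def weight(f: Finding) -> float:
    """Assumption: severity multiplier and recency weight multiply together."""
    return SEVERITY_MULTIPLIER[f.severity] * recency_weight(f.age_days)

def action_rate_points(findings: list[Finding]) -> int:
    """0-50 points: weighted share of findings that have been actioned."""
    total = sum(weight(f) for f in findings)
    if total == 0:
        return 50  # no findings at all is a perfect score
    rate = sum(weight(f) for f in findings if f.actioned) / total
    return 50 if rate >= 0.80 else 30 if rate >= 0.50 else 10 if rate >= 0.30 else 0

def growth_rate_points(findings: list[Finding]) -> int:
    """0-50 points: last-30-day findings as a share of the last year (raw counts; assumption)."""
    annual = sum(1 for f in findings if f.age_days <= 365)
    if annual == 0:
        return 50
    share = sum(1 for f in findings if f.age_days <= 30) / annual
    return 50 if share <= 0.10 else 20 if share <= 0.30 else 10 if share <= 0.50 else 0

def sub_module_score(findings: list[Finding], critical_penalty: bool = False) -> int:
    """Action Rate + Growth Rate, minus the 30-point penalty when a critical trigger applies."""
    score = action_rate_points(findings) + growth_rate_points(findings)
    return max(score - 30, 0) if critical_penalty else score
```

With one fresh unactioned critical and nine old actioned lows, nine of ten findings are closed by count, yet the weighted action rate is about 26%, so the action component scores 0; this is the severity weighting the page describes.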
Combining Sub-Modules: Geometric Mean
When a category has multiple sub-modules, they are combined using a weighted geometric mean rather than a simple average.
Why geometric mean? It prevents strong sub-modules from masking catastrophic failures:
| Scenario | Arithmetic Mean | Geometric Mean |
|---|---|---|
| Scores: [100, 100, 100, 10] | 77.5 (B grade) | 56.2 (F grade) |
| Scores: [90, 90, 90, 90] | 90 (A grade) | 90 (A grade) |
| Scores: [100, 80, 60, 40] | 70 (C grade) | 65.6 (D grade) |
With arithmetic mean, a company could score a B grade while having one area in critical failure. The geometric mean ensures that one catastrophically weak area pulls the overall category score down — which accurately reflects how attackers exploit the weakest link.
Overall Score Calculation
Your final score is the weighted sum of all eight category scores:
Overall Score = Σ (Category Score × Category Weight)
For example:
| Category | Score | Weight | Contribution |
|---|---|---|---|
| Vulnerability Management | 85 | 20% | 17.0 |
| Dark Web & Threat Intelligence | 70 | 15% | 10.5 |
| Network Security | 90 | 15% | 13.5 |
| Application Security | 75 | 12% | 9.0 |
| Encryption & Certificates | 95 | 10% | 9.5 |
| Email & DNS Security | 60 | 10% | 6.0 |
| Data Exposure | 80 | 10% | 8.0 |
| Brand Protection | 100 | 8% | 8.0 |
| Overall | | 100% | 81.5 → 82 (B) |
Grade Scale
| Grade | Score | Interpretation |
|---|---|---|
| A | 90–100 | Excellent security posture. Minimal externally visible risk. |
| B | 80–89 | Good posture. Some improvements recommended but no critical gaps. |
| C | 70–79 | Fair posture. Meaningful gaps exist that should be addressed. |
| D | 60–69 | Poor posture. Significant risks requiring urgent attention. |
| F | 0–59 | Critical. Severe, unacceptable risk exposure. |
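The geometric-mean combination, the Σ (Category Score × Category Weight) sum and the grade bands from the three sections above, as an added example that is not ShadowMap's code. Sub-module weights within a category are not given on the page, so equal weights are the default; rounding half up and zeroing a category when any sub-module scores 0 are assumptions.

```python
from math import exp, floor, log

# Category weights from The Eight Categories table.
CATEGORY_WEIGHTS = {
    "Vulnerability Management": 0.20,
    "Dark Web & Threat Intelligence": 0.15,
    "Network Security": 0.15,
    "Application Security": 0.12,
    "Encryption & Certificates": 0.10,
    "Email & DNS Security": 0.10,
    "Data Exposure": 0.10,
    "Brand Protection": 0.08,
}
# Grade bands from the Grade Scale table: (lower bound, grade).
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]
# Category scores from the page's worked example (weighted sum 81.5 -> 82, B).
EXAMPLE_CATEGORY_SCORES = {
    "Vulnerability Management": 85, "Dark Web & Threat Intelligence": 70,
    "Network Security": 90, "Application Security": 75,
    "Encryption & Certificates": 95, "Email & DNS Security": 60,
    "Data Exposure": 80, "Brand Protection": 100,
}

def arithmetic_mean(scores) -> float:
    return sum(scores) / len(scores)

def weighted_geometric_mean(scores, weights=None) -> float:
    """Combine sub-module scores so one weak score drags the category down.
    Sub-module weights are not given on the page; equal weights are assumed."""
    if weights is None:
        weights = [1.0] * len(scores)
    if any(s <= 0 for s in scores):
        return 0.0  # assumption: log(0) is undefined, so a zero sub-module zeroes the category
    log_mean = sum(w * log(s) for s, w in zip(scores, weights)) / sum(weights)
    return exp(log_mean)

def overall_score(category_scores: dict) -> float:
    """Overall Score = sum(Category Score * Category Weight)."""
    return sum(category_scores[c] * w for c, w in CATEGORY_WEIGHTS.items())

def grade(score: float) -> str:
    """Letter grade after rounding half up (81.5 -> 82), matching the worked example."""
    rounded = floor(score + 0.5)
    return next(g for bound, g in GRADE_BANDS if rounded >= bound)
```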
How Often Scores Update
Security ratings are recalculated daily. The score you see reflects data from the most recent calculation cycle. In the ShadowMap UI, the date of the latest rating is shown next to your score.
When new scan data arrives (vulnerability scans, dark web monitoring, certificate checks), it flows into the next daily calculation. Score changes are tracked with attribution — you can see which specific changes drove your score up or down on the History tab.
Data Sources
ShadowMap aggregates data from 20+ upstream scanning and intelligence systems:
| Data Domain | Sources |
|---|---|
| Vulnerabilities | CVE database, vulnerability scanners |
| Network | Port scanners, service detection |
| Web Applications | Security header analysis, web crawling |
| SSL/TLS | Certificate transparency logs, SSL scanners |
| Email/DNS | DNS record analysis, SPF/DKIM/DMARC validation |
| Dark Web | Breach databases, stealer log repositories, forum monitoring, Telegram channels |
| Data Exposure | GitHub/GitLab scanning, S3 enumeration, Docker registry scanning, file leak detection |
| Brand | App store monitoring, phishing detection, domain registration monitoring |
Methodology Transparency
We believe security ratings should be explainable. If your score changes, you should be able to understand why. ShadowMap provides:
- Score change attribution on the History tab — see exactly which category and findings drove changes
- Recommendations ranked by estimated score impact — know which actions will improve your score the most
- Category breakdowns showing individual sub-module scores
- Risk indicator dots (High/Medium/Low) on each category card
Related
- Security Rating & Scorecard — Main security rating page
- Improving Your Score — Actionable guide to raising your grade
- Benchmarking — Compare against peers
