Improving Your Security Score
This guide provides a prioritized, actionable roadmap for improving your ShadowMap Security Rating. Actions are organized by impact and effort — start with quick wins, then work through medium-term and ongoing improvements.
Start with Recommendations
The fastest path to score improvement is the Recommendations tab on your Security Rating page. Each recommendation shows:
- Estimated Score Impact — how many points you'll gain
- Severity — Critical, High, Medium, or Low
- Affected Count — how many assets are impacted
Work through recommendations top-to-bottom. The highest-impact items are listed first.
Quick Wins (Days)
These actions typically take hours to days and can have immediate score impact on the next daily recalculation.
1. Renew Expiring SSL Certificates
Category affected: Encryption & Certificates (10% weight)
Expired or soon-to-expire certificates trigger a critical penalty (up to 30 points deducted from the category). Check SSL Certificates for any certificates expiring within 30 days and renew them.
2. Configure DMARC on Your Domains
Category affected: Email & DNS Security (10% weight)
If your primary domains lack DMARC enforcement, your Email & DNS Security score is significantly penalized. DMARC is scored on coverage — the percentage of your monitored domains that have DMARC records.
- Start with p=none to monitor without blocking
- Analyze DMARC reports for 2-4 weeks
- Move to p=quarantine, then p=reject
SPF and DKIM contribute 30 points each; DMARC contributes 40 points.
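To track where each domain sits in the p=none, p=quarantine, p=reject rollout, you can classify its published _dmarc TXT record. The following is an added example, not ShadowMap code: the domains and records are constructed sample data, and the coverage function is an assumed reading of "percentage of monitored domains that have DMARC records".

```python
# Added example: DMARC rollout stage per domain, from constructed TXT records.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    if not txt:
        return None
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: v=DMARC1 must come first; this sketch also requires a known p= value.
    if parts[0].replace(" ", "") != "v=DMARC1" or tags.get("p", "").lower() not in POLICIES:
        return None
    return tags

def rollout_stage(txt):
    """Map a record to 'missing', 'none', 'quarantine' or 'reject' (with pct if partial)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"
    policy = tags["p"].lower()
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # pct defaults to 100 when absent
    if policy != "none" and pct < 100:
        return f"{policy} (pct={pct})"  # policy applies to only part of the mail
    return policy

def coverage(records):
    """Assumed metric: percentage of domains with a valid DMARC record of any policy."""
    valid = sum(1 for txt in records.values() if parse_dmarc(txt))
    return round(100 * valid / len(records)) if records else 0

# Constructed sample: what a lookup of _dmarc.<domain> TXT might return.
SAMPLE = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "example.edu": "v=spf1 -all",  # an SPF record published in the wrong place
    "example.test": None,          # no _dmarc TXT record at all
}

if __name__ == "__main__":
    for domain, txt in SAMPLE.items():
        print(f"{domain:14} {rollout_stage(txt)}")
    print(f"DMARC coverage: {coverage(SAMPLE)}%")
```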
3. Close Unnecessary Open Ports
Category affected: Network Security (15% weight)
ShadowMap flags 23 high-risk ports including FTP (21), SSH (22), RDP (3389), SMB (445), SNMP (161), and database ports (3306, 5432, 1433, 27017). Any high-risk port with open alerts in the last month triggers a 30-point penalty.
Review open ports in Alerts and close any that don't have a business justification.
4. Action Existing Findings
All categories
Simply acknowledging and actioning findings improves your score. The Action Rate component awards:
- 50 points when 80%+ of findings are actioned
- 30 points when 50-79% are actioned
- 0 points when below 30% are actioned
Navigate to Alerts, review findings, and mark them as Investigating, Accepted Risk, or Resolved as appropriate.
Medium-Term (Weeks)
5. Patch Critical CVEs
Category affected: Vulnerability Management (20% weight — the highest)
Vulnerability Management is the single most impactful category. Unactioned critical CVEs trigger a 30-point critical penalty. Focus on:
- CVEs in CISA's KEV catalog (confirmed exploited in the wild)
- Critical-severity CVEs (10x multiplier in scoring)
- High-severity CVEs (6x multiplier)
6. Remove Exposed Code Repositories
Category affected: Data Exposure (10% weight)
Leaked code with credentials, API keys, or internal URLs is a high-severity Data Exposure finding. Check Code Repositories and:
- Revoke any exposed credentials immediately
- Contact repository owners to remove sensitive content
- Note: removing a secret from the current branch doesn't remove it from git history
7. Request Takedowns for Phishing Sites
Category affected: Brand Protection (8% weight)
Active phishing sites impact your Brand Protection score. Navigate to Phishing & Impersonations and request takedowns for confirmed phishing sites.
8. Add Security Headers
Category affected: Application Security (12% weight)
Missing security headers are a common source of Application Security score penalties. Add these headers to your web applications:
- Content-Security-Policy (CSP)
- Strict-Transport-Security (HSTS)
- X-Frame-Options
- X-Content-Type-Options
- Remove server version headers
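To verify the result before the next recalculation, you can audit a response's headers against the list above. This is an added example, not ShadowMap's own check: both header sets are constructed, the value checks (HSTS max-age, nosniff, DENY/SAMEORIGIN) are assumptions about what a sound configuration looks like, and treating X-Powered-By as a version header is likewise an assumption.

```python
import re

# Added example: audit one HTTP response's headers for the items listed above.
REQUIRED = ("Content-Security-Policy", "Strict-Transport-Security",
            "X-Frame-Options", "X-Content-Type-Options")

def audit_headers(headers):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = [f"missing {name}" for name in REQUIRED if name.lower() not in h]

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) == 0:  # max-age=0 tells browsers to drop HSTS
            findings.append("Strict-Transport-Security has no effective max-age")
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    # Version disclosure: any digit in the value, as in "nginx/1.18.0".
    for name in ("server", "x-powered-by"):
        if re.search(r"\d", h.get(name, "")):
            findings.append(f"{name} header discloses a version")
    return sorted(findings)

# Constructed sample responses (not captured from a real site).
WEAK = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.3",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=0",
}
HARDENED = {
    "Server": "nginx",
    "content-security-policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(sample) or "no findings")
```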
Ongoing Practices
9. Force Password Resets for Breached Accounts
Category affected: Dark Web & Threat Intelligence (15% weight)
Each set of credentials found in breach databases or stealer logs affects your Dark Web score. When new breaches are detected:
- Identify affected users
- Force password resets
- Enable MFA on affected accounts
- Mark findings as actioned in ShadowMap
10. Connect Cloud Sources
Category affected: Multiple
Cloud Sources ensure ShadowMap has complete visibility into your cloud assets. Missing assets mean missing findings, which can lead to sudden score drops when they're eventually discovered.
11. Set Up SLA Policies
All categories
SLA Policies drive accountability for finding response times. Consistently meeting SLAs demonstrates mature security operations and keeps your Action Rate high across all categories.
12. Monitor Score Changes Weekly
Check the History tab weekly to catch score drifts early. The score change attribution shows exactly which findings drove changes, so you can respond before issues compound.
Understanding Why Your Score Dropped
If your score dropped unexpectedly, investigate in this order:
- Check the Scorecard tab — which category scores dropped?
- Check Alerts — filter by "New" status and last 7 days to see recent findings
- Check Dark Web — new breach data can cause sudden Dark Web score drops
- Check SSL Certificates — a certificate that just expired will drop your Encryption score
- Check the Recommendations tab — new recommendations will point to specific issues
Related
- How Scoring Works — Full methodology deep dive
- Security Rating & Scorecard — Main security rating page
- Benchmarking — Compare against peers
