SecurityScorecard is used across healthcare, financial services, retail, and hospitality. It is also being adopted in the services industry, including by CPAs and legal firms.
MAX Managed Service
SecurityScorecardExternal reviews
98 reviews
from
and
External reviews are not included in the AWS star rating for the product.
Continuous vendor risk insight has improved cloud visibility but still needs fresher data
What is our primary use case?
What is most valuable?
SecurityScorecard continuously scans just about every IP address out there, which means there is information available about virtually every company. For third-party risk management, this tool allows me to obtain that information without having to build my own database from scratch using tools that do not provide this capability. The information is readily available and accessible. SecurityScorecard also provides substantial insight and detailed information specifically about how secure companies' cloud environments are, allowing for quick identification of issues with authentication or other areas.
There are both advantages and disadvantages to their approach. The continuous scanning of companies all the time ensures that there is always current information available about the third-party vendors and companies being monitored. However, the downside is that the information may be several days old, so it is not always current. Despite this limitation, using SecurityScorecard enabled us to obtain information about every one of our third parties that our clients are interested in monitoring.
My focus has been primarily on third-party risk. The automated alerts allow us to receive feedback as they update their information and when something comes up, which impacts the risk rating for each vendor or third party.
What needs improvement?
The ability to perform an automatic scan at any point in time to refresh information and provide the most current data would be helpful. Setting up automated scans on a schedule where information is more than a week old so that a forced automatic scan could be triggered for a particular company would be beneficial. This would ensure that current information is being used when monitoring different clients.
Overall, SecurityScorecard is a good product, and they need to continue developing it. There are challenges around third-party risk management. When providing risk management for your own company, it does everything you want it to do. However, for managing third parties, there are still some challenges, mainly because some aspects are out of their control since you do not have control over another company's risk or infrastructure and cannot dictate whether they are making changes. Overall, SecurityScorecard provides good information, but I am always looking for something that is more automated and would provide a better and more detailed picture of third-party risk profiles.
For how long have I used the solution?
I have used or evaluated SecurityScorecard on and off for the last eight years, and I have clients that leverage and use it on a regular basis. I would say I am certainly familiar with it over the last ten years, using it intermittently, so at least five years of consistent experience.
How are customer service and support?
I do not rate many software companies highly on the support side. I would give SecurityScorecard about a seven out of ten. They could improve in terms of response time and other areas, but they are not terrible.
How would you rate customer service and support?
Positive
How was the initial setup?
SecurityScorecard can be complex during setup, and I would recommend that anyone implementing it get help setting it up because it is not as straightforward as people might think. Getting third parties set up and configuring how you will do that and what you will search for can be complicated. Unfortunately, many clients today are looking for a button to push with everything being done for them automatically. I would recommend using third-party assistance in getting things set up the way you want.
What's my experience with pricing, setup cost, and licensing?
The setup cost is a little higher than some of the other products out there. However, SecurityScorecard has a lot of features, so they are fairly competitive.
Which other solutions did I evaluate?
Other than their dashboards, which have a lot of information and are set up quite nicely, SecurityScorecard provides granular and more detailed information than some other products, specifically regarding cloud capabilities. Much of the functionality you are starting to see in many products is being offered by SecurityScorecard. SecurityScorecard has been around longer than many of the other solutions, and they have many built-in capabilities that some other solutions are just starting to implement now.
What other advice do I have?
For remediation efforts, SecurityScorecard helps by identifying third-party suppliers where risk ratings are going up. Because I use it for third-party monitoring, we watch third parties and SecurityScorecard identifies when there is another potential risk that has affected their rating level. I can then alert my clients that they have a vendor that is potentially at risk, giving us the opportunity to react faster.
I am not a formal partner with the company yet, but we do conduct evaluations on behalf of our clients. I give SecurityScorecard a seven out of ten overall rating.
Continuous monitoring has strengthened our external posture and improved cyber insurance decisions
What is our primary use case?
My main use case for SecurityScorecard is that most of the time, the customer is looking for a solution which can provide all vulnerabilities and rate, security rate, and it also performs scanning of their domain, subdomain, and IP address. Customers can easily determine what weak passwords and policy configurations exist and can easily find out vulnerabilities.
A specific example of how a customer has used SecurityScorecard to solve a problem is that I have given SecurityScorecard to multiple customers, and they were looking to understand what vulnerabilities they have and what ratings they have.
I must add that SecurityScorecard continuously monitors the cybersecurity posture of the vendor, supplier, partner, SaaS platform, and others. Most of the time, the customer does not know what ports are open and whether they are exposed to vulnerabilities or weak SSL, TLS configuration, or malware signals, or misconfigured DNS. They also do not know whether their credentials are leaked. SecurityScorecard can help with this. For external attack surface monitoring, it is very useful.
What is most valuable?
The best features SecurityScorecard offers are cyber insurance underwriting and risk scoring, which I think are the best use cases, where the customer can easily reduce underwriting time and detect sudden posture changes.
Regarding how the risk scoring and cyber insurance features help my customers, they help detect sudden posture changes and evaluate the cyber hygiene of insured entities and price policies.
I would also add that it provides value for security posture management and executive reporting. It provides simple, visual, letter grade, and easy to explain metrics and score histories. Regarding the value it provides, it converts complex security issues into business-friendly language, which helps executives and the board understand cyber risk. It supports governance and risk metrics. Compliance support and auditing provide continuous monitoring, showcasing external posture over time, detecting misconfiguration that violates standards, and help with frameworks such as NIST 800 and ISO 27001, PCI DSS, HIPAA, DORA, and SOC 2.
SecurityScorecard has positively impacted my organization and my customers by providing numerous benefits. Customers easily obtain the score, which is a use case I value greatly. Customers can easily determine what ports are open and many other things so that they can secure their DNS, applications, and networks effectively.
My customers have seen measurable outcomes and specific improvements, as they have improved compliance and security with the help of SecurityScorecard.
What needs improvement?
SecurityScorecard can be improved. As it currently stands, it does a good job monitoring public-facing devices and the internet and DNS. If SecurityScorecard could also help their customers internally by developing their tool or feature so that customer devices that are not only public-facing can be monitored, it would be more beneficial.
For how long have I used the solution?
I have been using SecurityScorecard for the last five to six years.
What do I think about the stability of the solution?
SecurityScorecard is stable.
What do I think about the scalability of the solution?
The scalability of SecurityScorecard is fine, and there is no challenge with its scalability. As of now, I have not faced any issues with the scalability of SecurityScorecard.
How are customer service and support?
Customers are getting good support 24/7 from SecurityScorecard. I would rate the customer support for SecurityScorecard nine out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Previously, customers were sometimes using FireCompass and sometimes different tools, and some customers were net new, fresh customers using SecurityScorecard for the first time. The payback period of SecurityScorecard is less than six months from an ROI perspective. Sometimes the customer evaluates other options such as FireCompass before choosing SecurityScorecard.
How was the initial setup?
My experience with pricing, setup cost, and licensing is that pricing is acceptable as per the Indian market.
What about the implementation team?
As of now, the customer is happy, and I have not seen any complaints from the customer regarding purchasing SecurityScorecard.
What was our ROI?
When I talk about the return on investment with SecurityScorecard, the customer feedback shows that it is good from an ROI perspective. I have observed that the customer is getting 176% ROI over three years, and they are happy with it.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing is that pricing is acceptable as per the Indian market.
Which other solutions did I evaluate?
Sometimes the customer evaluates other options such as FireCompass before choosing SecurityScorecard.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Vendor risk monitoring has strengthened our security posture and reduced insurance costs
What is our primary use case?
My main use case for SecurityScorecard is for vendor risk identification, along with active threat intel on our organization.
A quick example of how I use SecurityScorecard for vendor risk identification is when we wanted to onboard a vendor for a vulnerability management tool. One additional step during our due diligence in terms of security and compliance was to verify the SecurityScorecard and BitSight scorecard rating. Based on that rating, we were able to make an informed decision that the vendor is from a security-first organization that prioritizes security, which gave them an upper hand during the competitive bidding. The highest rating was one of the metrics during our review process.
We also utilize SecurityScorecard for active threat intel, so any security issues detected by SecurityScorecard pertaining to our organization are kept at the utmost priority, and we invest considerable time in fixing those security issues.
How has it helped my organization?
Since we onboarded SecurityScorecard, our organization has been positively impacted by significantly improving our security maturity. We rely on the results from SecurityScorecard to determine what prioritizations to make, alongside promoting a security-first culture in terms of our vendors.
I have seen measurable changes since starting with SecurityScorecard. When we began, our security score was a B, and after prioritizing many security issues and promoting a security-first mindset, we eventually achieved an A rating.
What is most valuable?
The best features SecurityScorecard offers, in my experience, include the technical mitigation along with a detailed graph on what exactly the security issue is. I also appreciate the feature where the vendor's security score is being published.
I particularly value the Jira integration, so any issue identified as part of the threat intel activity can be directly updated through our Jira. I also appreciate the automation feature where I receive daily notifications whenever there is a change in our risk.
What needs improvement?
In terms of improvements, I feel SecurityScorecard could enhance some of the integrations based on AI platforms, where I could receive suggestions from the AI tool regarding why SecurityScorecard rates specific issues as critical or high. Details on the technical mitigation would help my non-technical teams understand the security issues better.
I think improvements could be made on the reporting side as well, such as the ability to download customizable reports. While SecurityScorecard offers various kinds of reports now, they are limited to predefined formats. Having the ability to choose specific fields for an automated report would be very helpful.
For how long have I used the solution?
I have been using SecurityScorecard for a little over three years.
What do I think about the stability of the solution?
I find SecurityScorecard stable for our organization, as I have not encountered any downtime. I also appreciate the browser extension feature that identifies the SecurityScorecard score for any organization.
What do I think about the scalability of the solution?
We did not track the scalability metrics for SecurityScorecard. Although we faced some challenges during the initial onboarding with our vendor, the support team helped streamline everything for a very smooth experience.
How are customer service and support?
I have interacted with the customer support team from SecurityScorecard, and they have been very helpful throughout the onboarding process and continue to assist us with bi-monthly sync-up calls whenever we face issues with the platform regarding risk and how to improve our security score.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We did not previously use any other solutions before SecurityScorecard.
How was the initial setup?
SecurityScorecard is deployed in our organization using a hybrid cloud setup.
What was our ROI?
I have seen a return on investment, as we observed a significant improvement in our security scores. When we onboarded to SecurityScorecard, we were at a security score of B+, and based on the issues identified, we managed to move to A, resulting in a lower insurance premium cost for us and considerable cost savings overall, which made our management very pleased with the progress.
What's my experience with pricing, setup cost, and licensing?
Regarding my experience with pricing, setup cost, and licensing for SecurityScorecard, since it does not require active deployment on our side being a SaaS-first company, I expected slightly lower pricing. However, the sales insight was very helpful and contributed to a smooth onboarding process.
Which other solutions did I evaluate?
Before choosing SecurityScorecard, we evaluated BitSight Scorecard. SecurityScorecard offered better pricing and I found its UI excellent to use, so we decided to move to SecurityScorecard.
What other advice do I have?
My advice for others looking into using SecurityScorecard is that I truly appreciate the platform. It has been very helpful for our security journey, providing insights that enrich our vendor compliance processes, particularly during vendor onboarding where we review SecurityScorecard results for our vendors. I believe the platform is very beneficial for the company, and SecurityScorecard as a tool for vendor security management is essential for organizational development. I would rate this overall experience an 8 out of 10.
Cybersecurity Analyst
What do you like best about the product?
Support from team. I like the likelihoods reports to help us help our customers prepare for possible attacks.
What do you dislike about the product?
There is nothing I dislike about Security Scorecard.
What problems is the product solving and how is that benefiting you?
Security Scorecard is assisting me with ensuring I advise our customers of any possible vulnerabilities or breaches that could potentially impact their foot print.
The Gold Standard for Security Ratings
What do you like best about the product?
Its interface is deceptively simple with incredible functionality. I've rolled this out in three organizations, and EVERY time, it's found THE critical gaps (e.g.- expired SSL certificates). Daily use: it is my first dashboard check in the morning. PowerPoint Integration : Easily share insights with my leadership via PowerPoint.
What do you dislike about the product?
The very first setup had to do small adjustments not to score non-critical assets. It would help to have an onboarding wizard for this.
What problems is the product solving and how is that benefiting you?
It has also done away with self-assessment “security theater.” We are now trusted by our clients when it comes to rating and sales cycles within IT security has been reduced by 30%.
Industry Benchmarking at Its Best
What do you like best about the product?
It is very rare a platform can benchmark our security posture against our peers. It was extremely easy to implement and we were up and running in less than days. Completely game changing features like monitors for compromised credentials and DNS health checking. Proactive: Support will frequently suggest optimizations
What do you dislike about the product?
Sometimes scores will vary because of things like CDN outages which may cause unnecessary alerts. Another option would be a “pause monitoring” feature for maintenance windows.
What problems is the product solving and how is that benefiting you?
Our boardroom discussions have changed, and executives now hold leaders accountable when scores dip. The platform also allowed us to discover a cloud storage bucket misconfiguration before it could be exploited.
Objective Metrics for Security Posture
What do you like best about the product?
Since SecurityScorecard does not utilize any such data, the vendor ratings are impartial. The customers think of it as a no-brainer with one neutral benchmark. Understanding customer service & user-friendliness of platform (even for non-technical stakeholders).
What do you dislike about the product?
Ratings sometimes are unfairly strong about subjects a business cannot control (e.g. shared hosting providers) — More filters in data can be helpful
What problems is the product solving and how is that benefiting you?
It allows advisors to be more objective when discussing risk with clients by presenting hard data points on top of the perception. The audit process is faster, and the reliability and confidence of stakeholders are higher than they were prior to them.
External Vulnerability Management External Attack Surface
What do you like best about the product?
tHIS TOO IS A SIMPLE man when it comes to ease of use and an insane one for the depth. I rely on it daily for our public security posture and the MS Power BI integration (thru API's) allows simple dashboarding. This is another huge one, the amount of features dark web monitoring, IP reputation checks etc really does save us hours and hours compared to doing it all manually. Unmatchable customer service, every concern is catered in hours.
What do you dislike about the product?
The initial integration work was a bit hard because of some legacy systems we have here, but their team really helped us. The only issue is that it doesn't detect all the subdomains (so you must type them manually).
What problems is the product solving and how is that benefiting you?
It identified seen assets, but right now blind spots or new asset categories such as old test envs. It has greatly reduced our attack surface, and helps us out a lot in negotiations when it comes to cyber insurance.
Essential for Third-Party Risk Management
What do you like best about the product?
Connecting our score to the fullest third-party security risk exposure view One of the things that I found most amazing was just how much you can see about a vendors security posture and not get bogged down in the weeds of all the technical analysis. Streamline the risk categorization (DNS Health, Patching cadence etc) for better focus and correct prioritization of remediation efforts. We got help and updates so you can be timely.
What do you dislike about the product?
The issue is… as positive as those scores are, we do still occasionally see some false positives related to the baked-in risk of vendors with whom we have no leverage. Once we had dialed in some compliance settings to better meet our own Risk Profiles, it was fairly straightforward to set up. As such — if reporting can be made any more flexible (which would cover the last gap), it will already be extremely similar to how we segment workflow.
What problems is the product solving and how is that benefiting you?
For vendor risk assessments, the utility use 60% time savings over manual due diligence. Yet, to keep their defenses up they can set up automatic alerts for when ratings drop and address vulnerabilities head-on so changes are made before things become dire. It is already quite critical for the compliance reporting and C-Level Risk visibility.
Security Scorecard as TPRM
What do you like best about the product?
the security scorecard was Budget Friendly (Moderate Budget Friendly) , Dashboards were good , good correlation with CVE
What do you dislike about the product?
Not having any Customer support, Not doing Constant Scans , Real time scanning was not available,
What problems is the product solving and how is that benefiting you?
Security Card was doing very well in managing the Vendor Risks , So it benefiting us to understand that how much access or how we can have a controlled environment that our vendor risk does not affect security of our organization, Moreover the Security Card was monitoring the External attack surface of Our Organization but withstanding it was not much accurate still at one point of time it helps us to understand the Attack surface and According to Attack surface we were able to monitor our Outer facing environment, while working on the Security Scorecard it helps us understanding that this Vulnerability can impact how much to the score of the Organization and also in maintaining best score by giving remediation practices to us
showing 1 - 10