SecurityScorecard Reviews

SecurityScorecard performs deep analysis over the exposed view of data. It creates an external IT assessment of the company in terms of domain and vendor reports. Essentially, it scans the company's landscape, trying to find vulnerabilities and exposed data that may cause digital risks.

With SecurityScorecard, the most valuable feature is the ability to identify if third parties or vendors have digital threats that may impact our company. It also scans all internal domains and IPs to find vulnerabilities in the digital landscape. The continuous monitoring capabilities have been beneficial by providing ongoing assessments of potential risks.       

The pricing of the product needs improvement in Brazil.

I have been using SecurityScorecard for the past year.

As for stability, it's 99.99% stable.

The scalability of SecurityScorecard is really easy. If the user starts with twenty domains and needs to double, it's already in the platform one just needs to flag a button.

They work pretty fast and have full knowledge of the solution. Personally, I've never had a problem with them. Sometimes there's a little delay because they need to investigate further, but overall, I'm pleased with their support.

Positive

The initial setup of SecurityScorecard is very easy because it's a SaaS solution. Deployment time depends on the number of companies to be monitored; for fifteen to thirty companies, it might take two or three days, or up to a week.

The vendor helps users deploy the solution and set up functionalities, making it straightforward. Usually, three to four people are involved. The vendor assigns a Customer Success Manager to the end user, who acts as the focal point for support, new questions, and functionalities.

The best ROI with SecurityScorecard is when the end user identifies that their vendors or third parties have digital threats that need to be addressed promptly. Preventing digital threats and data leakage from vendors and partners is the best ROI. 

The pricing of SecurityScorecard is fair. I would rate it a seven. It's a bit more on the expensive side. In Brazil, for example, making a payment to the vendor involves wire transfers and high taxes, making it more expensive. Selling SecurityScorecard or any American vendor's product in the United States is very different from selling in South America or Brazil.

Overall I would rate the solution a nine out of ten. 

This tool is a platform for monitoring and assessing the security posture of organizations and also helps to improve the posture by recommendations

This tool is a platform for monitoring and assessing the security posture of organizations and also helps to improve the posture by recommendations

Security Ratings, Continuous Monitoring, & Benchmarking are most useful

SecurityScorecard's technical team's response time is an area that my company expects to be made faster. As per the tool's SLAs, three days is way too much time for a user to wait for a response.

SecurityScorecard is an online scanning tool. Apart from the web scanning feature, SecurityScorecard should be available for use on Android or iOS for app scanning purposes and then provide a status to the user.

From the perspective of a customer, I would always want the price of the solution to be on the cheaper side.

I have been using SecurityScorecard for more than two years.

Stability-wise, I rate the solution a nine out of ten.

Around three to four people in my company use the product.

My company has no plans to increase the use of the solution.

Apart from the delay in response time, I am happy with SecurityScorecard's technical team.

I rate the technical support an eight out of ten.

Positive

Long ago, my company used to use another solution.

I rate the product's initial setup phase a nine on a scale of one to ten, where one is a difficult setup phase, and ten is an easy setup process.

The solution is deployed on a multi-hybrid cloud.

The solution can be deployed in hardly two or three hours.

SecurityScorecard has improved our company's vendor risk assessment process since it basically gives us the comparison of the competitors and certain vulnerabilities which we can report from an external view or a third party view, giving us an improvement area to work on, which might we might not have focused a lot, or maybe it might be overlooked upon by us. SecurityScorecard helps our company get better scores. The tools help fix the vulnerabilities, which in turn improves scores, making it a valuable product for us.

A scenario where SecurityScorecard enabled better decision-making for IT projects includes an incident involving a couple of domain names that my company used to use in the past since sometimes we see that some applications were replicated. My company forgot to clean up the DNS names. Once my company gets to know from SecurityScorecard that our application has vulnerabilities, I may not have renewed the certificate considering that the application is no longer in use, owing to which our company might lose track of it, during which SecurityScorecard helps us to do the cleanup. There are many places where the right certificates are not installed, or maybe there is a small application vulnerability, which the tool can catch from the external view. This can be let known to our company since there is an action we take to fix such areas.

Our company operates in the online classified market.

The features of SecurityScorecard that are the most beneficial for security monitoring are the reports generated with the help of external audit and vulnerability assessment.

The platform's grading system helps prioritize our company's security concerns since it helps us in the area of scores and provides the competition score. The tool also provides recommendations to improve the scores, which is helpful.

In the identification of potential threats, SecurityScorecard helps our organization since it does black box analysis. With the black box analysis, the tool helps us in the area of external websites where we cannot do many things directly, after which the tool shares an unbiased status with our company.

SecurityScorecard's reporting capabilities support our company's compliance initiatives since it has a dashboard with credentials through which we can get the vulnerabilities reported. The product should provide an option so that it has the ability to fix the reported vulnerability at the same time that it is reported by allowing users to raise a ticket directly with SecurityScorecard's team. After the aforementioned steps are followed, SecurityScorecard can conduct a scanning process and add up the score, which basically gives me the complete trend by allowing me to say last month's trend versus the current month's trend or maybe the last scan versus the current month's scan.

I would tell those who plan to use the solution that it is a straightforward product to use.

I rate the product a nine out of ten.

We were asked by a customer to respond to issues raised on the platform regarding our security score. 

We are using the free offering at the moment. For something that was not part of our selection, I would like to have more features available. In that context, the paid subscription is pricey for an organization of our size.

As the approach is widely automated information gathering, there is a wide gap from free to paid which makes it hard for smaller organizations to get better security awareness. There is always the notion that a breach is expensive, however, that does not mean vendors can collect anything they like in terms of pricing. It has to be reasonable.

They freshly introduced Attack Surface Index where you can search for specific software in their database. The free tier got a bunch of requests for free to get a feel of the feature. It was very nice to snoop around to find out who has which vulnerability listed or how many vulnerable exchange boxes are out there in France still running on Exchange 2013. The feature went into paid tier after a period. 

With SecurityScorecard we gained more insight into our security footprint. The platform does very little to help with issues. Maybe that is for paid subscribers. Every so often, issues are re-surfacing and you have to re-explain everything. 

Don't get me wrong, although it is not very nice to have security issues (or symptoms of such) thrown at you, it is nicer than some ransom demand.

With its automated approach, nothing is missed on the IPs your organization is related to. Still, it is extra work. We use the findings as a todo-list whenever something pops up. 

In the past months, we had success at removing findings that are not our own like the Skype for business-IP hosted by Microsoft.

We had some findings regarding open ports after publishing systems on public IPs. We found out that way the firewall opens several ports for every public IP when enabled. Now we can disable these pro-active.

You can have notifications for changes in your score. It really helps to not have to come back every now and then to look score changes up.

I also like the report options in place. They could be more configurable but there will always be disagreement on reporting options.

You can also invite team members to help solve problems. 

It's good for a security solution. You can protect your logins with MFA.
We use the findings as a means to keep third parties up-to-date by forwarding reports to them so they can see we are able to track every vulnerability.

There could be more information in regards to solving problems like hints on what specifically to look for.

There should be the option to split responsibility for certain areas. This would be mandatory if we want to invite external consultants to look at things together. 

As mentioned above, the pricing for a paid subscription is too high for "just" a monitoring platform. 

They don't fix your issues. Instead, you have to come up with a good explanation of why things are the way they are. Small teams might not have the patience to re-submit closure of issues due to the fact that the explanation for the issue is not accepted.

We have been working with the service for over three years now.

We had no issues with stability so far. There is no high-volume traffic going on when using it. We discovered that login requires disabling the "no-tracking"-option in MS Edge Browser.

It's a web-based service. There should be no issue with scalability.

It's not the most responsive technical support so far. Most issues are not fixed in an hour. Users shouldn't expect confirmation to be there at that time. If you expect 1-3 days you are well-positioned with a no-fee service.

The response quite improved on most inquiries over the last year.

Positive

We did not previously use a different solution.

The initial setup is easy. You just log in with your work email. That's it.

I suspect that no one was tasked with security to onboard here. 
As their database already has all your public outings (IT-wise) there is nothing to set up, really. Just register and claim your tenant, invite your team and your set.

Don't forget to enable MFA!

There is no ROI for a free tier. We would need to provide an explanation about paid subscriptions for just a security ticket system in the cloud.

They already have set up for most organizations with their security footprint gathered from WHOIS, DNS, and other sources. Therefore, no setup cost would be reasonable. The pricing could be split into a lower-paid tier for smaller organizations and another higher tier for others with a more security-focused outlook. $1000 per month is more than some companies pay for their internet connections in total.
UPDATE: they have a new 400$ a month tier for starters.

They cover the complete IPv4 address space with their own sensor network.

They change their perspective on what actually impacts your score over time which you should be aware in order to get no surprises when your score drops suddenly. But that is a very transparent process with a heads-up on what to expect by the new scoring mechanism. Our score got dumped once and is now back on the same level. 
A lot of the findings are open for discussion (you can claim that is not a finding within good reason). They hear you out and some of the new scorings are in answer to customer requests (as I see it - could be mistaken though).

We were forced (or rather, invited) to use that solution by a customer.

Don't expect answers for closing issues right away. There are still people involved who re-check the issues for proper fixes and if your explanation for "that's no issue" is acceptable.

Resolve time improves if you state a link to sites that proof your changes like https://redirect-checker.org/ or https://httpstatus.io/.
Just like with AI, context enriches the issue for the one handling it, making it easier to speak of the same things, which is not always easy.

Look for integrations into other systems. Maybe you can tap into your XDR for Securityscorecard to get more data and have a better view of your exposure.

We use SecurityScorecard for reporting. 

The solution helps identify our environment's vulnerabilities. 

SecurityScorecard's most valuable feature is easy reporting. 

The tool needs to have the ability to mitigate vulnerabilities with alternative solutions. 

I have been working with the solution for three years. 

I rate SecurityScorecard's stability a seven out of ten. 

I rate the solution's scalability a seven out of ten. 

SecurityScorecard's deployment is easy. 

I have seen ROI with the tool's use but cannot quantify it. 

I rate the product a seven out of ten. 

SecurityScorecard is primarily used for supply chain risk management.

The product is included in our portfolio as we are a cybersecurity distributor.

The features customers are most interested in are third and fourth-party vendor analysis and questionnaires.

The product got onboarded a couple of months ago.

No one complained about the stability.

The ones that tried it liked it, although some wanted a different solution.

The initial setup takes just a couple of days and doesn't require any installation.

I'd rate the solution eight out of ten.