SecurityScorecard Reviews

My main use case for SecurityScorecard is for vendor risk identification, along with active threat intel on our organization.

A quick example of how I use SecurityScorecard for vendor risk identification is when we wanted to onboard a vendor for a vulnerability management tool. One additional step during our due diligence in terms of security and compliance was to verify the SecurityScorecard and BitSight scorecard rating. Based on that rating, we were able to make an informed decision that the vendor is from a security-first organization that prioritizes security, which gave them an upper hand during the competitive bidding. The highest rating was one of the metrics during our review process.

We also utilize SecurityScorecard for active threat intel, so any security issues detected by SecurityScorecard pertaining to our organization are kept at the utmost priority, and we invest considerable time in fixing those security issues.

Since we onboarded SecurityScorecard, our organization has been positively impacted by significantly improving our security maturity. We rely on the results from SecurityScorecard to determine what prioritizations to make, alongside promoting a security-first culture in terms of our vendors.

I have seen measurable changes since starting with SecurityScorecard. When we began, our security score was a B, and after prioritizing many security issues and promoting a security-first mindset, we eventually achieved an A rating.

The best features SecurityScorecard offers, in my experience, include the technical mitigation along with a detailed graph on what exactly the security issue is. I also appreciate the feature where the vendor's security score is being published.

I particularly value the Jira integration, so any issue identified as part of the threat intel activity can be directly updated through our Jira. I also appreciate the automation feature where I receive daily notifications whenever there is a change in our risk.

In terms of improvements, I feel SecurityScorecard could enhance some of the integrations based on AI platforms, where I could receive suggestions from the AI tool regarding why SecurityScorecard rates specific issues as critical or high. Details on the technical mitigation would help my non-technical teams understand the security issues better.

I think improvements could be made on the reporting side as well, such as the ability to download customizable reports. While SecurityScorecard offers various kinds of reports now, they are limited to predefined formats. Having the ability to choose specific fields for an automated report would be very helpful.

I have been using SecurityScorecard for a little over three years.

I find SecurityScorecard stable for our organization, as I have not encountered any downtime. I also appreciate the browser extension feature that identifies the SecurityScorecard score for any organization.

We did not track the scalability metrics for SecurityScorecard. Although we faced some challenges during the initial onboarding with our vendor, the support team helped streamline everything for a very smooth experience.

I have interacted with the customer support team from SecurityScorecard, and they have been very helpful throughout the onboarding process and continue to assist us with bi-monthly sync-up calls whenever we face issues with the platform regarding risk and how to improve our security score.

We did not previously use any other solutions before SecurityScorecard.

SecurityScorecard is deployed in our organization using a hybrid cloud setup.

I have seen a return on investment, as we observed a significant improvement in our security scores. When we onboarded to SecurityScorecard, we were at a security score of B+, and based on the issues identified, we managed to move to A, resulting in a lower insurance premium cost for us and considerable cost savings overall, which made our management very pleased with the progress.

Regarding my experience with pricing, setup cost, and licensing for SecurityScorecard, since it does not require active deployment on our side being a SaaS-first company, I expected slightly lower pricing. However, the sales insight was very helpful and contributed to a smooth onboarding process.

Before choosing SecurityScorecard, we evaluated BitSight Scorecard. SecurityScorecard offered better pricing and I found its UI excellent to use, so we decided to move to SecurityScorecard.

My advice for others looking into using SecurityScorecard is that I truly appreciate the platform. It has been very helpful for our security journey, providing insights that enrich our vendor compliance processes, particularly during vendor onboarding where we review SecurityScorecard results for our vendors. I believe the platform is very beneficial for the company, and SecurityScorecard as a tool for vendor security management is essential for organizational development. I would rate this overall experience an 8 out of 10.

There are both advantages and disadvantages to their approach. The continuous scanning of companies all the time ensures that there is always current information available about the third-party vendors and companies being monitored. However, the downside is that the information may be several days old, so it is not always current. Despite this limitation, using SecurityScorecard enabled us to obtain information about every one of our third parties that our clients are interested in monitoring.

My focus has been primarily on third-party risk. The automated alerts allow us to receive feedback as they update their information and when something comes up, which impacts the risk rating for each vendor or third party.

Overall, SecurityScorecard is a good product, and they need to continue developing it. There are challenges around third-party risk management. When providing risk management for your own company, it does everything you want it to do. However, for managing third parties, there are still some challenges, mainly because some aspects are out of their control since you do not have control over another company's risk or infrastructure and cannot dictate whether they are making changes. Overall, SecurityScorecard provides good information, but I am always looking for something that is more automated and would provide a better and more detailed picture of third-party risk profiles.

Positive

I am not a formal partner with the company yet, but we do conduct evaluations on behalf of our clients. I give SecurityScorecard a seven out of ten overall rating.

My main use case for SecurityScorecard is monitoring vulnerabilities that are affecting our domain.

The best features SecurityScorecard offers for me are mainly being able to properly position my organization's security posture because of the score that is provided. I am able to know if we are doing well by assigning the quality or assigning the security posture to a score. It helps put things into perspective for me and I am able to know to what extent a vulnerability exists and the level of threat and the level of information breach each vulnerability is associated with.

The score helps me to inform leadership where we truly are at with regards to our security posture as an organization. It is also able to help me prioritize which vulnerabilities to remediate, which is more important, and which one needs immediate attention. It also helps me paint the best picture of our security position to management.

SecurityScorecard helps my organization know how well we are performing with regards to our security posture, and we are able to close security gaps when they are raised in SecurityScorecard.

I realized that because my company was acquired by a bigger organization, SecurityScorecard started associating other portfolio company vulnerabilities to our score, which was not helpful because it was giving us wrong data and giving us vulnerabilities we did not have. When you dive deep, you realize that the vulnerabilities are not associated with our domain. If SecurityScorecard could improve anything, it would be making sure the algorithm pulls the right data for the right domain.

I have been using SecurityScorecard for two years.

SecurityScorecard is stable in my experience.

Customer support is timely. Anytime I have had to dispute anything with regards to our score or the vulnerabilities being highlighted on our domain, they address it within seventy-two hours and change or update the score.

A typical workflow includes logging into SecurityScorecard, seeing which vulnerabilities have been flagged with regards to my domain, and then working with the engineers to have those vulnerabilities mitigated. After that, I upload the evidence into SecurityScorecard so that it can be taken off our score.

One of the benefits I have realized while using SecurityScorecard was that there was a vulnerability with our website and with the insights we got from SecurityScorecard, we were able to take a better decision of building a custom website instead of going with the template we had at the time.

Initially, SecurityScorecard monitoring was being managed by my CISO. However, with the simplicity of the dashboard and the information and the data in SecurityScorecard, he was able to easily hand it over to me, who did not have any prior experience, and I was able to quickly get the hang of things. He did not have to supervise or step in again and he was able to totally hand it over to me.

If you want a simple dashboard that is easy to understand and lets you know the vulnerabilities affecting your domain, SecurityScorecard is a good product for that. I would rate this product eight out of ten.

My main use case for SecurityScorecard is to qualify the surface and the domain of the company, and to detect vulnerabilities or assess the protection made by my client.

I provide quick visibility into the vendor's external security posture to my clients. Another situation could be highlighting specific risk areas instead of just a general score. Additionally, I support data-driven conversations with stakeholders and vendors.

SecurityScorecard helps us identify potential vulnerabilities early, reduce third-party risk, and make more informed security decisions without relying only on questionnaires or self-reporting information.

SecurityScorecard positively helps us quickly assess vendor risks and understand an organization's external security posture without spending a lot of time on manual reviews. In particular, it helps us identify security gaps early, prioritize follow-up actions, and have more informed conversations with vendors and internal stakeholders.

In terms of measurable positives regarding risk reduction, we were able to identify high-risk vendors earlier, and we complete assessments thirteen or fourteen percent faster since we rely less on lengthy questionnaires and manual evidence collection.

SecurityScorecard could be improved with more detailed remediation guidance, better customization of scoring, and stronger integration with GRC and vendor management tools.

It could also use better reporting and alert customization as well as a more intuitive user interface.

I have been using SecurityScorecard for six months.

In my experience, SecurityScorecard is stable and operates faster without issues of downtime or reliability.

My experience with SecurityScorecard is that it is highly scalable and can handle more vendors or users as my organization grows.

We have support, and whenever I need it, my colleagues and I find that the support team is quick and responsive, helping to resolve any questions.

Positive

I previously used Azure or another solution called Socradar before switching to SecurityScorecard.

My experience with the pricing has been positive because the platform is robust and user-friendly, and the setup was straightforward. Regarding licensing, my organization has a limitation on the number of domains or vendors we can integrate, but it depends on the type of license that I have.

We have seen a clear return on investment, and in terms of the metrics, the time saver is in the reduction of time spent.

Before choosing SecurityScorecard, we evaluated other vendors such as Azure and Socradar, but we chose SecurityScorecard for the pricing.

My advice would be to take full advantage of the continuous monitoring and vendor insights, explore the dashboards and alerts early, and understand the license limits, specifically regarding the number of domains or vendors you can track or add in the dashboard for monitoring.

We are a partner with SecurityScorecard.

I think the interview could improve by involving discussions on how to assess other companies with risks in different areas.

I would appreciate a short poem or haiku that summarizes this review. I have provided a review rating of eight out of ten.

My main use case for SecurityScorecard is that most of the time, the customer is looking for a solution which can provide all vulnerabilities and rate, security rate, and it also performs scanning of their domain, subdomain, and IP address. Customers can easily determine what weak passwords and policy configurations exist and can easily find out vulnerabilities.

A specific example of how a customer has used SecurityScorecard to solve a problem is that I have given SecurityScorecard to multiple customers, and they were looking to understand what vulnerabilities they have and what ratings they have.

I must add that SecurityScorecard continuously monitors the cybersecurity posture of the vendor, supplier, partner, SaaS platform, and others. Most of the time, the customer does not know what ports are open and whether they are exposed to vulnerabilities or weak SSL, TLS configuration, or malware signals, or misconfigured DNS. They also do not know whether their credentials are leaked. SecurityScorecard can help with this. For external attack surface monitoring, it is very useful.

The best features SecurityScorecard offers are cyber insurance underwriting and risk scoring, which I think are the best use cases, where the customer can easily reduce underwriting time and detect sudden posture changes.

Regarding how the risk scoring and cyber insurance features help my customers, they help detect sudden posture changes and evaluate the cyber hygiene of insured entities and price policies.

I would also add that it provides value for security posture management and executive reporting. It provides simple, visual, letter grade, and easy to explain metrics and score histories. Regarding the value it provides, it converts complex security issues into business-friendly language, which helps executives and the board understand cyber risk. It supports governance and risk metrics. Compliance support and auditing provide continuous monitoring, showcasing external posture over time, detecting misconfiguration that violates standards, and help with frameworks such as NIST 800 and ISO 27001, PCI DSS, HIPAA, DORA, and SOC 2.

SecurityScorecard has positively impacted my organization and my customers by providing numerous benefits. Customers easily obtain the score, which is a use case I value greatly. Customers can easily determine what ports are open and many other things so that they can secure their DNS, applications, and networks effectively.

My customers have seen measurable outcomes and specific improvements, as they have improved compliance and security with the help of SecurityScorecard.

SecurityScorecard can be improved. As it currently stands, it does a good job monitoring public-facing devices and the internet and DNS. If SecurityScorecard could also help their customers internally by developing their tool or feature so that customer devices that are not only public-facing can be monitored, it would be more beneficial.

I have been using SecurityScorecard for the last five to six years.

SecurityScorecard is stable.

The scalability of SecurityScorecard is fine, and there is no challenge with its scalability. As of now, I have not faced any issues with the scalability of SecurityScorecard.

Customers are getting good support 24/7 from SecurityScorecard. I would rate the customer support for SecurityScorecard nine out of 10.

Positive

Previously, customers were sometimes using FireCompass and sometimes different tools, and some customers were net new, fresh customers using SecurityScorecard for the first time. The payback period of SecurityScorecard is less than six months from an ROI perspective. Sometimes the customer evaluates other options such as FireCompass before choosing SecurityScorecard.

My experience with pricing, setup cost, and licensing is that pricing is acceptable as per the Indian market.

As of now, the customer is happy, and I have not seen any complaints from the customer regarding purchasing SecurityScorecard.

When I talk about the return on investment with SecurityScorecard, the customer feedback shows that it is good from an ROI perspective. I have observed that the customer is getting 176% ROI over three years, and they are happy with it.

My experience with pricing, setup cost, and licensing is that pricing is acceptable as per the Indian market.

Sometimes the customer evaluates other options such as FireCompass before choosing SecurityScorecard.

My main use case for SecurityScorecard is to keep an eye on our vulnerabilities and also monitor which companies follow us in the platform, and we keep track when our score drops so we can fix it.

For tracking vulnerabilities or monitoring our score with SecurityScorecard, we take action based on our score, and a few people in our group have access there so they check it daily, monitor our IPs, and if there is something they need to discard. We have one specialist who fixes the vulnerabilities, and when he fixes things, he reports back to SecurityScorecard so we keep our score as high as possible, preferably at least A, and we have noticed some customers sharing reports from your platform where they needed us to have this A score.

SecurityScorecard is quite simple and easy to use, and we just need to keep track when we receive those notifications from the tool.

The best features SecurityScorecard offers are that it is easy to use and quite easy to understand what the vulnerabilities are and how to fix them. I appreciate the interface where you can see in one screen pretty much everything, and I also appreciate the feature where you can see the number of customers who follow you in the platform.

The interface of SecurityScorecard stands out for me because it is very easy. In one dashboard, you can see pretty much everything. I appreciate the nice colors that are easy to follow, and I also appreciate the graphs in the platform.

SecurityScorecard has impacted my organization positively as it was a surprise to notice that many of our customers follow us there, and the tool scans the web twice per day, so we can see how hackers and what they can see from our publicly available IPs.

Specific outcomes or metrics that show how SecurityScorecard has helped my organization include our score improving quite a lot. We started with a C or maybe D and reached the A, keeping it above 90 points, which has impacted us because it is now a metric our management follows.

I suggest that SecurityScorecard could be improved by giving a little more specifics on how the scanning works and how you are able to detect those IPs, including more details on the privacy side about how the scanner operates and how it is sometimes allowed to do those scans. Additionally, it might be good to understand how to quickly fix or report the quite a lot of false positives, perhaps through a self-checkout feature or something similar.

The features of SecurityScorecard are quite adequate and do not need anything added.

I have been using SecurityScorecard for about two and a half years.

SecurityScorecard is stable.

SecurityScorecard's scalability is easy to scale.

The customer support for SecurityScorecard is amazing.

Positive

I did not previously use a different solution, as no solution of this kind was used before.

Before choosing SecurityScorecard, we did not evaluate other options.

My experience with pricing, setup cost, and licensing is that we still have the free version, but we have an offer from your side, which I think is straightforward.

I have seen a return on investment with SecurityScorecard as it is easy to use and has saved us some time, so we do not need to do the scans on our own.

I have seen a return on investment with SecurityScorecard as it is easy to use and has saved us some time, so we do not need to do the scans on our own.

Before choosing SecurityScorecard, we did not evaluate other options.

I would rate SecurityScorecard a solid nine out of ten.

I chose a nine because I appreciate the features a lot, but there is still room for small improvements, those that I mentioned above.

SecurityScorecard is deployed in my organization in a public cloud.

The cloud provider we use for SecurityScorecard is Microsoft Azure.

My advice for others looking into using SecurityScorecard is to use it as soon as possible and you will know the difference. My overall review rating for SecurityScorecard is nine.

I primarily use Fortify Data for financial organizations. It combines attack surface capabilities with dark web information and breach disclosure information to assess vulnerabilities and risks. It also offers internal vulnerability scanning capabilities to provide a comprehensive risk assessment.

Fortify Data offers attack surface capabilities that identify vulnerabilities, exposed ports, and dark web information. It also provides breach disclosure information and has the capability for internal vulnerability scanning, which is helpful for a comprehensive risk assessment. It combines threat intel data with vulnerability information to increase risk ratings and provides insights into third-party supply chain risks.

The product can be improved by incorporating more data points and intelligence around dark web information and threat data. Adding more features to combine and consolidate internal vulnerability scanning was a beneficial enhancement. There is a need for more active rather than passive third-party risk management features to truly mitigate risks.

I have worked with SecurityScorecard for a few years. I started getting more experience with them a couple of years ago and began a relationship with the company about a year ago.

The product is suitable for medium to large businesses, typically with a revenue range from $200 million to a couple of billion dollars. It may not be ideal for Fortune 500 companies due to name recognition and scale.

I would rate them about a six or seven. There are areas for improvement in response times and overall support. They are not a substantial company and are constantly improving, however, they need better organization to support their customer volume.

Neutral

The setup was straightforward. It is easy to set up and can facilitate scanning within minutes.

Deploying usually requires just a couple of people who understand the network and security components.

The biggest benefit is visibility, allowing organizations to understand their risks, vulnerabilities, and potential threats. It helps executives make effective decisions on mitigating or accepting risks.

SecurityScorecard is priced in the middle range. There are more expensive and cheaper options available, however, Fortify Data and Censinet are also in the same middle range.

I have experience with Censinet and Fortify Data, which can be tailored more specifically to clients compared to SecurityScorecard.

Overall, I would rate SecurityScorecard as a seven out of ten. 

It is a good product yet somewhat generic in its capabilities. It has partnered well for third-party capabilities, but newer products are incorporating more AI functionalities.

The primary use case for SecurityScorecard is to assess and manage third-party cybersecurity risks within organizations.

They could improve the process with a questionnaire module for the product. At present, we have to answer multiple questions for the suppliers manually. They could automate functionality to enhance this particular area.

We have been using SecurityScorecard for four years.

The platform is stable.

The technical support services are good.

Positive

The platform is easy to deploy and maintain.

Determining the return on investment (ROI) for SecurityScorecard or similar products can be complex and organization-specific. Measuring ROI in this context involves assessing the tool's effectiveness in mitigating risks and preventing potential breaches. However, it's challenging to quantify the precise impact because successfully addressing vulnerabilities may prevent security incidents that would otherwise go unnoticed. For instance, one of our clients shared a story about discovering their data on the dark web, highlighting the importance of proactive security measures.

While achieving 100% vulnerability mitigation is ideal, it takes time to ascertain how many potential breaches are prevented. Nevertheless, given the increasing reliance on online services and the critical need for robust security measures, the significance of third-party risk management must be balanced. Ultimately, while the ROI of SecurityScorecard may be challenging to measure, its role in enhancing security posture and mitigating potential risks is invaluable in today's digital landscape.

Similar to Barracuda, SecurityScorecard's list price may appear high initially. Even though it's competitive, they offer flexible pricing structures.

Our organization relies on numerous SaaS services for critical business functions, such as CRM and monitoring solutions. In a hypothetical scenario where a security breach occurs in the CRM database, potentially exposing our data and our clients, SecurityScorecard proves invaluable. It provides a security score, typically a percentage, based on extensive data collection from various sources, including the dark web and social networks. Let's say our CRM solution receives a security score of 78%, indicating a relatively safe status according to the information gathered by SecurityScorecard.

One of its most effective features for risk identification is its enterprise-ready automation for third-party risk measurements. Additionally, it provides valuable insights into vulnerabilities within an organization, utilizing tools such as CVE details. For instance, it can assign a score based on vulnerabilities detected, such as 60%, and specify each vulnerability by its identifier. It offers scalability and can handle large volumes of real-time data. 

The continuous monitoring feature significantly enhances the ability to manage risks by providing real-time data collection on suppliers. We can observe fluctuations in their security levels over time, sometimes even every month. We can create alerts for high-risk situations, enabling organizations to respond promptly to potential security threats or vulnerabilities identified within their supplier network.

The product's security ratings are helpful. While there may be occasional false positives, it does not function as a scanning solution. Instead, it presents the same information that hackers could potentially exploit.

While I haven't worked with other cybersecurity rating solutions, I can attest to its strengths based on my experience. One notable advantage is their extensive data collection capabilities, surpassing many competitors in the market. They gather a wide range of information, resulting in a vast database that includes many suppliers or companies. It is easy to integrate with other tools.

I rate it a nine out of ten.

SecurityScorecard performs deep analysis over the exposed view of data. It creates an external IT assessment of the company in terms of domain and vendor reports. Essentially, it scans the company's landscape, trying to find vulnerabilities and exposed data that may cause digital risks.

With SecurityScorecard, the most valuable feature is the ability to identify if third parties or vendors have digital threats that may impact our company. It also scans all internal domains and IPs to find vulnerabilities in the digital landscape. The continuous monitoring capabilities have been beneficial by providing ongoing assessments of potential risks.       

The pricing of the product needs improvement in Brazil.

I have been using SecurityScorecard for the past year.

As for stability, it's 99.99% stable.

The scalability of SecurityScorecard is really easy. If the user starts with twenty domains and needs to double, it's already in the platform one just needs to flag a button.

They work pretty fast and have full knowledge of the solution. Personally, I've never had a problem with them. Sometimes there's a little delay because they need to investigate further, but overall, I'm pleased with their support.

Positive

The initial setup of SecurityScorecard is very easy because it's a SaaS solution. Deployment time depends on the number of companies to be monitored; for fifteen to thirty companies, it might take two or three days, or up to a week.

The vendor helps users deploy the solution and set up functionalities, making it straightforward. Usually, three to four people are involved. The vendor assigns a Customer Success Manager to the end user, who acts as the focal point for support, new questions, and functionalities.

The best ROI with SecurityScorecard is when the end user identifies that their vendors or third parties have digital threats that need to be addressed promptly. Preventing digital threats and data leakage from vendors and partners is the best ROI. 

The pricing of SecurityScorecard is fair. I would rate it a seven. It's a bit more on the expensive side. In Brazil, for example, making a payment to the vendor involves wire transfers and high taxes, making it more expensive. Selling SecurityScorecard or any American vendor's product in the United States is very different from selling in South America or Brazil.

Overall I would rate the solution a nine out of ten. 

We were asked by a customer to respond to issues raised on the platform regarding our security score. 

We are using the free offering at the moment. For something that was not part of our selection, I would like to have more features available. In that context, the paid subscription is pricey for an organization of our size.

As the approach is widely automated information gathering, there is a wide gap from free to paid which makes it hard for smaller organizations to get better security awareness. There is always the notion that a breach is expensive, however, that does not mean vendors can collect anything they like in terms of pricing. It has to be reasonable.

They freshly introduced Attack Surface Index where you can search for specific software in their database. The free tier got a bunch of requests for free to get a feel of the feature. It was very nice to snoop around to find out who has which vulnerability listed or how many vulnerable exchange boxes are out there in France still running on Exchange 2013. The feature went into paid tier after a period. 

With SecurityScorecard we gained more insight into our security footprint. The platform does very little to help with issues. Maybe that is for paid subscribers. Every so often, issues are re-surfacing and you have to re-explain everything. 

Don't get me wrong, although it is not very nice to have security issues (or symptoms of such) thrown at you, it is nicer than some ransom demand.

With its automated approach, nothing is missed on the IPs your organization is related to. Still, it is extra work. We use the findings as a todo-list whenever something pops up. 

In the past months, we had success at removing findings that are not our own like the Skype for business-IP hosted by Microsoft.

We had some findings regarding open ports after publishing systems on public IPs. We found out that way the firewall opens several ports for every public IP when enabled. Now we can disable these pro-active.

You can have notifications for changes in your score. It really helps to not have to come back every now and then to look score changes up.

I also like the report options in place. They could be more configurable but there will always be disagreement on reporting options.

You can also invite team members to help solve problems. 

It's good for a security solution. You can protect your logins with MFA.
We use the findings as a means to keep third parties up-to-date by forwarding reports to them so they can see we are able to track every vulnerability.

There could be more information in regards to solving problems like hints on what specifically to look for.

There should be the option to split responsibility for certain areas. This would be mandatory if we want to invite external consultants to look at things together. 

As mentioned above, the pricing for a paid subscription is too high for "just" a monitoring platform. 

They don't fix your issues. Instead, you have to come up with a good explanation of why things are the way they are. Small teams might not have the patience to re-submit closure of issues due to the fact that the explanation for the issue is not accepted.

We have been working with the service for over three years now.

We had no issues with stability so far. There is no high-volume traffic going on when using it. We discovered that login requires disabling the "no-tracking"-option in MS Edge Browser.

It's a web-based service. There should be no issue with scalability.

It's not the most responsive technical support so far. Most issues are not fixed in an hour. Users shouldn't expect confirmation to be there at that time. If you expect 1-3 days you are well-positioned with a no-fee service.

The response quite improved on most inquiries over the last year.

Positive

We did not previously use a different solution.

The initial setup is easy. You just log in with your work email. That's it.

I suspect that no one was tasked with security to onboard here. 
As their database already has all your public outings (IT-wise) there is nothing to set up, really. Just register and claim your tenant, invite your team and your set.

Don't forget to enable MFA!

There is no ROI for a free tier. We would need to provide an explanation about paid subscriptions for just a security ticket system in the cloud.

They already have set up for most organizations with their security footprint gathered from WHOIS, DNS, and other sources. Therefore, no setup cost would be reasonable. The pricing could be split into a lower-paid tier for smaller organizations and another higher tier for others with a more security-focused outlook. $1000 per month is more than some companies pay for their internet connections in total.
UPDATE: they have a new 400$ a month tier for starters.

They cover the complete IPv4 address space with their own sensor network.

They change their perspective on what actually impacts your score over time which you should be aware in order to get no surprises when your score drops suddenly. But that is a very transparent process with a heads-up on what to expect by the new scoring mechanism. Our score got dumped once and is now back on the same level. 
A lot of the findings are open for discussion (you can claim that is not a finding within good reason). They hear you out and some of the new scorings are in answer to customer requests (as I see it - could be mistaken though).

We were forced (or rather, invited) to use that solution by a customer.

Don't expect answers for closing issues right away. There are still people involved who re-check the issues for proper fixes and if your explanation for "that's no issue" is acceptable.

Resolve time improves if you state a link to sites that proof your changes like https://redirect-checker.org/ or https://httpstatus.io/.
Just like with AI, context enriches the issue for the one handling it, making it easier to speak of the same things, which is not always easy.

Look for integrations into other systems. Maybe you can tap into your XDR for Securityscorecard to get more data and have a better view of your exposure.