Understanding Your Security Score: How It's Calculated
A detailed guide to how CyberShield calculates your security posture score, including weighted category scoring, score decay over time, grade thresholds, and actionable strategies for improving each category.
Your CyberShield security score is a single number that represents the overall security posture of your external-facing infrastructure. It condenses findings across multiple scanning categories into a weighted composite score on a 0-100 scale, making it easy to track your security health over time and communicate your posture to stakeholders.
This guide explains exactly how the score is calculated, what each category measures, how scores decay over time, and how to improve your score efficiently.
What Your Security Score Represents
The security score is a weighted assessment of your external security posture based on findings from multiple scanning categories. It reflects what an attacker (or an automated scanning tool) would observe when examining your domain from the outside.
The score answers a practical question: how well is this domain's external infrastructure configured against known best practices and common attack vectors?
A high score means your domain has strong TLS configuration, properly implemented email authentication, minimal unnecessary port exposure, appropriate HTTP security headers, and healthy DNS and domain configuration. A low score means one or more of these areas has significant weaknesses.
The score is not a guarantee of security -- no external scan can evaluate internal controls, application logic, or organizational security practices. But it is a reliable indicator of external hygiene and a strong proxy for overall security program maturity, because organizations that maintain their external posture well tend to maintain their internal security well too.
How the Score Is Calculated
CyberShield uses a weighted average formula to compute your overall score from individual category scores.
Each scan evaluates your domain across multiple categories. Each category produces its own sub-score based on the findings discovered. The overall score is the weighted average of all category sub-scores, where the weights reflect each category's relative importance to your overall security posture.
Category weights:
| Category | Weight | What It Measures |
|---|---|---|
| TLS | 25% | Certificate health, protocol versions, cipher suites, HSTS |
| Email | 20% | SPF, DKIM, DMARC, MTA-STS, TLS-RPT |
| DNS | 15% | DNSSEC, CAA records, NS configuration, zone security |
| HTTP | 15% | Security headers (CSP, X-Frame-Options, X-Content-Type-Options, etc.) |
| Exposure | 15% | Sensitive file exposure, path traversal, open redirects, info leakage |
| Ports | 10% | Open services, unnecessary network exposure |
| Web | 10% | Cookie security, form security, CORS, CSP deep analysis |
| WHOIS | 5% | Domain registration health, expiration |
| Reputation | 5% | Blocklist status across multiple providers |
| CT | 5% | Certificate transparency log monitoring |
The weights sum to more than 100% because not every category applies to every scan. The formula normalizes based on the categories that produce findings for your specific domain.
How category sub-scores work:
Each category starts at 100 points. Findings within that category deduct points based on severity:
- Critical findings deduct the most points per finding
- High findings deduct a significant amount
- Medium findings deduct a moderate amount
- Low findings deduct a small amount
- Informational findings do not affect the score
The category sub-score cannot go below 0. If a category accumulates enough findings to exhaust all 100 points, it bottoms out at 0.
Calculating the overall score:
The overall score is computed as:
Overall Score = (TLS_score * 0.25) + (Email_score * 0.20) + (DNS_score * 0.15)
+ (HTTP_score * 0.15) + (Exposure_score * 0.15) + (Ports_score * 0.10)
+ (Web_score * 0.10) + (WHOIS_score * 0.05) + (Reputation_score * 0.05)
+ (CT_score * 0.05)
This weighted approach means that fixing issues in high-weight categories (TLS, Email) has a proportionally larger impact on your overall score than fixing issues in low-weight categories (WHOIS, Reputation, CT).
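The sub-score and weighted-average rules above, worked through in code. This is an added example, not CyberShield's own implementation: the category weights are the published ones, but the points deducted per severity are assumed values (the guide only fixes their ordering), and the sample findings are constructed. The normalisation step divides by the sum of the weights of the categories actually scored, which is how a 125% weight total still yields a 0-100 result.

```python
# Category weights exactly as published in the table above.
CATEGORY_WEIGHTS = {
    "TLS": 0.25, "Email": 0.20, "DNS": 0.15, "HTTP": 0.15, "Exposure": 0.15,
    "Ports": 0.10, "Web": 0.10, "WHOIS": 0.05, "Reputation": 0.05, "CT": 0.05,
}

# Assumed points deducted per finding. The guide only fixes the ordering
# (critical > high > medium > low, informational = 0), not the amounts.
SEVERITY_DEDUCTION = {
    "critical": 40, "high": 20, "medium": 10, "low": 3, "informational": 0,
}


def category_scores(findings, categories):
    """Each category starts at 100; every finding deducts by severity; floor at 0."""
    scores = {c: 100 for c in categories}
    for category, severity in findings:
        if category not in scores:
            raise ValueError(f"finding in unscored category: {category}")
        scores[category] = max(0, scores[category] - SEVERITY_DEDUCTION[severity])
    return scores


def overall_score(scores):
    """Weighted average over the categories that were actually scored.

    Dividing by the sum of the applicable weights is the normalisation the
    guide mentions: the published weights add up to 125%, so without it a
    fully scored domain could exceed 100.
    """
    total_weight = sum(CATEGORY_WEIGHTS[c] for c in scores)
    weighted = sum(CATEGORY_WEIGHTS[c] * s for c, s in scores.items())
    return round(weighted / total_weight, 1)


def score_domain(findings, categories=tuple(CATEGORY_WEIGHTS)):
    """Return (category sub-scores, overall score) for one scan."""
    scores = category_scores(findings, categories)
    return scores, overall_score(scores)


# Constructed sample findings (category, severity); not real scan output.
SAMPLE_FINDINGS = [
    ("TLS", "critical"),        # e.g. expired certificate
    ("TLS", "medium"),          # e.g. TLS 1.1 still accepted
    ("Email", "high"),          # e.g. DMARC at p=none
    ("HTTP", "medium"),         # e.g. no Content-Security-Policy
    ("HTTP", "medium"),         # e.g. no X-Frame-Options
    ("HTTP", "informational"),  # does not change the score
    ("Ports", "low"),
]

if __name__ == "__main__":
    subs, overall = score_domain(SAMPLE_FINDINGS)
    for cat, sub in subs.items():
        print(f"{cat:<11} {sub:>3}  (weight {CATEGORY_WEIGHTS[cat]:.2f})")
    print("overall:", overall)
```

With the sample findings the TLS sub-score falls to 50 (one critical plus one medium), Email to 80, HTTP to 80 and Ports to 97, and the normalised overall score is 84.2. Passing only a subset of categories to `overall_score` shows the normalisation at work: the same TLS and Email sub-scores alone give 63.3, because the two remaining weights are rescaled to sum to 1.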
Category Breakdown
Understanding what each category evaluates helps you interpret findings and prioritize remediation.
TLS (25% weight)
The TLS category carries the highest weight because TLS issues have the most immediate, visible impact on security and user trust.
What is checked:
- Certificate validity: Is the certificate current? When does it expire? Is the certificate chain complete (server cert + intermediates)?
- Protocol versions: Which TLS versions does the server accept? TLS 1.0 and 1.1 are deprecated and flagged. TLS 1.2 is the minimum acceptable. TLS 1.3 is ideal.
- Cipher suites: Does the server prefer strong ciphers with forward secrecy (ECDHE + AES-GCM or ChaCha20)? Are weak ciphers (RC4, DES, export-grade) disabled?
- HSTS: Is the Strict-Transport-Security header present with an adequate max-age?
An expired certificate alone can drop your TLS sub-score to critical levels, which drags your overall score down significantly given the 25% weight. Expired certificates and weak ciphers are also among the most common security misconfigurations found in external scans.
Email (20% weight)
Email authentication is weighted heavily because email-based attacks (phishing, business email compromise) are the most common threat vector.
What is checked:
- SPF record: Is it published? Is the syntax valid? Does it use -all (hard fail)? Is it within the 10-lookup limit?
- DKIM: Are DKIM selectors published in DNS? Are public keys valid and parseable?
- DMARC: Is a DMARC record published? What is the policy level (p=none, p=quarantine, p=reject)? Is subdomain policy set? Is reporting configured?
- MTA-STS: Is an MTA-STS policy published to enforce TLS on inbound mail?
- TLS-RPT: Is a TLS reporting record present for receiving delivery failure reports?
A domain with no DMARC or DMARC at p=none will receive significant deductions. Moving from p=none to p=reject is one of the highest-impact single changes you can make to your score.
DNS (15% weight)
DNS security protects the foundational layer that everything else depends on.
What is checked:
- DNSSEC: Is DNSSEC enabled and valid? DNSSEC prevents DNS spoofing and cache poisoning.
- CAA records: Are Certificate Authority Authorization records published to restrict who can issue certificates for your domain?
- NS configuration: Are multiple nameservers configured on different networks? Is the NS configuration consistent and healthy?
- Zone transfer protection: Is zone transfer (AXFR) restricted to authorized secondaries only?
HTTP (15% weight)
HTTP security headers are server-side controls that instruct browsers to enable security protections.
What is checked:
- Content-Security-Policy: Restricts resource loading to prevent XSS
- Strict-Transport-Security: Forces HTTPS connections
- X-Frame-Options: Prevents clickjacking
- X-Content-Type-Options: Prevents MIME type sniffing
- Referrer-Policy: Controls referrer information leakage
- Permissions-Policy: Restricts browser feature access (camera, microphone, etc.)
- Server information disclosure: Server version banners, X-Powered-By headers
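A minimal version of the HTTP category check described above, written as an added example rather than CyberShield's own scanner code. It takes one response's headers and emits (severity, message) findings of the kind that feed the sub-score. The severity assigned to each missing header, the 180-day HSTS max-age threshold, and both header sets are assumptions constructed for the example.

```python
HSTS_MIN_MAX_AGE = 15_552_000  # assumed threshold: 180 days in seconds

# (header, severity when missing, message). Severities are assumptions.
REQUIRED_HEADERS = [
    ("content-security-policy", "high", "missing Content-Security-Policy (XSS mitigation)"),
    ("strict-transport-security", "high", "missing Strict-Transport-Security (HTTPS not enforced)"),
    ("x-frame-options", "medium", "missing X-Frame-Options (clickjacking)"),
    ("x-content-type-options", "medium", "missing X-Content-Type-Options (MIME sniffing)"),
    ("referrer-policy", "low", "missing Referrer-Policy (referrer leakage)"),
    ("permissions-policy", "low", "missing Permissions-Policy (browser features unrestricted)"),
]
DISCLOSURE_HEADERS = ("server", "x-powered-by")


def hsts_max_age(value):
    """Parse max-age out of an HSTS header value; None if absent or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return None


def check_http_headers(headers):
    """Return (severity, message) findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    for name, severity, message in REQUIRED_HEADERS:
        if name not in h:
            findings.append((severity, message))
    if "strict-transport-security" in h:
        hsts = h["strict-transport-security"]
        max_age = hsts_max_age(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(("medium", f"HSTS max-age too short or unparsable: {hsts!r}"))
    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options present but not 'nosniff'"))
    for name in DISCLOSURE_HEADERS:
        value = h.get(name, "")
        if any(ch.isdigit() for ch in value):        # a version number in the banner
            findings.append(("low", f"{name} discloses a version: {value}"))
        elif value:
            findings.append(("informational", f"{name} header present: {value}"))
    return findings


# Constructed sample header sets, not captured from any real server.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=300",
    "Content-Type": "text/html; charset=utf-8",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label)
        for severity, message in check_http_headers(headers):
            print(f"  [{severity}] {message}")
```

The weak set produces eight findings (one high, three medium, four low): five headers are absent, the HSTS max-age of 300 seconds is far below the threshold, and both the Server and X-Powered-By banners leak version numbers. The hardened set produces none. Note that an HSTS header that is present but too short is reported as a separate, lower-severity finding than a missing one; collapsing the two would hide which fix is needed.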
Exposure (15% weight)
The exposure category identifies information and access that should not be publicly available.
What is checked:
- Sensitive file exposure: Accessible backup files, configuration files, version control directories, environment files
- Path traversal risks: Server responses that suggest directory listing or path manipulation
- Open redirect vulnerabilities: Endpoints that redirect to arbitrary URLs (phishing vector)
- Information disclosure: Error messages, debug output, or technical details that reveal internal architecture
Ports (10% weight)
Port scanning identifies services running on your servers that are accessible from the internet.
What is checked:
- Open port inventory: All TCP ports responding to connections
- Service identification: What service is running on each open port
- Unnecessary exposure: Database ports, remote desktop, file sharing, telnet, and other services that typically should not be internet-facing
Web (10% weight)
The web category examines application-level security configurations.
What is checked:
- Cookie security: Secure flag, HttpOnly flag, SameSite attribute, cookie prefixes
- Form security: CSRF protection, secure form actions
- CORS configuration: Cross-origin resource sharing headers, wildcard origins, credential handling
- CSP deep analysis: Detailed Content-Security-Policy evaluation including unsafe-inline, unsafe-eval, nonce/hash usage
WHOIS (5% weight)
Domain registration health provides context about domain management practices.
What is checked:
- Registration expiration: How soon the domain expires (expiring within 30 days is flagged)
- Registrar information: Registration health and consistency
- Domain age: Newly registered domains may indicate different risk profiles
Reputation (5% weight)
Blocklist status indicates whether your domain or associated IPs have been flagged by security providers.
What is checked:
- Email blocklists: Presence on Spamhaus, Barracuda, and other email blocklists
- Web blocklists: Flagged by Google Safe Browsing, PhishTank, or other web security services
- IP reputation: Whether your associated IPs have been flagged for malicious activity
CT (5% weight)
Certificate transparency monitoring watches public logs for certificates issued to your domain.
What is checked:
- Certificate issuance: Recently issued certificates for your domain and subdomains
- Unauthorized certificates: Certificates issued by CAs you did not authorize (especially relevant if CAA records are missing)
- Subdomain discovery: CT logs reveal subdomains that may not be in your inventory
Understanding Score Grades
Your numeric score maps to a letter grade that provides an intuitive summary of your posture:
| Grade | Score Range | Meaning |
|---|---|---|
| A+ | 97-100 | Excellent posture across all categories |
| A | 93-96 | Strong posture with minimal findings |
| A- | 90-92 | Good posture with minor areas for improvement |
| B+ | 87-89 | Above average with some notable findings |
| B | 83-86 | Solid but with clear improvement opportunities |
| B- | 80-82 | Acceptable with several medium findings |
| C+ | 77-79 | Below average, remediation recommended |
| C | 73-76 | Significant findings across multiple categories |
| C- | 70-72 | Weak posture requiring prompt attention |
| D+ | 67-69 | Poor posture with critical or numerous findings |
| D | 63-66 | Very poor posture, significant risk exposure |
| D- | 60-62 | Near-failing posture, urgent remediation needed |
| F | 0-59 | Failing posture, critical exposure present |
What each range means in practice:
A range (90-100): Your external infrastructure follows best practices. No critical findings. You are likely meeting or exceeding what cyber insurers and compliance frameworks expect. Maintain this posture through regular scanning.
B range (80-89): Your posture is solid but has identifiable gaps. Common in this range: missing a few security headers, DMARC not yet at full enforcement, or minor TLS configuration issues. A few targeted fixes can move you into the A range.
C range (70-79): Multiple areas need attention. You likely have a combination of missing email authentication, weak TLS configuration, and absent security headers. Prioritize by category weight for the fastest score improvement.
D range (60-69): Serious gaps exist. Critical findings in one or more high-weight categories are dragging your score down. Expect cyber insurance premium increases or coverage restrictions at this level. Immediate remediation is needed.
F range (0-59): Critical exposure across multiple categories. Expired certificates, no email authentication, exposed dangerous ports, or similar severe findings. This posture level represents active risk that attackers routinely exploit.
Score Decay Over Time
Your security score is only meaningful if the underlying scan data is current. A perfect score from a scan run six months ago does not reflect your current posture -- configurations change, certificates expire, and new vulnerabilities emerge.
CyberShield applies score decay to encourage regular scanning and ensure displayed scores reflect reality:
| Data Age | Freshness | Decay |
|---|---|---|
| 0-7 days | Fresh | No decay (full score) |
| 8-14 days | Aging | -5 points |
| 15-30 days | Stale | -10 points |
| 31-60 days | Old | -15 points |
| 61+ days | Expired | -20 points |
Decay is applied at read-time to the effective score displayed in dashboards and reports. Your original scan score is preserved in the database and remains accessible. The effective score is what you see and what drives trend calculations.
Example: A scan on January 1 produces a score of 92. On January 8, the effective score drops to 87 (aging). On January 16, it drops to 82 (stale). By March 3, it is 72 (expired). The original 92 is still stored, but the effective score reflects the decreasing confidence in data that has not been refreshed.
To keep your score fresh, scan at least weekly for critical domains. Monthly scanning is acceptable for lower-priority domains but will result in aging penalties for roughly half of each month.
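The decay table and the grade table above, combined into one read-time calculation. This is an added example, not CyberShield's own code. It assumes that the scan day counts as day 1 of the data's age, because that is the convention under which the guide's January example comes out as stated (92 on January 1, 87 on January 8, 82 on January 16, 72 on March 3); dates may be passed as `date` objects or ISO strings.

```python
from datetime import date

# Decay tiers from the table above: (last day of the tier, label, penalty).
DECAY_TIERS = [(7, "fresh", 0), (14, "aging", 5), (30, "stale", 10), (60, "old", 15)]
EXPIRED_TIER = ("expired", 20)

# Grade floors from the grade table above, highest first; anything below 60 is F.
GRADE_FLOORS = [
    (97, "A+"), (93, "A"), (90, "A-"), (87, "B+"), (83, "B"), (80, "B-"),
    (77, "C+"), (73, "C"), (70, "C-"), (67, "D+"), (63, "D"), (60, "D-"),
]


def decay_for_age(age_days):
    """Return (freshness label, penalty) for scan data that is age_days old."""
    for last_day, label, penalty in DECAY_TIERS:
        if age_days <= last_day:
            return label, penalty
    return EXPIRED_TIER


def letter_grade(score):
    for floor, letter in GRADE_FLOORS:
        if score >= floor:
            return letter
    return "F"


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def effective_score(original, scan_date, today):
    """Apply read-time decay to a stored scan score and grade the result.

    Assumption: the scan day counts as day 1, which is the convention that
    reproduces the guide's January 1 / January 8 example. The original score
    is returned untouched alongside the effective one, mirroring the guide's
    point that decay never rewrites what was stored.
    """
    scan_date, today = _as_date(scan_date), _as_date(today)
    if today < scan_date:
        raise ValueError("scan date is in the future")
    age_days = (today - scan_date).days + 1
    label, penalty = decay_for_age(age_days)
    effective = max(0, original - penalty)
    return {
        "original": original,
        "age_days": age_days,
        "freshness": label,
        "effective": effective,
        "grade": letter_grade(effective),
    }


if __name__ == "__main__":
    # Timeline from the guide's worked example (year assumed to be 2025).
    for day in ("2025-01-01", "2025-01-08", "2025-01-16", "2025-03-03"):
        r = effective_score(92, "2025-01-01", day)
        print(f"{day}: day {r['age_days']:>2} {r['freshness']:<8} "
              f"effective {r['effective']} ({r['grade']})")
```

Running the timeline shows why decay matters for grades as well as numbers: the same stored 92 (A-) reads as B+ after a week, B- after two, and C- once the data is two months old, without any change to the domain itself.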
Improving Your Score
The most efficient path to score improvement targets high-weight categories with the biggest current deductions.
Step 1: Identify your weakest high-weight categories.
Look at your category breakdown. If your TLS sub-score is 60 but your WHOIS sub-score is 95, fixing TLS issues will have a much larger impact (25% weight vs 5% weight).
Step 2: Fix critical and high findings first.
Within each category, critical and high severity findings cause the largest score deductions. Fixing one critical finding often has more impact than fixing five low findings.
Step 3: Prioritize by weight-adjusted impact.
| Fix | Category Weight | Typical Score Improvement |
|---|---|---|
| Renew expired TLS certificate | 25% | 15-25 points overall |
| Implement DMARC at p=reject | 20% | 10-15 points overall |
| Close exposed RDP/database ports | 10% | 5-10 points overall |
| Add all HTTP security headers | 15% | 5-10 points overall |
| Enable DNSSEC + add CAA records | 15% | 3-8 points overall |
| Fix cookie security flags | 10% | 2-5 points overall |
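Steps 1 and 3 above amount to ranking categories by weight-adjusted headroom. The following added example (not CyberShield's code) does exactly that: for each category it computes how many overall-score points would be recovered if the sub-score were restored to 100, using the published weights and the same normalisation over applicable weights as the scoring formula. The sub-scores are constructed to match the Step 1 illustration (TLS at 60, WHOIS at 95).

```python
# Category weights exactly as published in the weights table.
CATEGORY_WEIGHTS = {
    "TLS": 0.25, "Email": 0.20, "DNS": 0.15, "HTTP": 0.15, "Exposure": 0.15,
    "Ports": 0.10, "Web": 0.10, "WHOIS": 0.05, "Reputation": 0.05, "CT": 0.05,
}


def remediation_priority(sub_scores):
    """Rank categories by the overall points each could recover if fixed to 100.

    Potential gain = weight * (100 - sub_score) / sum of applicable weights,
    i.e. the category's share of the normalised weighted average.
    """
    total_weight = sum(CATEGORY_WEIGHTS[c] for c in sub_scores)
    rows = []
    for category, score in sub_scores.items():
        gain = CATEGORY_WEIGHTS[category] * (100 - score) / total_weight
        rows.append((category, score, round(gain, 1)))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed sub-scores for the example: TLS weak (60), WHOIS nearly perfect (95),
# and HTTP with more headroom than Email but a lower weight.
SAMPLE_SUB_SCORES = {
    "TLS": 60, "Email": 75, "DNS": 100, "HTTP": 70, "Exposure": 100,
    "Ports": 100, "Web": 100, "WHOIS": 95, "Reputation": 100, "CT": 100,
}

if __name__ == "__main__":
    for category, score, gain in remediation_priority(SAMPLE_SUB_SCORES):
        if gain > 0:
            print(f"{category:<8} sub-score {score:>3}  up to +{gain} overall")
```

With these inputs TLS tops the list at up to 8.0 overall points, Email (4.0) outranks HTTP (3.6) despite HTTP having the larger sub-score deficit, and WHOIS trails at 0.2, which is the Step 1 comparison made quantitative.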
Step 4: Verify each fix.
After implementing a change, use CyberShield's quick scan to re-test the relevant module. This confirms the fix is working and updates your score immediately rather than waiting for the next full scan. For specific remediation steps across all categories, see our guide on common security misconfigurations and fixes.
Step 5: Scan regularly to prevent regression.
Schedule weekly or monthly scans as part of a continuous monitoring program. Infrastructure changes, certificate renewals, DNS modifications, and service deployments can all introduce new findings. Regular scanning catches regressions before they accumulate.
Monitoring Score Trends
A single score is a snapshot. Trends over multiple scans tell the real story of your security program's effectiveness.
The history page shows all past scans for a domain with their scores, allowing you to see progression over time. A consistently improving trend demonstrates active security management. A declining trend flags that changes are introducing new issues faster than they are being resolved.
Scan comparison lets you compare two scans side-by-side, highlighting new findings (issues that appeared), resolved findings (issues that were fixed), and persistent findings (issues that remain). This is particularly useful after a remediation sprint to verify that fixes took effect.
Category score tracking reveals whether improvement is broad-based or concentrated. If your overall score improved but your email sub-score dropped, you may have fixed headers while inadvertently breaking DKIM signing.
Baseline comparison establishes a reference point. Set a baseline after your initial remediation effort, then track all future scans against that baseline. New findings relative to baseline represent regression. Resolved findings relative to baseline represent sustained improvement.
Use trend data to communicate security posture to leadership, support cyber insurance negotiations, and demonstrate compliance with frameworks that require continuous monitoring. Your score data can also feed into compliance reports mapped to PCI-DSS, SOC 2, and ISO 27001 for audit evidence.