SecurityScorecard 2024 feature releases – Help Center

Some features mentioned in this article may only be available with a paid SecurityScorecard plan. See our plans page for more information about levels of features and access.

Learn about the latest product updates, features, early release features, and improvements, in the SecurityScorecard platform.

Scoring recalibrations and other changes that affect Scorecard scores that occurred prior to July 2024 are available in the scoring update release notes. Any changes that impact scoring that occurred after July 2024 are documented below.

December

Score calculations fixed for scorecards with less than 50 score

Post Scoring 3.0, the score impact was not adding up to 100 for scorecards with a score of less than 50. This has been fixed now.

Learn more about this correction

Monitor attack surface data changes via API

Use the new Attribution Log API to get detailed logs of arriving and departing assets, along with reasons for changes over time. You can receive attribution changes for:

Your own attack surface
Your subsidiary scorecard
Your vendor scorecard
Companies you provide cyber-insurance to

Learn more about the Attribution Log API

November

Attribution Evidence in Issues CSV

You can now get assets, attribution evidence, associated issues metadata, and tags (user-contributed data) all within Issues CSV exports.

Learn more about managing your digital footprint

Attribution via DNS TXT record evidence

Use the DNS TXT record method to attribute assets to the right subsidiaries. SecurityScorecard will generate a unique string that you can use to update the DNS TXT record of apex domains.

Identify IPs associated with specific hostnames in Digital Footprint

Use new the new hostnames filter in the digital footprint helps identify IPs associated with specific hostnames.

Learn more about managing your digital footprint

Questionnaires request access workflow

Users who do not have access to a questionnaire can request access.

Learn more about redesigned questionnaires

New ServiceNow Security Incident Response (SIR) Module

The new SecurityScorecard ServiceNow SIR module is a plug-in app for SecurityScorecard ServiceNow ITSM.

Learn more about the ServiceNow Security Incident Response integration

TPRM Dashboard updates

Easily review different portfolios using the new multi-select option within the Portfolio section and combine multiple portfolios into a singular dashboard view. You can also export a PDF of the dashboard for sharing with stakeholders.

Learn more about the third-party risk management dashboard

Export Automatic Vendor Detection portfolio connections

Per detected vendors, you can now download the list of Portfolio connections from the Portfolio Connections drawer.

Learn more about Automatic Vendor Detection

October

Rapid score refresh for Custom Scorecards

Custom scorecards are now updated within one hour of creation or changes to the scorecard recipe.

Learn more about creating Custom Scorecards

Issue Type Updates

We have updated the following two Issue Types to "Informational". With this update, you will not see any score impact with these two issue types: Website Copyright Not Current and Telephony/VOIP Device Accessible.

New information architecture

The top line menu for the SecurityScorecard platform has been updated

JIRA Ticket Workflow Improvements

You can now assign issues to Jira project teams directly from scorecards and set parent-child hierarchies.

Learn more about the JIRA integration with SecurityScorecard

New design for Questionnaires

The redesigned questionnaire workspace provides a clear and intuitive layout, with improved organization and visibility of crucial information. Users can now complete questionnaires more quickly and accurately, saving time and reducing frustration.

Learn more about redesigned questionnaires

New getting started experience

Our new onboarding experience guides users through key features in the platform. Vendor risk managers will be guided on how to add, contact, and continuously monitor vendors easier and faster. Security engineers will be guided on how to improve their score, communicate security performance, and turn on alerts.

MAX document center

MAX customers can now access documents from service delivery teams within the MAX dashboard in the SecurityScorecard platform.

Learn more about the MAX dashboard

Search and generate reports with tags in Supply Chain Risk Intelligence

You can now select between Portfolios or tags in Supply Chain Risk Intelligence to generate a report.

September

Roles-Based Access Control (RBAC) Improvements

A new visualization tool allows admins to clearly see each user’s effective permissions. In addition, admins now have the ability to set default roles for new users, view private portfolios, add users in bulk, assign portfolios at the team level, control who can consume a slot, and disable API access.

Learn more about managing users and permissions

Move assets to the subsidiary scorecard and the proper owner

New self-serve capabilities allow admins to re-assign assets to a different subsidiary. Admins also have visibility if a specific asset is attributed to multiple subsidiaries.

Learn more about hierarchies and managing subsidiaries

August

Assign assets to IT teams in bulk

You can now select multiple Custom Scorecards and assign a specific IT team or user in one operation.

Learn more about Customer Scorecards

ServiceNow VRM Breach Incident Response Details

The SecurityScorecard VRM integration with ServiceNow TPRM now supports breach response data. You can now automate breach notifications within ServiceNow.

Learn more about ServiceNow integration

All Companies Updates

You can now navigate from the Vendor risk management dashboard to All Companies with a click when you have selected “All portfolio companies” as your selected portfolio. Notes can also be added to vendor details for internal communications. The import template now includes vendor details fields.

Learn more about All Companies

Showing Attribution Source Upfront in Digital Footprint

Infosec Managers can now view attribution source upfront - for attributing IPs and domains to their attack surface - in zero clicks. This helps your team build confidence for attribution and enables faster remediation.

Digital Footprint (domain tab)

Digital Footprint (IP tab)

Learn more about your Digital Footprint

Evidence Based Score Gain: All Evidence Types

Evidence-Based Score Gain is a methodology in which you can receive positive scores for uploading valid Evidence on the Evidence Locker. In the previous release, we enabled EBSG for SOC2 Type1 and SOC2 Type2 evidence types only. We are now expanding this to all the evidence types on the platform. The list of evidence types that will start to see score gain are listed below:

SOC 2 Type 1 (already available)
SOC 2 Type 2 (already available)
ISO 27001
PCI DSS Level 1
NIST 800-53
SIG
HIPPA
Privacy Policy
Certificate of Insurance
Pen Test

Learn more about Evidence-based Scoring

Enhanced SSC Login Experience

We have introduced a new platform login experience with:

New login UX design
New FIDO passwordless login (Learn more about FIDO Authentication)
New SSO break-glass access
More login options

Log in with a passkey

New SSO Settings (enabling break-glass access)

Setting FIDO passwordless login (based on FIDO2 protocol)

Scheduled Custom Reports

You can now send a direct link to the PDF file within a scheduled report email, providing your recipients with one-click access to the file.

Learn more about Rule Builder

July

New Questionnaires Overview page

The Questionnaires Overview page provides a more personalized experience by grouping vendors within the context of their overall lifecycle status and linking vendors back to the All Companies page.

Learn more about Questionnaires

Assignment Workflow

You can now assign ownership of assets (IPs and domains) and associated issues to individual members or a team.

Learn more about your Digital Footprint

All Companies

All Companies is a complete list of monitored vendors across all portfolios. You can use All Companies to all monitored companies in one place, including filtering, sorting, bulk editing, and exporting.

To enable All Companies, navigate to the Early Access Center and flip ON the option for “Manage all monitored vendors in “All Companies”.

Learn more about All Companies

Asset Remediation Workflow

Starting from the Digital Footprint page, you can now navigate to the exact issue findings that are associated with the asset you selected and remediate them. Simply identify any domain and IP and click on a specific issue to filter for the specific findings.

Telco IP AI Attribution Model

Security postures within the TICP industry (Telcos, ISPs, Cloud Providers) are more accurate with the introduction of an AI attribution model that continuously identifies customer IP or leased IP ranges.

June

Smart Answer for Questionnaires

Smart Answer is SecurityScorecard’s AI generated questionnaire responses solution. Simply upload a questionnaire and Smart Answer will leverage AI to autocomplete future questionnaires based on what was uploaded.

Role-Based Access Control for Questionnaires

Customer admins can add customizable permissions to questionnaires for their teams, enabling them to effectively manage their internal workflows and personnel. Go to Settings> User Permissions> Roles/Create a Role.

TPRM Dashboard

Quickly understand the current state of your vendor risk management program and take action on the things that matter most. The TPRM dashboard is the new landing page upon log-in.

Learn more about the TPRM dashboard

Filtering and Segmentation for Custom Scorecard API

Custom Scorecard filtering and segmentation capabilities featured in the SecurityScorecard UI are now available via API.

Splunk App Update

SecurityScorecard Splunk app and Splunk app add-on, now support Splunk versions: 9.2, 9.1, 9.0 on both Splunk Enterprise, Splunk Cloud.

ServiceNow VRM and ITSM App Compatibility with ServiceNow Washington DC

SecurityScorecard VRM and ITSM apps have been tested and recertified for compatibility with ServiceNow Washington DC release. This allows new customers that have upgraded to the Washington DC release to install both SecurityScorecard apps.

May

New vendor workflow from Action Plans in Supply Chain Risk Intelligence

When you create and assign an Action Plan for a vendor, they can come back into the platform and see detail into the particular report. When a vendor clicks on the Action Plan to open it, they can see a list of all the Infections, vulnerabilities, and high-risk products.

New Hacker Chatter Signals for Threat Intelligence

Two new Hacker Chatter Signals have been added to the platform, providing you with deeper visibility into threat actors' ongoing campaigns and targets. With real-time feeds from Dark Web sources, your team is able to react and improve your cyber defenses to repel, prevent, and stop the attacks from happening.

Data Leak Detected: Provides visibility into data leaks that have been published by bad actors as well as the type of information and PII that has been released
Domain Targeted By Threat Actor Group: Indicates if your organization is/was being targeted by bad actors

New comment column in Issue Findings table

You can now comment on specific issue findings on the Issue Detail page to improve communication with partners and vendors. Access permissions are view and edit for your own scorecard and view only for other scorecards.

Remediate Issues in Custom Scorecards

You can now submit remediations for issues via Custom Scorecard, which also automatically gets updated in the main source scorecard.

Learn more about Custom Scorecards

Updates to Vendor Invite Emails

Invited vendors will be given more context for the request and have links to additional help articles for any questions they may have on the task they are being asked to complete. You can also update your organization’s logo on the scorecard’s Company Profile and the logo will be added to the outgoing emails.

Learn more about inviting vendors

Search by Subdomains and CDN filter on Assets in Attack Surface Intelligence

You can search subdomains along with parent domains in Attack Surface Intelligence and use the new “Has CDN” filter to refine search results.

Add Company Modal Update

The process to add a company to your portfolio or watch list has been made consistent across the platform and offers several ways to add the company in one unified experience.

Add Contacts Modal Update

You can add a contact at any time to the organizations you follow from their portfolio list view and the scorecards themselves. In addition, you can bulk upload all of your vendor contacts.

April

Attribution Evidence Provenance

You can now view the whole chain of attribution - along with corresponding evidence - when you click on IP or a domain in Digital Footprint.

Schedule and share reports in PDF format via email

Send a direct link to the report’s PDF file within an email, providing recipients with a one-click access to the file without having to login or create an account to view.

Standardized CSV Reports

All CSV exports from SecurityScorecard now follow the same format. A specific naming convention that includes the timestamp, columns in the CSV will match the columns in the UI, and column names are consistent across the platform.

Quarterly and Annual Scheduled Reports

The report scheduler now includes the option to schedule reports to be sent quarterly and yearly in addition to daily, weekly and monthly.

March

Business impact by company

You can now select a business impact of Low, Medium, High, or Critical for each scorecard in your portfolios and on the scorecard itself. By providing a business impact rating, you will be able to more accurately see the associated risk of the organization based on the vendor’s score and impact.

Learn more about working with portfolios

Products with zero-days and Cloud Exposure view for Supply Chain Risk Intelligence

See which of your vendors have products with a known zero day vulnerability in the High-Risk Products view and which are storing data in the cloud with the Cloud Exposure view.

Addition of Related Domain Attribution Data

All related domains, including those manually added Ratings are now visible in Attack Surface Intelligence and Supply Chain Risk Intelligence.

Scorecard Overview Page

The Scorecard Overview Page is a single page where you can quickly evaluate various states of your organization's security posture and drill down to specific areas for further investigation. The Scorecard Overview Page speeds up risk evaluation by consolidating various data in one view and surfacing actionable items.

Learn more about the Scorecard Overview Page

Vulnerability Intelligence: Multiple Tech Stack Support

Create multiple tech stacks (list of products/versions, product/version inventory) for different business units or purposes like web apps and databases. Set up alerts and RSS feeds for each tech stack.

Ratings: Data Residency

Data Residency is now available for storing questionnaire responses in local AWS geo-location. Ensure compliance with your countries regulations, prevent data breaches, and maintain data privacy.

Ratings: Attribution Evidence in Digital Footprint CSV

Attribution source and corresponding evidence for attributing domains and IPs to your digital footprint can now be ingested via CSV. Infosec managers gain confidence around attribution and asset ownership identification, facilitating faster risk mitigation processes.

Example of Attribution Evidence in the Digital Footprint CSV

Ratings: Issue Severity Feedback

You now have the opportunity to provide feedback on issue severity. On the details page of each issue type, you can input whether or not you agree with an issue type's severity and breach risk being “high, medium, or low.” This allows us to better understand the level of severity your organization would apply to certain issue types.

Provide feedback on the Issue Type details page.

Ratings: CVSSv3 Data Filter

We’ve added a data filter to improve the quality of CVSSv3 data. This is expected to have a positive impact on your score.

Learn more

Ratings: Continued Updates to Issue Type Descriptions, Risks, and Recommendations

You will continue to see updated issue types with clear descriptions, risks, and actionable recommendations that will help you resolve findings faster. The following issue types will be updated as a part of this release:

Telephony/VoIP device accessible
SPF Record Missing
SPF Record Found Ineffective
SPF record contains a soft fail without DMARC
Malformed SPF Record
Server error detected
High severity content management system vulnerabilities identified
Exposed Personal Information
Exposed Personal Information (historical)
SSL/TLS service supports weak protocol

Re-Use Previously Invited Contacts In Invitations

Contacts from Contact Manager are now re-usable with additional information on “Last Active Date” and Job Titles whenever you trigger a new email invite. This helps ensure you’re reaching out to the right person and will increase response rates.

Check the last active date, job title, and who a contact was added by when selecting the recipient of your invite.

February

Supply Chain Risk Intelligence: Action Plans

Action plans grant you the ability to click a button and send vendors evidence of threat activity in their environment that needs to be addressed. Your TPRM program owners can quickly and collaboratively address the vendor’s threat exposure in a language that the vendor’s SOC team understands.

Instantly share threat findings with your vendors to take action

Ratings: Executive Reports

Enrich your board-level discussions with a redesigned reporting center, showcasing new executive reporting widgets and templates tailored to address security risks as critical business concerns. With the ability to customize, contextualize, and annotate reports, it's easier to effectively tell a full story to the board regarding risk management and show the business impact of your organization’s security initiatives and investments.

Create custom reports using our new widgets and executive-level templates

Watch List Alerts for Score Changes

Set email alerts to be sent to your team for any score or grade drops in your Watch List.

Create a rule in Rule Builder for Watch List alerts

Evidence Locker: Non-Disclosure Agreement Workflows

You can now limit access to chosen documents in Evidence Locker until vendors have completed an NDA workflow. Simply upload your NDA, select which documents require signatures from vendors, and get alerted via email when requested signatures have been completed. This enhancement will provide additional protection for sensitive, confidential documentation.

Add an NDA requirement to your documentation

Evidence Locker: Request Access Workflows

Request access for private documents you do not have permissions for. Once you request access, an email will be sent to the document owner to approve or deny the request.

Request access to locked documentation. If the document owner grants access to the document, you will be notified via email.

MAX Dashboard

As a MAX customer, you now have an in-platform dashboard where you can view your TPRM risk and the work being done by the SSC team. The MAX dashboard provides your team with real-time visibility into how we’re monitoring your supply chain and resolving issues that are likely to result in an incident.

Score Smoothing

When viewing your score history, you now have the ability to turn on the score smoothing toggle to flatten the line of your trending historical score. Score smoothing simplifies analyzing and reporting on your score trends to the board and other key stakeholders.

Before the score smoothing toggle is turned on

After the score smoothing toggle is turned on

Learn more about score smoothing

Updates to Issue Type Descriptions, Risks, and Recommendations

You will start to see updated issue types with clear descriptions, risks, and actionable recommendations that will help you resolve findings faster. The following issue types have been updated as a part of this release:

Site does not enforce HTTPS
Website references object storage
Unsafe implementation of subresource integrity
Content Security Policy contains 'unsafe-' directive
Website copyright is not current
Session cookie missing "secure" attribute
Website doesn't Implement HSTS best practices
Server with expired certificate contacted
Website does not implement X-Content-Type-Options best practices
HTTP proxy service detected
Website communicates with payment provider
Insecure HTTPS redirect pattern
Browser logs contain debug messages
Site emits visible browser logs
Site fails to load page components
Certificate key is smaller than recommended size
Link redirects to unsecure website

January

Attribution Event Log

Address questions about your attack surface with a log showing arriving and departing assets along with date of change, reason for change or related information.

Learn more about Attribution Event Log

Self-Serve Slot Purchasing

Business users can purchase 1-10 additional slots via self-service. This option becomes available to Account settings when you have reached 80% slot consumption.

ACH and Wire Transfers

You now have the option to make a purchase on the SecurityScorecard platform through wire transfer.

Supply Chain Risk Intelligence

Supply Chain Risk Intelligence provides a digestible and unified view of actionable intelligence to identify your riskiest vendors and show evidence to reduce threat exposure faster. Pre-built threat views including vulnerabilities, infections, breaches, and high-risk assets are available across your vendor portfolios.