Custom Scorecards are available with a paid SecurityScorecard plan. See our plans page for more information about levels of features and access.
Your organization's Scorecard may contain a large set of related domains and IPs, which may make it difficult to analyze in its entirety. But you can define a specific subset of all your digital assets by creating a Custom Scorecard. You can base a Custom Scorecard on your own organization's Scorecard or that of another organization, such as a vendor.
Using a set of filters, you can include or exclude source Scorecard assets according to different criteria. For example, you can base your filtering on different business units, service lines, geographies, or cloud assets.
A custom scorecard works like any other, except for the limited set of digital assets it contains.
Tip: Version 3 (v3) of Custom Scorecards provides capabilities not available in earlier versions:
- Precise filtering
- Filtering based on issue types
- Improved score accuracy with the inclusion of existing findings
- Ability to use multiple source Scorecards
If you created Custom Scorecards that precede v3, learn how to migrate these earlier-version Scorecards, so that you can use them with the enhanced capabilities.
Custom Scorecard use cases
The flexibility of filtering assets enables you to tailor Scorecards to different needs.
Enterprise cyber-risk management—focused self-monitoring
Your organization uses custom Scorecards to focus on a particular business unit, region, facility, or any other organizational grouping.
- Benefit: The security of each focus area is managed by a different person internally. Creating custom scorecards helps your company fix issues faster because you can quickly assign the task to the correct point of contact. Different organizational units can focus on a smaller set of issues that they control.
- How to do it:
- Include or exclude domains or IPs to define the focus of the Scorecard you want to monitor.
- Add the Custom Scorecard to Portfolios for continuous monitoring.
- Note: The scoring on the Custom Scorecard is not related to the company base Scorecard.
Your organization wants to monitor a portion of a vendor’s very large Scorecard, for example, their customer cloud business.
- Benefit: You can focus on a specific area of the vendor scorecard, such as riskier websites and assets, or specific domains or IP ranges.
- How to do it: Identify the correct asset subsets to evaluate.
Create your Custom Scorecard—step by step
- Step 1: Start creating your Custom Scorecard
- Step 2: Name your Scorecard and set permissions
- Step 3: Select one or more source Scorecards
- Step 4: Set up filters
Step 1: Start creating your Custom Scorecard
Start creating your Custom Scorecard one of three ways:
- In the SecurityScorecard platform, select Create Custom Scorecard under Scorecards.
- Or, select Custom Scorecards under Scorecards and then, on the landing page, click Create Custom Scorecard.
- Or, go to a Scorecard that you want to use as a source of the Custom Scorecard and then click Create Custom Scorecard.
Step 2: Name your Scorecard and set permissions
- On the page to create a Custom Scorecard, enter a name and, if helpful to your team, a description as well.
- Select whether you want to modify the Scorecard settings and filters exclusively or if you want to share those permissions with specific individuals on your organization's SecurityScorecard account.
- If you select the option to share the permissions, enter the email addresses of the selected individuals.
- Select whether you want to restrict viewing access to your organization or everyone with a SecurityScorecard account (Public).
Note: You can only publish a Custom Scorecard sourced from your own organization's Scorecard. Also, you cannot publish a Custom Scorecard based on multiple sources.
Step 3: Select one or more source Scorecards
Select Scorecards as sources for your Custom Scorecard. You can then use filters to create segments, based on these sources, to focus on.
Tip: A source can be any Scorecard generated by SecurityScorecard. Currently, you cannot use another Custom Scorecard as a source.
In the Create Custom Scorecard form, start typing the name of a Scorecard you want to use as a source. When it appears in the text box, select it. Repeat this action for every Scorecard you want to source from.
Tip: See the FAQ for more information about how issues and Digital Footprints work respectively on Custom and source Scorecards.
Step 4: Set up filters
Use filters to create the exact segments that you want to focus on. Based on these filters, the platform searches the Digital Footprints of source Scorecards and includes the results in the Custom Scorecard.
Build each filter from a set of criteria, all of which must have matching data. For example, if you build a filter specifying the domain example.com and the geo location us (United States), results must match both criteria for that filter to include IPs.
All the filters you create for a Custom Scorecard have an or relationship to each other, meaning that results matching any of the filters are included in the Scorecard.
To set up filters:
- Create one filter based on one or more criteria for including or excluding IP addresses, ranges, CIDR notations, domains, geographic locations, or custom tags.
- In any field, type each item and then press RETURN or ENTER before typing the next one.
- For locations, use International Organization for Standardization (ISO) two-letter country codes.
Example: Use us for United States.
- Select whether to include associated IPs or domains for the filter. For example, if you specify IP addresses in your criteria, selecting this option will cause the Custom Scorecard to include the associated domain and all other IPs attributed to that domain.
- To create more filters, click Add Filter for each and select criteria for each new filter.
Tip: You can use wildcards (*) to specify domains. Filtering on a wildcard value such as *.company.com automatically includes company.com.
Tip: See Working with multiple criteria and filters for additional guidance.
- To prevent specific items from becoming part of the Scorecard, select the option to globally exclude them and then specify the IPs, domains, or locations. These exclusions override any other filter criteria, providing a quick, convenient way to keep out unwanted items.
- To filter assets based on issue types, select issue types from each desired factor.
Note: By default, all issues from source Scorecards are included in the Custom Scorecard.
- Click Refresh Preview to display filtered assets.
Tip: Each time you change any filters, refresh your preview again.
Note: If the Digital Footprints of the source Scorecards are large, the preview may take longer to refresh. If the source Digital Footprints include more than 1 million IPs, the preview may not display.
- When you have finished setting the filters, click Create.
A score is calibrated for your new Custom Scorecard within 72 hours after you create it. You can assign it to a Portfolio any time, and if you selected the option to publish it, the Scorecard immediately becomes publicly visible.
Note: SecurityScorecard sends you an email when your Custom Scorecard has a score.
Working with multiple criteria and filters
Multiple criteria within a filter have an AND relationship. This means that if you set multiple criteria, returned values must match ALL of your criteria.
Avoid setting multiple criteria with identical data types.
For example, if you set one criterion for matching the IP address 18.104.22.168 and add a second criterion in the same filter for matching another IP address, 22.214.171.124, you will get no results. The filter requires a single asset to have both addresses at once, a condition that does not exist.
For identical data types, use multiple filters, which have an OR relationship to each other. Returned values then must match ANY of the filters. So, if you set one filter for matching the IP address 126.96.36.199 and add a second filter for matching the IP address 188.8.131.52, you get results for both addresses.
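The filter rules described in Step 4 and in this section (criteria inside one filter are ANDed, separate filters are ORed, global exclusions override everything, and a wildcard such as *.company.com also pulls in the apex domain) can be checked offline before you build a Custom Scorecard. The following script is an added example written for this article; it is a hypothetical model of those rules, not SecurityScorecard's own code, and the FOOTPRINT records are constructed sample assets using RFC 5737 documentation addresses.

```python
"""Model of Custom Scorecard filter semantics (hypothetical, not SecurityScorecard code).

Rules modelled from the article:
  * criteria inside one filter are ANDed;
  * separate filters are ORed;
  * global exclusions override every filter;
  * a wildcard domain such as *.example.com also matches example.com.
"""
import fnmatch
import ipaddress

# Constructed sample Digital Footprint: each record is one IP with its
# attributed domain and geolocation country code. RFC 5737 documentation
# addresses are used; these are not real assets.
FOOTPRINT = [
    {"ip": "198.51.100.10", "domain": "www.example.com", "country": "us"},
    {"ip": "198.51.100.20", "domain": "example.com", "country": "us"},
    {"ip": "203.0.113.5", "domain": "shop.example.com", "country": "de"},
    {"ip": "203.0.113.9", "domain": "example.net", "country": "us"},
]


def criterion_matches(asset, kind, value):
    """Return True if a single criterion (kind, value) matches the asset."""
    if kind == "ip":
        # A bare address becomes a /32 network, so single hosts and CIDR
        # blocks are handled by the same containment test.
        net = ipaddress.ip_network(value, strict=False)
        return ipaddress.ip_address(asset["ip"]) in net
    if kind == "domain":
        if fnmatch.fnmatchcase(asset["domain"], value):
            return True
        # "*.example.com" also includes the apex "example.com".
        return value.startswith("*.") and asset["domain"] == value[2:]
    if kind == "geo":
        # ISO 3166-1 alpha-2 code, compared case-insensitively.
        return asset["country"].lower() == value.lower()
    raise ValueError(f"unknown criterion kind: {kind}")


def filter_matches(asset, criteria):
    """A filter is a list of (kind, value) criteria; ALL must match (AND)."""
    return all(criterion_matches(asset, k, v) for k, v in criteria)


def build_footprint(assets, filters, exclusions=()):
    """Return sorted IPs that match ANY filter and NO global exclusion."""
    selected = []
    for asset in assets:
        if any(criterion_matches(asset, k, v) for k, v in exclusions):
            continue  # global exclusions win regardless of filter matches
        if any(filter_matches(asset, f) for f in filters):
            selected.append(asset["ip"])
    return sorted(selected, key=ipaddress.ip_address)


if __name__ == "__main__":
    # Two IP criteria in ONE filter: AND of two different hosts -> nothing.
    print(build_footprint(FOOTPRINT, [[("ip", "198.51.100.10"), ("ip", "198.51.100.20")]]))
    # The same two IPs as TWO filters: OR -> both hosts.
    print(build_footprint(FOOTPRINT, [[("ip", "198.51.100.10")], [("ip", "198.51.100.20")]]))
    # Wildcard domain AND geo; the apex example.com is pulled in by the wildcard,
    # shop.example.com is dropped because it geolocates to de.
    print(build_footprint(FOOTPRINT, [[("domain", "*.example.com"), ("geo", "us")]]))
    # CIDR block, with a global exclusion that overrides the match.
    print(build_footprint(FOOTPRINT, [[("ip", "203.0.113.0/24")]],
                          exclusions=[("domain", "example.net")]))
```

Run it against an export of your own Digital Footprint to see which assets a proposed filter set would select before you click Create; the first call reproduces the empty result that two same-type criteria in one filter produce.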
About Custom Scorecard scoring
The scoring of a custom Scorecard is independent of its source Scorecards, and may be significantly different due to variances in the size of the Digital Footprint and other factors.
For example, a small, focused custom Scorecard may end up being scored as if it were a small business instead of part of a large international company. So, issues in the Custom Scorecard may be weighted differently than in the base Scorecard.
See a more detailed explanation of scoring factors in the SecurityScorecard Trust Portal.
IP and IP range filter behavior
If an IP or IP range is part of the filter set, the Digital Footprint of the Custom Scorecard includes or excludes:
- IP Addresses that match the filter and are part of the base Scorecard
- IPv4 Range notation, such as 0.0.0.0/0 or 184.108.40.206/24
- Domains linked to IP addresses matching the filters
This means that you will see issues on the Custom Scorecard that are directly attributed to the IPs that you include in filters, as well as issues that are attributed to domains or subdomains related to the IPs you specified.
The geography IP filter includes or excludes IPs that resolve to the country that you selected. Any domains linked to those IP addresses are also included.
Geolocation filter behavior
Geo-filtering is approximately 80 percent accurate, so using a geolocation-based filter may give inconsistent results. SecurityScorecard recommends using more specific IP or domain filters when possible.
Create a Version 3 Custom Scorecard from an older version
To enable Version 3 (v3) features for older Custom Scorecards, create a v3 copy in a few simple steps.
The v3 Scorecard includes the same data and filters as the older version but provides additional filtering and other capabilities. Also, when you create a v3 copy, you retain the older version with that version's filtering.
Note: You can edit earlier-version Custom Scorecards, but you cannot create earlier-version Scorecards. You can only create v3 Custom Scorecards.
- In the SecurityScorecard platform, select Custom Scorecards under Scorecards.
- Select the Custom Scorecard you want to migrate.
- Click Copy to Version 3.
The v3 Scorecard appears with V3 copy appended to the name and Version 3 filters. You can then edit the v3 Scorecard.
Remember to click Save Changes for the v3 Scorecard, even if you do not make any changes. Otherwise, you will lose it.
Note: By default, the option Include associated IPs and domains is enabled, but you can disable it. For v3 Custom Scorecards, this option does not include transitive assets. For example, if the Custom Scorecard includes IP 192.0.2.10, which is attributed to domain example1.com, enabling this option will cause example1.com to be included in the Custom Scorecard but not any other IPs attributed to example1.com unless you have already included them.
Frequently asked questions
I have Fast Score enabled, but my custom Scorecard is not being created in real time. Why?
Currently, Fast Score is not available for Custom Scorecard.
Should I contact my vendor for domains and IP ranges or CIDR blocks that I need for a custom Scorecard?
Yes, if you want the vendor’s help to determine which domains or IP addresses are most relevant to you. In some cases a vendor creates and publishes their own custom Scorecard for a particular business unit. Sometimes a little research on which domains and subdomains you use to interact with the vendor can provide a good starting point for a custom Scorecard based on that vendor. Related IP ranges are included through dynamic attribution.
Does a Custom Scorecard take up a usage slot, as followed Scorecards do?
If I resolve an issue finding on a Custom Scorecard, is that same finding also resolved on the source Scorecard?
Yes. The finding has the same ID on the source and Custom Scorecards.
Can I use a Custom Scorecard to change the Digital Footprint of the source Scorecard?
No. You can only claim or add assets, or request their removal, on the Digital Footprint of the source Scorecard.
If my Digital Footprint is missing the asset I need for my custom Scorecard, do I need to add it to my base Scorecard first?
Yes. Only domains, subdomains, or IP ranges that are part of a base Scorecard are available to match one or more filters. If an asset that previously matched a filter is removed from the base Scorecard, it no longer matches and is removed from the Custom Scorecard as well.
Does a Custom Scorecard include the historic scores of its sources?
No source Scorecard history prior to the creation of the Custom Scorecard is included in that Custom Scorecard. The Custom Scorecard includes all findings that are present on the Source scorecards at the time of creation.