Custom Scorecards are available with a paid SecurityScorecard plan. See our plans page for more information about levels of features and access.
When your organization's Scorecard includes a large set of related domains and IPs, it can be challenging to analyze in its entirety. A custom Scorecard solves this by allowing you to define a specific, focused subset of those digital assets.
You can base a custom Scorecard on your own organization's Scorecard or on another organization's, such as a vendor's. Using a set of filters, you can include or exclude source Scorecard assets based on criteria such as business units, service lines, geographies, or cloud assets.
A custom Scorecard functions exactly like any standard Scorecard, but it is limited to the specific set of digital assets you define.
Custom Scorecard use cases
The flexibility of filtering assets enables you to tailor Scorecards to different needs. Below are example use cases for custom scorecards.
Use case #1: Enterprise cyber-risk management (focused self-monitoring)
Scenario: Your organization needs to focus monitoring on a particular business unit, region, facility, or any other organizational grouping.
Benefit:
- Security for each focus area is managed by a different person internally.
- Creating custom scorecards helps your company fix issues faster by allowing you to assign tasks quickly to the correct point of contact.
- Different organizational units can focus on a smaller set of issues that they control.
How to implement:
- Include or exclude domains or IPs to define the focus of the Scorecard you want to monitor.
- Add the custom Scorecard to Portfolios for continuous monitoring.
Note: The scoring on the custom Scorecard is not related to the scoring of the company-based Scorecard.
Use case #2: Third-party monitoring
Scenario: Your organization wants to monitor a portion of a vendor’s very large Scorecard, for example, their customer cloud business.
Benefit: You can focus on a specific, higher-risk area of the vendor scorecard, such as riskier websites and assets, or on specific domains or IP ranges, rather than the vendor's entire digital footprint.
How to implement: Identify and filter for the correct asset subsets to evaluate.
Understand custom Scorecard scoring
The scoring of a custom Scorecard is independent of its source Scorecards and may differ significantly due to variances in Digital Footprint size and other factors.
For example, a small, focused custom Scorecard may be scored as if it were a small business rather than part of a large international company. As a result, issues in the custom Scorecard may be weighted differently than in the base Scorecard.
For a more detailed explanation of scoring factors, visit our SecurityScorecard Trust Portal.
See the FAQ for more information about how issues and Digital Footprints work on custom and source Scorecards, respectively.
IP and IP range filter behavior
If an IP or IP range is part of your filter set, the Digital Footprint of the Custom Scorecard includes or excludes:
- IP Addresses that match the filter and are part of the base Scorecard.
- IPv4 Range notation, such as 0.0.0.0/0 or 123.123.123.123/24.
- Domains linked to IP addresses matching the filters.
This means you will see issues on the custom Scorecard directly attributed to the IPs you include in filters, as well as issues attributed to domains or subdomains related to those IPs.
Geolocation filter behavior
The geography IP filter includes or excludes IPs that resolve to the country that you selected. Any domains linked to those IP addresses are also included.
Geo-filtering is approximately 80 percent accurate, so using a geolocation-based filter may give inconsistent results. SecurityScorecard recommends using more specific IP or domain filters when possible.
Step 1: Get started
To get started, go to My Organization > Custom Scorecards and select New Custom Scorecard.
You can also open a Scorecard you want to use as a source, and then select Custom Scorecard.
Enter a name and, optionally, an industry and description.
Step 2: Set access and permissions
Select whether you want to modify the Scorecard settings and filters exclusively or if you want to share those permissions with specific individuals or the broader team.
Individual collaborators (internal and external)
You can grant specific access to individual users, regardless of whether they are part of your organization or external.
- Enter the names of any collaborators you wish to add to the scorecard and set their access level.
- Collaborators can be members of your organization or external users.
- Both internal and external collaborators can be granted Can edit access.
Broader group access
In addition to individual collaborators, you can set access levels for entire groups using the permissions fields.
- Anyone in the same org (organization members): Set the access level for all members of your organization. The available options are Can edit, Can view, and Private.
- Anyone else (external users): Set view access for members outside of your organization. The available options are Can view and No access.
Note: If you give view access, everyone with a SecurityScorecard account will have access to view the scorecard.
Step 3: Select a source Scorecard
First, select the source Scorecard(s) for your custom Scorecard. A source can be any Scorecard generated by SecurityScorecard.
Once selected, you can use filters to create specific segments that allow you to focus your analysis.
Notes:
- You can only publish a custom Scorecard sourced from your own organization's Scorecard.
- You cannot publish a custom Scorecard based on multiple sources.
Step 4: Configure filters and logic
Use filters to create the exact segments that you want to focus on within your source Scorecard data.
Understand filter logic
Filters rely on two levels of logic. Knowing the difference helps you get accurate results.
Logic within a single filter (AND)
A single filter is made up of one or more criteria (for example, domain, geo location, IP address).
All criteria within a single filter must be true at the same time (an AND relationship) for results to be included.
Example: A filter specifying example.com AND the geo location us will only include IP addresses that match both criteria.
Note: Do not add multiple criteria of the same data type, like two different IP addresses, within a single filter. Since the logic is AND, you’d be asking the system to match two IPs at once, which is impossible, so no results appear.
Logic between multiple filters (OR)
If you create more than one filter in a custom Scorecard, each filter has an OR relationship to the others. This means that results matching any one of the filters will be included in the Scorecard.
You can use this for matching multiple values of the same type, such as two different IP addresses. Instead of putting two IPs in the same filter, create a filter for each IP. The first filter matches 2.192.0.6 OR the second filter matches 185.53.177.20. Because the filters are combined with OR, both IPs produce results.
Choosing filter criteria
Build each filter from a set of criteria, all of which must match for that filter to return results. For example, if a filter specifies the domain example.com and the geo location us (United States), the results will only include IPs that match both criteria.
You can build filters using the following criteria types:
- IP, IP range, CIDR(s)
- Domain/subdomain
- Geo location
- Custom tags
Once you configure your filters, the platform searches the Digital Footprints of the source Scorecards and includes any matching assets in the custom Scorecard.
Tips when building filters
- Inputting items: Type each value and then press RETURN or ENTER before typing the next one.
- Geo location codes: For locations, use International Organization for Standardization (ISO) two-letter country codes. For example, us for United States.
- Wildcards: Use wildcards (*) to specify domains. A wildcard such as *.company.com automatically includes company.com.
Including associated IPs or domains
You can select whether to include associated IPs or domains for the filter. This option expands your result set, but its specific behavior depends on the criteria type used in the filter.
For example, if your criteria specify a set of IP addresses, the custom Scorecard will then include the associated domains and all other IPs attributed to those domains.
The table below details how the Include associated domain option works for each criterion type.
| Criterion | Associated asset option |
| --- | --- |
| IP | Only associated domains apply. |
| Domain | Only associated IPs apply. |
| Geo-location | Only associated domains apply. |
| Custom tags only assigned to domains | Selecting associated IPs includes IPs in the results. Selecting associated domains includes the registered domain and subdomains in the results. |
| Custom tags only assigned to IPs | Selecting associated IPs does not provide any results. Selecting associated domains includes the registered domain and subdomains in the results. |
| Custom tags assigned to domains or IPs | Selecting associated IPs includes the IPs in the results. Selecting associated domains includes the registered domain and subdomains in the results. |
Excluding items
You can globally exclude assets regardless of other filters. These exclusions override all filter logic.
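To make the filter logic concrete (AND within a filter, OR between filters, global exclusions overriding both, and CIDR matching for IP-range criteria), here is an added Python example; it is not SecurityScorecard's code. The sample Digital Footprint, the criterion names (ip, domain, geo) and the exact wildcard and country-code matching rules are assumptions made for the illustration, following the behavior this page describes.

```python
import ipaddress

# Constructed sample Digital Footprint (not real SecurityScorecard data):
# each asset is (domain, ip, country); domain is None for an unattributed IP.
FOOTPRINT = [
    ("www.example.com", "2.192.0.6", "us"),
    ("mail.example.com", "185.53.177.20", "de"),
    ("cdn.example.com", "2.192.0.7", "us"),
    ("example.com", "203.0.113.9", "us"),
    (None, "198.51.100.3", "fr"),
]

def criterion_matches(kind, value, asset):
    """One criterion against one asset. 'ip' takes a single address or a CIDR range."""
    domain, ip, country = asset
    if kind == "ip":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    if kind == "domain":
        if domain is None:
            return False
        if value.startswith("*."):        # *.company.com also covers company.com itself
            base = value[2:]
            return domain == base or domain.endswith("." + base)
        return domain == value
    if kind == "geo":
        return country == value.lower()   # ISO two-letter country code
    raise ValueError(f"unknown criterion type: {kind}")

def filter_matches(criteria, asset):
    """Within one filter every criterion must hold at once (AND)."""
    return all(criterion_matches(kind, value, asset) for kind, value in criteria)

def apply_filters(filters, exclusions=(), footprint=FOOTPRINT):
    """Keep an asset if ANY filter matches (OR between filters), then drop
    anything hit by a global exclusion, which overrides the filters."""
    kept = [a for a in footprint if any(filter_matches(f, a) for f in filters)]
    return [a for a in kept if not any(criterion_matches(k, v, a) for k, v in exclusions)]

# The page's examples: two IPs in one filter is an impossible AND, so nothing
# matches; one filter per IP is an OR and returns both assets.
BOTH_IPS_ONE_FILTER = apply_filters([[("ip", "2.192.0.6"), ("ip", "185.53.177.20")]])
ONE_FILTER_PER_IP = apply_filters([[("ip", "2.192.0.6")], [("ip", "185.53.177.20")]])

if __name__ == "__main__":
    print(BOTH_IPS_ONE_FILTER)   # []
    print(ONE_FILTER_PER_IP)     # both assets
    print(apply_filters([[("domain", "*.example.com"), ("geo", "us")]],
                        exclusions=[("domain", "cdn.example.com")]))
```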
Filter by issue types
This layer controls which issues from the source Scorecards are included. By default, all issues from source Scorecards are included in the custom Scorecard.
Preview and create
Select Refresh Preview at the bottom of the page to display filtered assets.
Tip: Each time you change any filters, refresh your preview again.
If the Digital Footprints of the source Scorecards are large, the preview may take longer to refresh. If the source Digital Footprints include more than 1 million IPs, the preview may not display.
When you have finished setting the filters, click Create.
A score is calibrated for your new custom Scorecard within 1 hour of creation. The exceptions are when the source Scorecard has more than 100,000 assets or when the custom Scorecard has tags. You can assign it to a Portfolio at any time, and if you selected the option to publish it, the Scorecard will immediately become publicly visible.
Note: SecurityScorecard sends you an email when your custom Scorecard has a score.
Custom Scorecard processing time
Custom Scorecards typically process within 1 hour, with a few important exceptions.
Processed within 1 hour
The score for a custom Scorecard will be generated or updated within one hour in the following cases:
- Newly created custom Scorecards
- Updates to an existing custom Scorecard when:
  - The number of measurements changes
  - The filters or recipe are updated
Not processed within 1 hour
The following updates do not qualify for 1-hour processing and may take up to 72 hours (3 days):
- Score changes due to remediations
- Custom Scorecards with tags
- Large custom Scorecards (such as those with Microsoft- or Google-sized Digital Footprints)
- Digital Footprint changes, including:
  - Age-outs
  - Auto-Resolution
  - Addition of new issue types
FAQ
Q. I have Fast Score enabled, but my custom Scorecard is not being created in real time. Why?
Currently, Fast Score is not available for custom Scorecards.
Q. Should I contact my vendor for domains and IP ranges or CIDR blocks that I need for a custom Scorecard?
Yes, if you want the vendor’s help to determine which domains or IP addresses are most relevant to you. In some cases, a vendor creates and publishes their own custom Scorecard for a particular business unit. Researching which domains and subdomains you use to interact with the vendor can provide a good starting point for a custom Scorecard based on that vendor. Related IP ranges are included through dynamic attribution.
Q. Does a Custom Scorecard take up a usage slot as it does with following a Scorecard?
Yes.
Q. If I resolve an issue finding on a custom Scorecard, is that same finding also resolved on the source Scorecard?
Yes. The finding has the same ID on the source and custom Scorecards.
Q. Can I use a custom Scorecard to change the Digital Footprint of the source Scorecard?
No. You can only claim, add assets, or request their removal on the Digital Footprint for the source Scorecard.
Q. If my Digital Footprint is missing the asset I need for my custom Scorecard, do I need to add it to my base Scorecard first?
Yes, only domains, subdomains, or IP ranges that are part of a base Scorecard are available to match one or more filters. If the asset is removed from a base Scorecard that previously matched a filter, it no longer matches the custom Scorecard and will be removed from it as well.
Q. Does a custom Scorecard include the historic scores of its sources?
Source Scorecard history prior to the creation of the Custom Scorecard is not included in that custom Scorecard. It includes only findings present on the source Scorecards at the time of creation.
Q. Where can I see who changed filters for a specific custom Scorecard?
You can view this information from the Audit Log. Go to My Organization > Custom Scorecards to view all of the custom Scorecards you are monitoring. Select the menu icon (...) for the scorecard and choose Show History to see all changes.
Q. How can I manage multiple custom scorecards associated with my company account?
You can view all of the custom Scorecards you are monitoring by going to My Organization > Custom Scorecards. Here, you can monitor all your existing custom Scorecards. By selecting multiple Scorecards, you can perform the following bulk actions:
- Delete the selected Scorecards.
- Add the selected Scorecards to a Portfolio.
- Share the selected Scorecards with others.