What is a scoring recalibration?
We regularly recalibrate or adjust our scoring algorithm to ensure scores accurately reflect the cybersecurity landscape. During a recalibration, we may add new issue types, retire existing ones, and adjust breach risk and threat levels based on updated risk signals.
We notify customers in advance of each recalibration and of any potential score impacts.
When did this recalibration take effect?
This recalibration took effect on October 21, 2025.
How will my score be impacted?
You'll see a banner at the top of the Issues page for each Scorecard indicating the projected impact of this recalibration.
- If your score is expected to change, the banner shows the projected increase or decrease.
- If your score is not expected to change, the banner indicates that your score is expected to remain the same.
If you have any questions about how this recalibration affects your Scorecard, please reach out to our Support team or your Customer Success Manager.
What changed on October 21, 2025?
The following table summarizes the changes to threat levels and breach risk for 10 specific issue types affected by this recalibration.
| Issue type | Current threat level | New threat level | Current breach risk | New breach risk | Impact |
| --- | --- | --- | --- | --- | --- |
| TLS Service Supports Weak Cipher Suite | Medium | Medium | Low | Medium | 📈 Increase |
| Unsafe Implementation of Subresource Integrity | Info | High | Low | High | 📈 Increase |
| Low-Severity CVSS v3.0 Vulnerability Patching Cadence | Low | Info | Low | Info | 📉 Decrease |
| Low Severity CVEs Patching Cadence | Low | Info | Low | Info | 📉 Decrease |
| Medium-Severity CVSS v3.0 Vulnerability Patching Cadence | Medium | Info | Low | Info | 📉 Decrease |
| Medium Severity CVEs Patching Cadence | Medium | Info | Low | Info | 📉 Decrease |
| High-Severity CVSS v3.0 Vulnerability Patching Cadence | High | Info | Low | Info | 📉 Decrease |
| High Severity CVEs Patching Cadence | High | Info | Low | Info | 📉 Decrease |
| SPF Record Contains a Softfail without DMARC | Low | Info | Medium | Info | 📉 Decrease |
| SPF Record Missing | Medium | Low | Medium | Low | 📉 Decrease |
Frequently Asked Questions
Q1. Why do scoring recalibrations happen?
- To ensure scores accurately reflect the dynamic elements of the cybersecurity landscape.
- To normalize scoring between organizations of different sizes, with differing digital footprints.
Q2. Where can I see the projected impact of the recalibration?
- A banner appears at the top of the Issues page for each Scorecard showing what your score will be after the recalibration.
- This projected score is a snapshot in time and may change as issues are detected or remediated, just like your current score.
Q3. How can I improve my score ahead of the recalibration?
- Scores can be improved the same way they are today: by remediating detected issues.
- Only issues present on your scorecard at the time of the recalibration will be considered.
Q4. Why is my score projected to drop even though I have the same number of issues?
- During a recalibration, the breach risk or weight of certain issue types may change. Even if the total number of issues stays the same, changes in how those issues are weighted can impact your score.
Q5. Why are these issue types changing now?
- The score impact, threat level, and breach risk for certain issue types have been updated to better reflect their correlation with breach, based on current data. These correlations change over time as the cybersecurity landscape evolves.
- Score impact also varies by organization. Factors such as company size, digital footprint, and affected assets influence how changes to an issue type affect your overall score.
Q6. Are any new issue types being added as a part of this recalibration?
- No. This recalibration does not introduce any new issue types.
Q7. Does this recalibration change how issues and findings are scanned or detected?
- No, recalibration does not impact scanning cadence or issue detection.
Q8. I have the issue type TLS Service Supports Weak Cipher Suite, and I would like to remediate it. How do I know which cipher suites are flagged as "weak"?
- You can see a list of cipher suites that trigger this issue type here.
Q9. Why does the downloaded report show higher-impact issue types that aren't listed as changed?
- The issue types listed in the table above are the only ones explicitly changing in impact as part of this recalibration. For these issue types, each occurrence will decrease the score either more (increasing impact) or less (decreasing impact) than before, regardless of digital footprint, organizational size, or the presence of other issues.
- Other issue types may still show small impact changes due to the overall recalibration of the scoring model, which adjusts how issues are weighted across organizations of different sizes and digital footprints.
- This recalibration step can result in small impact changes for any issue type (except those with no score impact).
Q10. I have more questions - where can I get answers?
- We value your feedback! If you have questions about this recalibration or how it affects your Scorecard, contact Support or your Customer Success Manager.
Resources
For details on how our scoring works, see our Scoring Methodology Whitepaper.