What is a scoring recalibration?
We regularly recalibrate our scoring algorithm to ensure that scores accurately reflect the cybersecurity landscape. During a recalibration, we may add new issue types, retire existing ones, and adjust breach risk and threat levels based on updated risk signals.
We notify customers in advance of each recalibration and of any potential impact on scores.
When does this recalibration take effect?
This recalibration will take effect on August 20, 2026.
How will my score be impacted?
You'll see a banner at the top of the Company Overview page for each Scorecard indicating the projected impact of this recalibration.
- If your score is expected to change, the banner shows the projected increase or decrease.
- If your score is not expected to change, the banner will indicate it remains the same.
In addition to the banner, the Issues table includes a Recalibrated impact column that shows each issue's post-recalibration impact.
If you have any questions about how this recalibration affects your Scorecard, please reach out to our Support team or your Customer Success Manager.
What is changing on August 20, 2026?
The following table summarizes the changes to threat levels and breach risk for 4 specific issue types affected by this recalibration.
| Issue Type | Threat level change | Breach risk change | Impact | Reason for change |
|---|---|---|---|---|
| Server with Expired Certificate Contacted (communication_server_with_expired_cert) | INFO → Low | Low → Low | Increase | An expired certificate means the encryption protecting data exchanged between the browser and the website is no longer valid. |
| Tor Traffic Detected (tor_traffic_detected) | INFO → Low | INFO → Low | Increase | This inbound Tor traffic can expose your network's IP address to the Tor entry node, and it correlates strongly with breaches. |
| UPnP Accessible (upnp_accessible) | INFO → Medium | High → Medium | Decrease | UPnP is not inherently a misconfiguration. When it is limited to only the systems that require it and backed by proper controls, the risk is moderate. |
| Outdated Web Browser Observed (outdated_browser) | Medium → Low | Medium → Low | Decrease | This finding is derived from probabilistic sources, so as privacy practices improve, it becomes less definitive. |
Recommendations
The following section provides recommendations for each issue type.
Server with Expired Certificate Contacted
Avoid using a service on a website with an expired certificate. If possible, ask the website owner to renew the expired certificate, especially if it is critical to your business.
Tor Traffic Detected
If Tor traffic is detected on your network, it's important to investigate its source and purpose. While Tor can be used for legitimate privacy reasons, it can also be associated with malicious activities. Begin by identifying the device or user responsible for the Tor connection and assessing whether it aligns with legitimate business or personal needs. If there are no valid reasons for its use, consider blocking or restricting access to Tor within your network to mitigate potential security risks. Additionally, monitor network traffic closely for any signs of unusual or suspicious behavior and maintain up-to-date security measures to safeguard your network from potential threats associated with Tor usage.
UPnP Accessible
Review the business need of exposing UPnP-enabled devices. Hide them behind a firewall, or make them accessible only on an intranet.
Outdated Web Browser Observed
Update the web browsers in question. Enable automatic updates if available from your web browser vendor and permitted in your environment.
Frequently Asked Questions
Q1. Why do scoring recalibrations happen?
- To ensure scores accurately reflect the dynamic elements of the cybersecurity landscape.
- To normalize scoring between organizations of different sizes, with differing digital footprints.
Q2. Where can I see the projected impact of the recalibration?
- A banner appears at the top of both the Company Overview and Issues pages for each Scorecard, showing what your score will be after the recalibration.
- This projected score is a snapshot in time and may change as issues are detected or remediated, just like your current score.
Q3. How can I improve my score ahead of the recalibration?
- Scores can be improved the same way they are today: by remediating detected issues.
- Only issues present on your scorecard at the time of the recalibration will be considered.
Q4. Why is my score projected to drop even though I have the same number of issues?
- During a recalibration, the breach risk or weight of certain issue types may change. Even if the total number of issues stays the same, changes in how those issues are weighted can impact your score.
Q5. Why are these issue types changing now?
- The score impact, threat level, and breach risk for certain issue types have been updated to better reflect their correlation with breach, based on current data. These correlations change over time as the cybersecurity landscape evolves.
- Score impact also varies by organization. Factors such as company size, digital footprint, and affected assets influence how changes to an issue type affect your overall score.
Q6. Are any new issue types being added as a part of this recalibration?
- No. This recalibration does not introduce any new issue types.
Q7. Does this recalibration change how issues and findings are scanned or detected?
- No, recalibration does not impact scanning cadence or issue detection.
Q8. Why does the downloaded report show higher-impact issue types that aren't listed as changed?
The issue types listed in the table above are the only ones whose defined impact level changed as part of this recalibration. For these issue types, each occurrence will decrease the score either more (increasing impact) or less (decreasing impact) than before, regardless of digital footprint, organizational size, or the presence of other issues.
However, SecurityScorecard scoring is not based only on fixed impact levels. Your score is also influenced by how your organization compares with similar organizations (your peer cohort), which are grouped by size and digital footprint.
During a recalibration, we:
- Reevaluate peer cohort groupings
- Reassess how common each issue type is within those cohorts
Because scoring is partly based on relative comparisons, an individual issue's score contribution can change even when the inherent impact of that issue type remains unchanged.
For example:
- If your organization has grown or reduced its digital footprint since the previous recalibration, you may now be compared against a different peer group.
- If the overall distribution of a specific issue type changes within your cohort, its relative scoring may increase or decrease.
- If you have more of a specific issue than your peers, it may contribute more strongly to your score.
- If you have fewer than your peers, it may contribute less.
Q9. I have more questions - where can I get answers?
- We value your feedback! If you have questions about this recalibration or how it affects your Scorecard, contact Support or your Customer Success Manager.
Resources
For details on how our scoring works, see our Scoring Methodology Whitepaper.