
Security Scoring Algorithm

How we calculate grades from 8 weighted dimensions using transparent, evidence-based scoring.

How Scoring Works

  • 32 Sources: data collection
  • 8 Categories: weighted scoring
  • Score: 0-100 points
  • Grade: A+ to F

8 Security Dimensions

Each dimension is weighted based on its impact on overall security risk. AI Integration Security (5%) is covered on its dedicated page.

  • Breach History: 20%
  • Encryption: 15%
  • Compliance & Certifications: 15%
  • Authentication & Access: 15%
  • Data Privacy: 10%
  • Incident Response: 10%
  • Vendor Transparency: 5%
  • Security Certifications: 5%

Dimension Details

Breach History (20%)

Evaluates the application's historical security incidents, breach transparency, and remediation effectiveness. Highest weight because past breaches are the strongest predictor of future incidents.

Evaluation Criteria:

  • Number of confirmed breaches (past 5 years)
  • Severity and scope of breaches (user count, data types)
  • Time to disclosure after incident
  • Quality of remediation actions taken
  • Current breach-free streak length
  • Transparency of incident reporting
  • Post-mortem analysis publication

Scoring Methodology

0 breaches = 100 points, 1 breach = 80 points, 2+ breaches = weighted penalty based on severity. Recent breaches (< 2 years) weighted more heavily. Transparent disclosure adds +5 points.

Encryption (15%)

Assesses encryption implementation for data at rest and in transit. Critical for protecting sensitive data from unauthorized access.

Evaluation Criteria:

  • TLS 1.3+ for data in transit
  • AES-256 or equivalent for data at rest
  • End-to-end encryption availability
  • Key management practices (rotation, storage)
  • Certificate validity and configuration
  • Perfect Forward Secrecy support
  • Encryption of database backups

Scoring Methodology

TLS 1.3 = 100 points, TLS 1.2 = 80 points, TLS 1.1 or below = 40 points. Data at rest encryption required for 80+ score. E2E encryption adds +15 points.

Compliance & Certifications (15%)

Evaluates third-party security certifications and compliance with regulatory frameworks. Strong indicator of mature security practices.

Evaluation Criteria:

  • SOC 2 Type II attestation (current within 1 year)
  • ISO 27001 certification
  • GDPR compliance documentation
  • HIPAA compliance (for healthcare apps)
  • FedRAMP authorization (for government apps)
  • PCI DSS compliance (for payment apps)
  • CSA STAR certification level

Scoring Methodology

SOC 2 Type II = 40 points, ISO 27001 = 30 points, GDPR = 15 points, HIPAA/FedRAMP/PCI = 10 points each, CSA STAR Level 2 = 5 points. Maximum 100 points.

Authentication & Access (15%)

Assesses identity and access management capabilities including SSO, MFA, and user provisioning. Critical for preventing unauthorized access.

Evaluation Criteria:

  • SSO support (SAML 2.0, OAuth 2.0, OpenID Connect)
  • Multi-factor authentication (MFA) availability
  • SCIM 2.0 provisioning for automated user management
  • Role-based access control (RBAC) granularity
  • Session management and timeout policies
  • Password strength requirements
  • Just-in-time (JIT) provisioning support

Scoring Methodology

SSO (SAML/OIDC) = 30 points, MFA required = 25 points, SCIM = 20 points, Granular RBAC = 15 points, Session mgmt = 10 points. Maximum 100 points.

Data Privacy (10%)

Evaluates data handling practices, retention policies, and user privacy controls. Essential for GDPR/CCPA compliance.

Evaluation Criteria:

  • Data residency options (geographic storage control)
  • Data retention and deletion policies
  • User data export capabilities (GDPR Article 20)
  • Right to be forgotten implementation (GDPR Article 17)
  • Data processing agreements (DPA) availability
  • Sub-processor transparency
  • Privacy policy clarity and completeness

Scoring Methodology

Data residency options = 25 points, GDPR export/deletion = 25 points, DPA available = 20 points, Sub-processor list = 15 points, Clear privacy policy = 15 points.

Incident Response (10%)

Assesses the organization's preparedness to detect, respond to, and recover from security incidents.

Evaluation Criteria:

  • Dedicated security team existence
  • Bug bounty program (HackerOne, Bugcrowd, etc.)
  • Incident notification SLA (time to notify customers)
  • Security advisory publication process
  • Post-mortem transparency
  • 24/7 security monitoring
  • Disaster recovery plan documentation

Scoring Methodology

Bug bounty program = 30 points, Security team = 25 points, Notification SLA < 72 hours = 20 points, 24/7 monitoring = 15 points, Public post-mortems = 10 points.

Vendor Transparency (5%)

Evaluates the vendor's willingness to share security information publicly through trust centers and documentation.

Evaluation Criteria:

  • Public trust center or security page
  • Security whitepaper availability
  • Compliance report sharing (SOC 2, ISO 27001)
  • Penetration test summary publication
  • Infrastructure security documentation
  • Third-party audit results disclosure
  • Responsiveness to security questionnaires

Scoring Methodology

Public trust center = 40 points, Security whitepaper = 25 points, Compliance reports shared = 20 points, Pentest summaries = 10 points, Quick questionnaire response = 5 points.

Security Certifications (5%)

Evaluates industry-specific security certifications beyond standard compliance (ISO/SOC 2). Indicates advanced security maturity.

Evaluation Criteria:

  • CSA STAR Level 2 or 3 certification
  • HITRUST CSF certification (healthcare)
  • StateRAMP authorization (state government)
  • IRAP assessment (Australian government)
  • Cyber Essentials Plus (UK)
  • TISAX (automotive industry)
  • Common Criteria EAL certification

Scoring Methodology

Industry-specific cert (HITRUST, StateRAMP, IRAP) = 40 points, CSA STAR Level 3 = 30 points, Cyber Essentials Plus = 20 points, Common Criteria = 10 points.

Scoring Formula

overall_score = Σ(dimension_score × weight)

Example Calculation

Breach History         (85 × 20%) = 17.00
Encryption             (90 × 15%) = 13.50
Compliance             (80 × 15%) = 12.00
Authentication         (85 × 15%) = 12.75
Data Privacy           (75 × 10%) =  7.50
Incident Response      (70 × 10%) =  7.00
Vendor Transparency    (80 ×  5%) =  4.00
Security Certifications(60 ×  5%) =  3.00
AI Integration Security(65 ×  5%) =  3.25
                                   -------
Overall Score                       80.00

Grade Thresholds

Critical: NOT Traditional Academic Grading

We use lenient percentile-based grading: a score of 60+ earns an A (top 10% of assessed applications), not 90+ as in academic grading.

Grade Distribution


Distribution of security grades across 1,698 assessed applications

Grade  Minimum score  Percentile
A+     70+            Top 5%
A      60+            Top 10%
B+     55+            Top 15%
B      50+            Top 25%
C+     45+            Top 40%
C      40+            Average
D+     35+            Below Average
D      30+            Poor
F      0+             Critical
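The weighted formula and the grade thresholds above, carried through as an added Python example (not the site's own code): the dimension names, weights and thresholds are taken from this page, the function names and the input validation are my own.

```python
# Dimension weights as published on this page (they sum to 1.0).
WEIGHTS = {
    "Breach History": 0.20,
    "Encryption": 0.15,
    "Compliance & Certifications": 0.15,
    "Authentication & Access": 0.15,
    "Data Privacy": 0.10,
    "Incident Response": 0.10,
    "Vendor Transparency": 0.05,
    "Security Certifications": 0.05,
    "AI Integration Security": 0.05,
}

# Grade thresholds from the page's table, checked from the highest down.
GRADE_THRESHOLDS = [
    (70, "A+"), (60, "A"), (55, "B+"), (50, "B"), (45, "C+"),
    (40, "C"), (35, "D+"), (30, "D"), (0, "F"),
]

def overall_score(dimension_scores: dict[str, float]) -> float:
    """overall_score = sum(dimension_score * weight). Every dimension must be
    present and within 0..100: a missing input is an error, not a silent 0."""
    missing = set(WEIGHTS) - set(dimension_scores)
    if missing:
        raise ValueError(f"missing dimension scores: {sorted(missing)}")
    for name, score in dimension_scores.items():
        if name not in WEIGHTS:
            raise ValueError(f"unknown dimension: {name}")
        if not 0 <= score <= 100:
            raise ValueError(f"{name} score {score} outside 0..100")
    return round(sum(dimension_scores[n] * w for n, w in WEIGHTS.items()), 2)

def letter_grade(score: float) -> str:
    """Map a 0..100 score to the page's percentile-based letter grade."""
    for threshold, grade in GRADE_THRESHOLDS:
        if score >= threshold:
            return grade
    return "F"

# The page's worked example, re-entered here as a constructed input.
EXAMPLE = {
    "Breach History": 85, "Encryption": 90, "Compliance & Certifications": 80,
    "Authentication & Access": 85, "Data Privacy": 75, "Incident Response": 70,
    "Vendor Transparency": 80, "Security Certifications": 60,
    "AI Integration Security": 65,
}

if __name__ == "__main__":
    s = overall_score(EXAMPLE)
    print(f"{s:.2f} -> {letter_grade(s)}")  # 80.00 -> A+
```

Because the weights sum to 100%, a uniform input (every dimension at 70) reproduces itself as the overall score, which is what the calculator below shows.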

Interactive Calculator

Experiment with the scoring algorithm. Adjust dimension scores to see how the weighted calculation produces the overall grade.

Interactive Score Calculator

Adjust the dimension scores below to see how the weighted algorithm calculates the overall security score and letter grade. Notice how Breach History (20% weight) has more impact than other dimensions.

With every dimension set to 70, the calculator reports:

  Overall Security Score: 70 out of 100 points
  Letter Grade: A+ (Exceptional Security, Top 5%)

Calculation:

  Overall Score = (70 × 5%) + (70 × 20%) + (70 × 15%) + (70 × 15%) + (70 × 15%) + (70 × 10%) + (70 × 10%) + (70 × 5%) + (70 × 5%)
                = 3.5 + 14.0 + 10.5 + 10.5 + 10.5 + 7.0 + 7.0 + 3.5 + 3.5
                = 70