About Cybersecurityratings.com, our team, and what we do
Cybersecurityratings.com is a Denver, Colorado-based cybersecurity ratings and consulting platform founded in 2019. We exist to close the security intelligence gap between large enterprises — who've always had access to sophisticated, data-driven security tools — and the small and mid-size businesses that make up the backbone of the American economy.
Our core product is an objective, continuously updated A–F security grade generated from 250+ external data points across six weighted risk categories. Unlike a one-time audit, our ratings refresh automatically — so you always know where you stand without scheduling anything or giving anyone access to your systems.
We pair that rating data with five consulting services — Security Audits, Compliance Consulting (SOC 2, HIPAA, PCI-DSS, NIST, and more), Incident Response Planning, Security Architecture Review, and ongoing Remediation Support — all delivered by our US-based, certified team. The rating tells you what's wrong; our consultants help you fix it.
Who we serve: Healthcare organizations navigating HIPAA, financial firms facing PCI-DSS, SaaS companies needing SOC 2, manufacturers protecting OT systems, legal firms guarding client data, and any US business that wants an objective measure of their security — all 50 states, all industries, any size.
Cybersecurity ratings are used by a wide range of professionals and organizations, including:
We are headquartered in Denver, Colorado, with our team available Monday through Friday, 8 AM to 6 PM Mountain Time. Our analysts and consultants are all US-based — we do not offshore any analysis or client work. We serve organizations across all 50 US states and can conduct on-site engagements anywhere in the country, thanks to Denver's excellent connectivity to every major US city via Denver International Airport.
We combine three things that are typically separate: objective ratings data, expert human review, and hands-on remediation consulting.
We work with organizations of all sizes — from 5-person startups to multi-thousand-person enterprises. Our platform and pricing are designed to scale: individual business owners use our free assessment to understand their exposure, growing companies use our Professional and Business plans for continuous monitoring, and large enterprises use our API and white-label capabilities to embed ratings across their vendor management programs. Our consulting services are available to any organization, with engagement scope and pricing tailored to your size and complexity.
Founded in 2019 by former enterprise security executives, we've grown from a two-person startup in Denver to a full-service ratings and consulting platform serving hundreds of US organizations. Here are some milestones we're proud of:
Zero breaches among clients who maintain a B+ or higher rating with continuous monitoring over the past 3 years — our most meaningful metric.
We serve eight industries with deep, sector-specific expertise. Our methodology, compliance frameworks, and benchmark data are all calibrated to the unique risk landscape and regulatory requirements of each:
Yes. We work with state and local government agencies, federal contractors, and organizations pursuing federal certifications. Key areas we cover for this sector include:
Essential for defense contractors handling Controlled Unclassified Information (CUI) under DoD contracts.
For federal agencies and contractors subject to the Federal Information Security Modernization Act.
We monitor the CISA Known Exploited Vulnerabilities catalog and flag any matches against your rated infrastructure.
Rate your technology suppliers and contractors before onboarding to meet federal supply chain security requirements.
Note on FedRAMP: We can help you assess your readiness and close gaps before a formal FedRAMP authorization process, but we are not a FedRAMP-authorized Third Party Assessment Organization (3PAO) for the authorization itself.
Our analysts and consultants are certified security professionals, not generalists. We require all team members to maintain active certifications and complete a minimum of 40 hours of continuing education annually. Current team certifications include:
Our leadership team includes a former CISO of two Fortune 500 companies, a former US defense contractor security engineer, a Big 4 cybersecurity practice lead, and an NSA-trained threat intelligence specialist. Full bios are available on our About Us page.
The best first step for any new organization is our free security assessment — it takes 2 minutes to request, requires no system access, and delivers a full report within 48 hours at no cost. Here's the full process:
Yes — our partner program is designed specifically for Managed Service Providers (MSPs), cybersecurity consultants, and IT service firms who want to deliver branded security ratings to their clients as part of their service offering. There are three partner tiers:
To learn more or apply, visit our Partner Program page or email [email protected].
We have deep respect for platforms like BitSight and SecurityScorecard — they pioneered the space and serve large enterprise needs well. Here's how we're genuinely different:
| Feature | Us | BitSight / SSC |
|---|---|---|
| Human analyst review on every report | ✓ Yes | ✗ Automated only |
| Consulting & remediation services | ✓ Included | ✗ Not offered |
| US-focused methodology & benchmarks | ✓ US-specific | Global / generic |
| Free assessment option | ✓ Full report free | ✗ Paid only |
| SMB-accessible pricing | ✓ From $199/mo | $2,000+/mo typical |
| US-based support team | ✓ Denver, CO | Mixed / offshore |
If you're a 10,000-person enterprise with a dedicated security team and a seven-figure tools budget, BitSight or SecurityScorecard may be the right fit. If you're a growing US business that wants objective ratings, actionable insights, and expert humans available to help — we're built for you.
How scores are calculated, updated, and used
Ratings are calculated from 250+ external data points across six weighted categories:
All data is collected externally without any system access. Every automated finding is reviewed by a certified analyst to remove false positives before contributing to the final score. Scores range from 0–100 and map to letter grades: A (90–100), B (80–89), C (70–79), D (60–69), F (below 60).
No — never. All of our rating data is collected entirely from publicly visible, external signals. We analyze what the open internet can observe about your organization: open ports, SSL/TLS configuration, DNS records, email authentication settings, software version signals, and dark web credential databases. We never require login credentials, VPN access, software agents, firewall rule changes, or any form of privileged access to your network. This makes our assessments completely non-intrusive and safe to request without involving your IT team.
Update frequency varies by category and subscription plan. For paid subscribers, most categories are refreshed daily or in real time:
Free assessments are point-in-time snapshots. Continuous monitoring requires a paid subscription.
Some improvements are near-instant. Configuring a missing DMARC record or renewing an expired SSL certificate can raise your score within 24–48 hours of the fix being deployed. More complex improvements like patching vulnerable software, closing exposed ports, or remediating application vulnerabilities take longer depending on your environment. Clients who engage our remediation consulting service typically see a full letter grade improvement within 30–60 days. We track every client's score trajectory so you can see the measurable impact of each fix in real time.
Yes. All paid subscribers have access to a formal dispute process. If you believe a finding in your report is a false positive or has already been remediated, you can submit evidence through your account dashboard. Our analyst team reviews every dispute within 3–5 business days and updates your score if the evidence supports it. We take accuracy seriously and welcome corrections — they help us improve data quality for everyone. Free assessment users can flag concerns by emailing our support team.
These are complementary but very different tools:
Many organizations use all three: continuous ratings for monitoring, periodic pen tests for deep validation, and vulnerability scans as part of their patching workflow.
Basic rating summaries — letter grade and industry tier — are available to premium subscribers who look up organizations in our database for legitimate due diligence purposes (e.g., evaluating a vendor or supplier). Full reports with detailed vulnerability findings are never publicly accessible. They are only delivered to the rated organization or authorized subscribers with a documented permissible purpose. Your specific vulnerability details are always confidential. You control whether to voluntarily share your rating badge with clients or prospects.
Data sources, scoring detail, benchmarks, and comparisons
Each category analyzes specific technical signals from your publicly observable infrastructure. Here's what's included in each:
False positive management is one of the key reasons we invest in human analyst review for every assessment. Our process has three layers of false positive protection:
Our false positive rate is under 3% across all categories — compared to industry averages of 15–25% for purely automated scanners. The analyst layer is the key difference.
We aggregate data from five categories of sources to build each rating:
Your report shows how your security score compares to the aggregate scores of other rated organizations in your industry. Here's how we calculate it:
Pro tip: Even a C-grade organization can be in the top 30% of their sector if the industry average is low (like manufacturing at D, or education at D-). Your report contextualizes your score within your actual competitive landscape, not an idealized standard.
The free assessment gives you a complete, full-detail snapshot of your security posture — it's genuinely useful on its own. Paid subscriptions add continuous monitoring and additional capabilities:
| Feature | Free | Professional | Business |
|---|---|---|---|
| A–F letter grade report | ✓ | ✓ | ✓ |
| Top 10 vulnerability list | ✓ | ✓ | ✓ |
| Industry benchmark comparison | ✓ | ✓ | ✓ |
| 30-min analyst review call | ✓ | ✓ | ✓ |
| Continuous monitoring | ✗ One-time | ✓ Daily | ✓ Real-time |
| Score change alerts | ✗ | ✓ Email + Webhook | ✓ Email + Webhook + API |
| API access | ✗ | ✗ | ✓ |
| Dispute process | Email only | ✓ Dashboard | ✓ Priority |
View full plan details and pricing on our Pricing page.
Yes — multi-domain monitoring is a core use case for our Business and Enterprise plans. There are three common ways organizations use multi-domain support:
Different fixes have very different score impacts. Here are the highest-ROI improvements, ranked by typical score gain and implementation effort:
Your specific report will prioritize the fixes most impactful for your exact score. Our remediation consulting service is available if you need hands-on help implementing any of these changes.
Engagements, process, and what to expect
We offer five core consulting services, all delivered by our certified Denver-based team:
Timelines vary by service type and organization size. Typical durations:
Once you approve a proposal, your dedicated consultant is typically assigned and work begins within 5–7 business days.
Both. The majority of our consulting work is conducted remotely and works perfectly well that way — most security assessments and compliance reviews don't require physical presence. However, for clients who prefer on-site engagements, or for specific services like physical security components or large tabletop exercises, our team can travel to your location anywhere in the US. On-site visits are priced separately based on location and duration. Contact us to discuss what's right for your engagement.
Our consulting team holds active certifications including:
We require all consultants to maintain active certifications and complete a minimum number of continuing education credits annually. Certifications are verified before any client engagement begins.
Absolutely. We offer a free 30-minute discovery call with a senior consultant before any engagement begins. During this call we'll discuss your security situation, goals, and compliance requirements — and recommend the right service or combination of services. There's no obligation to proceed. If we're not the right fit, we'll tell you honestly. You can request your free consultation via our Consulting Services page.
Plans, payments, and subscription details
We offer three subscription tiers for continuous monitoring, plus standalone consulting engagements:
Yes — we offer a free security assessment that delivers a full rating report (letter grade, top 10 vulnerabilities, industry benchmark, and remediation roadmap) with no credit card required and no subscription needed. This is a genuine point-in-time assessment, not a teaser. For paid plans, we offer a 14-day free trial on Professional and Business tiers so you can experience continuous monitoring before committing. Enterprise trials are available by request.
Yes. Professional and Business plans are month-to-month with no long-term contract required. You can cancel at any time from your account settings and your subscription will remain active through the end of the current billing period — no prorated refunds for partial months. Annual plans are prepaid for the full year at a discounted rate and are non-refundable after 30 days. Enterprise agreements are governed by individual contracts — speak with your account manager for details.
Yes to both. Annual billing saves 20% compared to monthly rates across all plans. We also offer a 30% discount for verified 501(c)(3) nonprofits, K-12 schools, and public universities — contact our team to apply. Multi-domain and bulk discounts are available for organizations monitoring more than 25 domains; reach out to discuss custom Enterprise pricing. Partner resellers earn a recurring commission on every client they bring aboard — see our Partner Program page for details.
Integration, developer questions, and technical capabilities
API access is available on Business and Enterprise plans. The Professional plan does not include API access. Business plan users receive up to 10,000 API requests per month with a batch size of 100 domains and webhook support. Enterprise users receive unlimited API requests, a batch size of up to 1,000 domains, dedicated rate limits, and a 99.9% SLA guarantee. Full API documentation is available on our API Documentation page.
Yes. Business and Enterprise plan subscribers, as well as Growth and Elite tier partners, can deliver rating reports branded with their own company logo, colors, and domain. Clients receive reports that appear to come from your brand — with our engine working silently behind the scenes. White-label PDF reports, white-label dashboard links, and white-label email notifications are all supported. MSPs and cybersecurity consultants commonly use this feature to add branded security reporting to their service offering.
We maintain official open-source SDKs for four languages, all available on GitHub under the MIT license:
Our REST API can be called from any language that can make HTTPS requests. See the API docs for full reference.
Yes. Business and Enterprise plan subscribers can set up monitoring alerts on any rated domain — including vendors and suppliers you don't own. You configure alert thresholds (e.g., score drops more than 10 points, a new critical vulnerability is detected, or the letter grade changes) and choose delivery via email, webhook, or API. This is especially useful for vendor risk management programs where you need to be notified automatically when a key supplier's security deteriorates.
How we protect your data and our own security posture
All assessment data — including your detailed vulnerability findings — is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to your report is restricted to your account users only and is never shared with third parties. Our platform infrastructure is hosted in US-based data centers with SOC 2 Type II certification. We conduct annual penetration tests on our own platform and continuously monitor our own security rating — we practice exactly what we preach. Full details are available in our Privacy Policy and Security Whitepaper.
No. We never sell your data or share your detailed assessment findings with any third party. Period. Your vulnerability details, scores, and report data are yours alone. The only rating information that may be visible to other subscribers is a basic summary — letter grade and industry tier — and only when another subscriber has a legitimate permissible purpose (such as a buyer conducting vendor due diligence on your organization). You can opt your organization out of the public directory by contacting our support team.
We maintain an A-grade rating on our own platform — and we're transparent about it. We believe it would be hypocritical to ask clients to trust our security ratings if we didn't rigorously apply the same standards to ourselves. Our own domain is monitored continuously, we conduct an annual third-party penetration test, and our team reviews our internal security controls quarterly. If you'd like to see our current rating summary, contact us and we'll share it directly.
Our platform is primarily focused on US businesses, but we comply with both GDPR and CCPA where applicable. For California-based users, you have the right to request access to, correction of, or deletion of your personal data at any time. For EU-based users, we process personal data in accordance with GDPR — our legal basis for processing is either contract performance or legitimate interest for the security analysis. Our Data Processing Agreement (DPA) is available to Enterprise customers upon request. Contact [email protected] for any privacy-related inquiries.
Schedule a 30-minute call with a security expert to get your questions answered live.
Start with a free assessment — no credit card, no system access, results in 48 hours. Join 500+ US businesses that know exactly where they stand.