Great tool for cyber monitoring
What do you like best about the product?
Security Scorecard is a premier tool for cyber monitoring. The tool has great dashboards, metrics and follow-up capabilities. The customer service experience has been well too.
What do you dislike about the product?
The tool was not as user friendly as it competitors. Its for more tech heavy users. This tool isn't ideal for collaboration with other business units such as legal/contract mgmt.
What problems is the product solving and how is that benefiting you?
Security Scorecard was purchased to fill our gap in our third party risk management program. Our processes were manual and time intensive and this tool has helped automate the monitoring of our vendors.
A Good Service For Vendor Reviews
What do you like best about the product?
They provide a brief, in depth look at a company's external facing internet presence. They monitor and alert me to issues with my footprint, and they also provide a quick way for me to assess whether a vendor takes security seriously.
What do you dislike about the product?
They can be sticklers when they make a mistake. It can take multiple touch points to get them to remove an IP that isn't mine which they accidentally attributed to me.
What problems is the product solving and how is that benefiting you?
External vulnerability notifications and vendor management.
SecurityScorecard Review
What do you like best about the product?
Most of the functionalities are valuable. The atlas assessments are the part that I mostly like in this platform.
What do you dislike about the product?
Nothing special. This product is very good product for the banking related customers mostly.
What problems is the product solving and how is that benefiting you?
Most of the time handled with the application-related portfolio management and IT risk management kind of things on the securityscore card.
Provides security footprint insights and is free, but not enough features are included in the free tier
What is our primary use case?
We were asked by a customer to respond to issues raised on the platform regarding our security score.
We are using the free offering at the moment. For something that was not part of our selection, I would like to have more features available. In that context, the paid subscription is pricey for an organization of our size.
As the approach is widely automated information gathering, there is a wide gap from free to paid which makes it hard for smaller organizations to get better security awareness. There is always the notion that a breach is expensive, however, that does not mean vendors can collect anything they like in terms of pricing. It has to be reasonable.
They freshly introduced Attack Surface Index where you can search for specific software in their database. The free tier got a bunch of requests for free to get a feel of the feature. It was very nice to snoop around to find out who has which vulnerability listed or how many vulnerable exchange boxes are out there in France still running on Exchange 2013. The feature went into paid tier after a period.
How has it helped my organization?
With SecurityScorecard we gained more insight into our security footprint. The platform does very little to help with issues. Maybe that is for paid subscribers. Every so often, issues are re-surfacing and you have to re-explain everything.
Don't get me wrong, although it is not very nice to have security issues (or symptoms of such) thrown at you, it is nicer than some ransom demand.
With its automated approach, nothing is missed on the IPs your organization is related to. Still, it is extra work. We use the findings as a todo-list whenever something pops up.
In the past months, we had success at removing findings that are not our own like the Skype for business-IP hosted by Microsoft.
We had some findings regarding open ports after publishing systems on public IPs. We found out that way the firewall opens several ports for every public IP when enabled. Now we can disable these pro-active.
What is most valuable?
You can have notifications for changes in your score. It really helps to not have to come back every now and then to look score changes up.
I also like the report options in place. They could be more configurable but there will always be disagreement on reporting options.
You can also invite team members to help solve problems.
It's good for a security solution. You can protect your logins with MFA.
We use the findings as a means to keep third parties up-to-date by forwarding reports to them so they can see we are able to track every vulnerability.
What needs improvement?
There could be more information in regards to solving problems like hints on what specifically to look for.
There should be the option to split responsibility for certain areas. This would be mandatory if we want to invite external consultants to look at things together.
As mentioned above, the pricing for a paid subscription is too high for "just" a monitoring platform.
They don't fix your issues. Instead, you have to come up with a good explanation of why things are the way they are. Small teams might not have the patience to re-submit closure of issues due to the fact that the explanation for the issue is not accepted.
For how long have I used the solution?
We have been working with the service for over three years now.
What do I think about the stability of the solution?
We had no issues with stability so far. There is no high-volume traffic going on when using it. We discovered that login requires disabling the "no-tracking"-option in MS Edge Browser.
What do I think about the scalability of the solution?
It's a web-based service. There should be no issue with scalability.
How are customer service and support?
It's not the most responsive technical support so far. Most issues are not fixed in an hour. Users shouldn't expect confirmation to be there at that time. If you expect 1-3 days you are well-positioned with a no-fee service.
The response quite improved on most inquiries over the last year.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We did not previously use a different solution.
How was the initial setup?
The initial setup is easy. You just log in with your work email. That's it.
What about the implementation team?
I suspect that no one was tasked with security to onboard here.
As their database already has all your public outings (IT-wise) there is nothing to set up, really. Just register and claim your tenant, invite your team and your set.
Don't forget to enable MFA!
What was our ROI?
There is no ROI for a free tier. We would need to provide an explanation about paid subscriptions for just a security ticket system in the cloud.
What's my experience with pricing, setup cost, and licensing?
They already have set up for most organizations with their security footprint gathered from WHOIS, DNS, and other sources. Therefore, no setup cost would be reasonable. The pricing could be split into a lower-paid tier for smaller organizations and another higher tier for others with a more security-focused outlook. $1000 per month is more than some companies pay for their internet connections in total.
UPDATE: they have a new 400$ a month tier for starters.
They cover the complete IPv4 address space with their own sensor network.
They change their perspective on what actually impacts your score over time which you should be aware in order to get no surprises when your score drops suddenly. But that is a very transparent process with a heads-up on what to expect by the new scoring mechanism. Our score got dumped once and is now back on the same level.
A lot of the findings are open for discussion (you can claim that is not a finding within good reason). They hear you out and some of the new scorings are in answer to customer requests (as I see it - could be mistaken though).
Which other solutions did I evaluate?
We were forced (or rather, invited) to use that solution by a customer.
What other advice do I have?
Don't expect answers for closing issues right away. There are still people involved who re-check the issues for proper fixes and if your explanation for "that's no issue" is acceptable.
Resolve time improves if you state a link to sites that proof your changes like https://redirect-checker.org/ or https://httpstatus.io/.
Just like with AI, context enriches the issue for the one handling it, making it easier to speak of the same things, which is not always easy.
Look for integrations into other systems. Maybe you can tap into your XDR for Securityscorecard to get more data and have a better view of your exposure.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Enterprise IT Risk rating Tool
What do you like best about the product?
Vulnerability Report includes all aspect of Security, including application, IT Infrastructure, and signature reflecting with malware.It determines these vulnerability from outside footprinting without authenticated scan, There report shows all the information which a hacker can see from outside. Also it helps the organization to decide the partner which secures their IT properly.
What do you dislike about the product?
When there is new organization with whom you wish to have partner it takes around seven days of time to provide its risk report.
Sometime it rate higher for certificate-related vulnerability. Also some times it includes the IP misrepresentation in the report
What problems is the product solving and how is that benefiting you?
Vendor RIsk Assessment
Report easily represented in any GRC tool
SecurityScorecard - Review
What do you like best about the product?
Easy to administer domains and delivery the results to the Board
What do you dislike about the product?
price structure is a bit complicated to handle
What problems is the product solving and how is that benefiting you?
Clear picture of all external vulnerabilities for a specific domain (and all related vendors)
Good software
What do you like best about the product?
I think best feature is on scoring feature, I can compare more than one company
What do you dislike about the product?
I dislike if I must solved the issue by myself
What problems is the product solving and how is that benefiting you?
The problem I solving like close security hole was exposed on public
Good idea but badly implemented, and poorly supported
What do you like best about the product?
The idea, the chance to assess the risk level and the security posture of various competitors, business partners and service providers
What do you dislike about the product?
Some of the assessments are producing misleading reports, the grade / score appears to be arbitrary and shall not to be trusted. Client Support is terrible.
What problems is the product solving and how is that benefiting you?
Status comparison between my company and other business entities
SecurityScorecard is a good application to scoring about security on a company I think all is ok
What do you like best about the product?
I think the best have in Scoring feature, in there we can see what is vulnerability on our system or network
What do you dislike about the product?
So far I dislike if I see many vulnerability I must patching haha
What problems is the product solving and how is that benefiting you?
I patching my problems like update old software and close the port was exposed to the public
Start a conversation with score card
What do you like best about the product?
You can get a real score from many different sources within minutes, this score is updated over the time so you can get real statistics from the changes in the applications or network.
What do you dislike about the product?
If the company has not been populated before, in some cases the first discovery takes up to 7 days. A 24 hours earlier report would be a good feature
What problems is the product solving and how is that benefiting you?
I use Security Scorecard to start a conversation with my customers, the main benefit is getting more services purchased by the customer due to the to acknowledge of the failures on the network/application.
