Security DataPoint (SDP) provides a quantitative, externally-derived cybersecurity posture score for publicly traded U.S. companies — built for investors, insurers, and risk professionals who need a consistent, comparable benchmark.
SDP evaluates a company's cybersecurity posture using only information observable from the public internet — the same information available to any third party. We do not perform penetration testing, attempt to access protected systems, or rely on self-reported questionnaires.
Our data collection relies on two complementary approaches. The first uses standard internet protocols — including DNS, HTTP/HTTPS, SMTP, and TCP service checks — to observe an organization's externally facing infrastructure. These checks range from passive observation, such as reading public DNS records, to active probes, such as testing whether a service responds on a given port. All interactions use protocols as designed and are non-exploitative and non-destructive. The second draws on structured public disclosures that organizations make about themselves, including regulatory filings, published job listings, and corporate web presence. These are documents and statements the organization itself has chosen to make publicly available.
The result is an objective, outside-in assessment designed for comparability. Every company in our coverage universe is assessed with the same methodology, on the same scale, at regular intervals.
Each company's score is produced through a four-stage process applied consistently across our entire coverage universe.
1. We identify an organization's internet-facing assets — domains, hosts, mail infrastructure, and web properties — using publicly available records.
2. Over a hundred and fifty discrete signals are collected across technical, procedural, and organizational dimensions — drawn from both infrastructure observation and public disclosures.
3. Related signals are consolidated into scored findings, each weighted on a standardized scale and adjusted relative to the organization's footprint size.
4. Findings roll up into sub-categories, categories, and a single normalized score (0–100).
Individual findings are scored on a standardized scale and adjusted relative to the size and complexity of the organization's internet-facing footprint. This adjustment works in both directions: it accounts for the fact that larger, more complex infrastructures naturally present a broader surface, while also recognizing that smaller footprints with concentrated issues may reflect proportionally higher risk. The goal is a fair comparison across organizations of different sizes, not an advantage or disadvantage for any particular scale of operation.
Our methodology distinguishes between two types of findings. The first type is a definitive detection — something is either present or it is not, and the determination is conclusive from the outside. A security.txt file is either published or it isn't. An SPF record is either configured or it isn't. For findings like these, the presence or absence itself is the finding.
The second type involves organizational and programmatic indicators — such as evidence of dedicated security leadership, investment in security tooling, or a formal vulnerability management program. For these, SDP does not claim to know whether an organization has such a program in place internally. What we assess is whether the organization's public disclosures and footprint provide stakeholders with the ability to verify it.
When that verification is not possible, a modest deduction is applied — not as an inference about the organization's internal capabilities, but as a reflection of the transparency available to external stakeholders. This reflects a broadly held view in the security community that disclosure and communication are components of a mature security program. The deduction is intentionally smaller than the weight given to confirmed technical findings, and organizations that wish to make additional information discoverable may do so through our profile claim process.
SDP identifies and attributes infrastructure to assessed organizations through two independent discovery methods based on the nature of the organization's relationship to the underlying network resources.
SDP enumerates domains and subdomains associated with the assessed organization using publicly available registration records, DNS resolution data, and regulatory filings. Infrastructure discovered through this method is attributed to the organization at the level of the individual network address identified — not the broader network range in which that address resides. This approach reflects the principle that an organization's DNS records represent deliberate, authoritative decisions to associate specific network endpoints with its public-facing identity.
Where an organization is identified as the registrant of IP address space through authoritative Internet registry records (such as ARIN WHOIS and BGP routing data), all externally observable infrastructure within that registered space is attributed to the organization. This approach reflects the principle that registration of IP address space carries operational accountability for the security posture of that space, including any resources hosted on behalf of third parties or customers.
These two methods are complementary and may both contribute findings to a single assessment. Infrastructure discovered through domain-based attribution is scoped to the specific addresses identified. Infrastructure discovered through registration-based attribution is scoped to the full registered range. SDP does not claim visibility into infrastructure that is neither domain-associated nor registration-attributed to the assessed organization.
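The scoping rule above, as an added illustration that is not SDP's own code: domain-based attribution covers only the individual addresses the organization's DNS records point at, registration-based attribution covers every address in a registered range, and anything matching neither is left out. The names, addresses and ranges are constructed placeholders from documentation address space.

```python
import ipaddress

# Constructed sample inputs (not SDP data). Names, addresses and ranges are
# illustrative placeholders from documentation address space.
DNS_RESOLUTIONS = {                      # domain-based discovery: name -> addresses
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "app.example.com": ["198.51.100.7"],  # hosted inside a third party's range
}
REGISTERED_RANGES = ["203.0.113.0/24"]   # registry lists the org as registrant
OBSERVED_HOSTS = [                       # externally observed hosts to scope
    "203.0.113.10", "203.0.113.25", "203.0.113.77",
    "198.51.100.7", "198.51.100.8",
]

def attribute_hosts(dns_resolutions, registered_ranges, observed_hosts):
    """Return {host: [methods]} for hosts attributable to the organization.

    Domain-based attribution covers only the individual addresses that the
    organization's own DNS records resolve to. Registration-based attribution
    covers every address in a range the organization is registrant of.
    Hosts matching neither method are omitted (no claimed visibility).
    """
    domain_scoped = {
        ipaddress.ip_address(a)
        for addrs in dns_resolutions.values() for a in addrs
    }
    registered = [ipaddress.ip_network(r, strict=False) for r in registered_ranges]
    attributed = {}
    for host in observed_hosts:
        ip = ipaddress.ip_address(host)
        methods = []
        if ip in domain_scoped:
            methods.append("domain")
        if any(ip in net for net in registered):
            methods.append("registration")
        if methods:
            attributed[host] = methods
    return attributed

if __name__ == "__main__":
    scoped = attribute_hosts(DNS_RESOLUTIONS, REGISTERED_RANGES, OBSERVED_HOSTS)
    for host, methods in scoped.items():
        print(f"{host:15} attributed via {', '.join(methods)}")
```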
SDP collects over 150 signals across six signal categories. Each signal checks a specific, externally observable condition grounded in security practices broadly accepted across the cybersecurity industry.
Examines externally reachable services and network-level configurations. Findings in this category reflect whether services that are generally recommended to be restricted from public internet exposure are, in fact, publicly accessible.
Evaluates the presence and configuration of email authentication standards (such as SPF, DKIM, and DMARC), encryption practices, and the security posture of mail infrastructure as observable from public DNS and mail server responses.
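The "definitive detection" described earlier, applied to the email authentication signals in this category, as an added example rather than SDP's own checker: from a set of DNS TXT answers it records whether an SPF record is published and how its `all` mechanism is qualified, and whether a DMARC record is published and which policy it sets. The TXT answers are constructed sample data and the domain names are placeholders.

```python
# Constructed sample DNS TXT answers (not SDP data), keyed by query name.
# Domain names are illustrative placeholders.
TXT_RECORDS = {
    "alpha.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.alpha.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@alpha.example"],
    "beta.example": ["some-site-verification=abc123", "v=spf1 a mx ~all"],
    "_dmarc.beta.example": ["v=DMARC1; p=none"],
    "gamma.example": [],                  # publishes neither SPF nor DMARC
}

def spf_finding(txts):
    """Definitive detection: is an SPF record published, and how does it end?"""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return {"spf_present": False}
    terms = spf[0].split()
    # The "all" mechanism may carry a qualifier: -all, ~all, ?all, +all or bare all
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        qualifier = None
    elif all_term[0] in "+-~?":
        qualifier = all_term[0]
    else:
        qualifier = "+"                   # bare "all" is equivalent to "+all"
    return {"spf_present": True, "spf_all_qualifier": qualifier}

def dmarc_finding(txts):
    """Definitive detection: is a DMARC record published, and what policy does it set?"""
    rec = next((t for t in txts if t.replace(" ", "").lower().startswith("v=dmarc1")), None)
    if rec is None:
        return {"dmarc_present": False}
    tags = {}
    for part in rec.split(";"):           # DMARC tags are "k=v" pairs separated by ';'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {"dmarc_present": True, "dmarc_policy": tags.get("p")}

def evaluate_domain(domain, records=TXT_RECORDS):
    """Combine the SPF finding for the domain with the DMARC finding at _dmarc.<domain>."""
    findings = spf_finding(records.get(domain, []))
    findings.update(dmarc_finding(records.get(f"_dmarc.{domain}", [])))
    return findings

if __name__ == "__main__":
    for name in ("alpha.example", "beta.example", "gamma.example"):
        print(name, evaluate_domain(name))
```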
Assesses publicly accessible web properties for use of outdated or end-of-life technologies, missing security headers, unintentional information disclosure, and the presence of software components with known published vulnerabilities.
Reviews the health of TLS/SSL implementations including certificate validity and expiration, cipher suite strength, and proper encryption configuration across publicly facing services.
Identifies externally visible indicators of security program maturity — drawing on published security policies, coordinated vulnerability disclosure programs, regulatory filings, leadership disclosures, and job postings that reflect organizational investment in cybersecurity capabilities.
Evaluates DNS security practices, domain registration protections, and the management of foundational internet infrastructure, as observable through public registration records and DNS responses.
The six signal categories above describe what SDP observes. The four assessment categories below describe how those observations are scored. This structure is applied identically across all assessed companies.
Covers the security of internet-facing services and public-facing web applications — the infrastructure an adversary would probe first.
Evaluates externally visible evidence of security governance maturity and the organization's history of publicly disclosed cybersecurity incidents.
Evaluates externally observable indicators of organizational investment in cybersecurity talent and leadership, drawn from corporate disclosures and published job posting data.
Evaluates the geographic dimension of an organization's internet-facing infrastructure, drawing on geolocation data.
The SDP score is a normalized value from 0 to 100 representing the relative strength of a company's externally observable cybersecurity posture, where a higher score reflects a stronger posture. It is designed to be one input among many in a broader risk assessment process.
Scores are most valuable when used comparatively — benchmarking a company against its industry peers, tracking an organization's posture over time, or identifying material differences in security maturity across a portfolio. Whether you are screening sectors, monitoring holdings, evaluating an insurance applicant, or flagging posture changes for further review, the SDP score provides a consistent quantitative baseline where one may not otherwise exist.
External observation, by definition, captures only what is visible from outside an organization. Companies may maintain robust internal security programs, compensating controls, or contextual factors that are not observable from the public internet.
Additionally, because our footprint discovery relies on publicly available records, it is possible in rare cases for an asset to be incorrectly attributed to an organization, or for a legitimate asset to be missed. The depth of assessment may also vary where applicable laws restrict certain types of network observation. We maintain processes to minimize attribution errors and welcome corrections through our profile claim process (see below).
SDP is committed to accuracy and fairness. Any organization that is the subject of an SDP assessment may claim its profile to access the detailed findings underlying its score. This includes the specific assets attributed to the organization and the individual findings identified on each.
Organizations that have claimed their profile may submit corrections or additional context through a structured review process. Common grounds for review include asset misattribution, findings that do not reflect the current observable state of the infrastructure, and supplemental context that may be relevant to interpretation.
All reviews are evaluated based on what is externally observable at the time of re-assessment. SDP aims to acknowledge all review requests within five business days and to resolve them within thirty calendar days.
SDP scores constitute an independent editorial assessment derived exclusively from externally observable, publicly available information. They represent a point-in-time evaluation of an organization's publicly visible cybersecurity posture, generated through a consistent, programmatic methodology applied uniformly across all assessed entities.
SDP scores are not investment advice, insurance underwriting recommendations, security certifications, or ratings issued under any regulatory framework. They are informational in nature and intended to serve as one quantitative data point within a broader analytical framework. Users should integrate SDP data with their own independent due diligence, professional judgment, and additional information sources before making any business, investment, or risk management decisions.
SDP does not assess, and scores do not reflect, the totality of any organization's cybersecurity program, internal controls, policies, or breach likelihood. External observation inherently captures only a subset of an organization's security posture. Many material aspects of cybersecurity — including internal network architecture, employee training effectiveness, incident response capabilities, and compensating controls — are not visible from the public internet and are therefore not reflected in SDP scores.
While SDP endeavors to maintain accuracy and consistency, no warranty is made — express or implied — regarding the completeness, accuracy, timeliness, or fitness for any particular purpose of the scores, findings, or data provided. SDP shall not be liable for any damages, losses, or costs arising from or related to the use of, reliance on, or inability to use SDP scores, data, or related materials. This limitation applies to direct, indirect, incidental, consequential, and punitive damages to the fullest extent permitted by applicable law.
All data collection is conducted through standard internet protocols and publicly available information sources — including regulatory filings, published job listings, and corporate disclosures — in compliance with applicable law. SDP does not perform penetration testing, vulnerability exploitation, or any form of unauthorized access.
Methodology, scoring models, and coverage universe are subject to change. Material methodology changes are versioned and communicated to subscribers prior to taking effect. Historical scores are not retroactively adjusted under new methodology versions.
Security DataPoint posture scores constitute an independent editorial assessment based on externally observable signals. Scores are provided for informational purposes only and do not constitute investment advice, a security certification, or a guarantee of any company's cybersecurity posture. The absence of observed signals does not imply the absence of risk. The presence of observed signals does not imply confirmed compromise. Security DataPoint LLC is not a registered investment adviser, broker-dealer, or Nationally Recognized Statistical Rating Organization (NRSRO).