What to Expect from Bitsight’s 2025 Ratings Algorithm Update
In anticipation of Bitsight’s upcoming 2025 Ratings Algorithm Update (RAU), many organizations are eager to learn more about what to expect from the changes. We are excited to share that the update will be ready for preview on April 8th in the Bitsight applications so that everyone can proactively prepare for the RAU.
Background
Per our communication in February, we’ll be rolling out the RAU in July 2025. These changes will enhance the fidelity of our risk scoring and will also make the resulting security rating process cleaner, clearer, and more transparent than ever.
We encourage organizations to use the preview dashboard to prepare for these adjustments to the ratings calculation. In this post we’ll provide more background information on the update, why we’ve made changes, and what they will mean for organizations that use the Bitsight Security Rating.
We’ll also explain how the three-month preview window can help your organization understand the impact of the changes in advance of the go-live date.
Why does Bitsight conduct annual Rating Algorithm Updates (RAUs)?
The Bitsight Security Rating relies on our state-of-the-art risk rating algorithm to turn reliable and verifiable signals across 25 risk vectors into an objective measurement of an organization’s overall risk posture. The algorithm governs the weighting of different signals in determining the overall rating.
The annual RAU adjustment is a part of our ongoing commitment to maintain fair and accurate security ratings. The update process enables us to align our quantitative measurement practices with evolving trends in cyber risk.
This annual cadence of RAU updates makes it possible for Bitsight to make important adjustments that ensure the rating has a strong correlation with real-world cybersecurity outcomes while still maintaining stability for users. This deliberate approach to updates mirrors how other ratings industries in areas like credit and insurance keep their ratings relevant to current risk environments while ensuring backward and forward comparability of numbers over time.
What’s changing with the 2025 RAU?
This year’s RAU consists of four major changes.
1. Web Application Security risk vector: The Web Application Security risk vector will now impact ratings, replacing the 5% weight of Web Application Headers in the overall rating. This shift modernizes the algorithm by providing a more comprehensive way to measure how well an organization’s web applications adhere to application security best practices. As part of the Diligence risk category of the Bitsight Security Rating, this risk vector looks for findings about web applications in line with the OWASP Top 10. These include using components with known vulnerabilities, broken authentication and access control, sensitive data exposure, absence of cross-site scripting prevention mechanisms, and security misconfigurations.
2. Decreasing the time period on findings with insufficient data or no data: If the only finding for a risk vector expires, Bitsight currently continues to use that finding for up to 400 days past its expiration date. With RAU25 this will decrease to 340 days, ensuring that the findings still contributing to a rating are always visible to users.
3. Clarifying the path to perfect on risk vector grades: To improve the transparency of Bitsight ratings, we’re now providing greater visibility into the number of positive findings needed to establish a perfect risk vector grade for certain risk vectors. For some risk vectors, Bitsight applies a minor downgrade to companies with low finding counts, whether or not there are negative findings; this reflects the uncertainty in a score derived from few findings. The amount of the downgrade will now be determined by the finding count itself, rather than, as under the current method, relative to other organizations. This added visibility will help companies understand how to achieve perfect ‘A’ grades for the critical Open Ports, TLS/SSL Configurations, and Server Software risk vectors.
4. Ratings drop prevention: This update ensures that rating drops for certain risk vectors will not occur when there are no negative findings for those vectors. It also ensures that a rating remains stable when an organization has only positive finding grades for those risk vectors.
How to understand RAU25’s impact on your organization’s rating
Starting on April 8th, you can preview your organization’s current rating compared to what it may look like in the future using the new algorithm. This will help your organization begin to understand how these updates will impact your rating and to start planning remediations in advance of the changes, as well as to communicate with your stakeholders about any expected changes.
The preview dashboard will be updated weekly for the next three months until the 2025 RAU is implemented in July.

What’s driving this year’s update?
As with previous RAUs, this latest update is driven by our published principles for fair and accurate security ratings. Transparency, accuracy and validation, and model governance are among the principles driving the changes in the 2025 RAU.
Specifically with regard to the ratings-impacting changes around web application security, we endeavored to telegraph our intentions by making these findings visible even before they were used as part of the overall ratings calculation. Many companies that depend on Bitsight ratings have been asking for a more comprehensive measure that evolves the value of the Web Application Headers risk vector. Leveraging the OWASP framework, our Bitsight security researchers helped guide how we collected and measured the data signals that went into the Web Application Security Risk vector.
“Our approach to web application security metrics involves leveraging the OWASP Top 10 as a foundation for our assessments,” explained Pedro Umbelino, principal research scientist at Bitsight, in a recent deep dive into the newly ratings-impactful risk vector. “These assessments are meticulous, providing detailed forensic data and tailored remediation strategies for identified vulnerabilities.”
At the same time, the other three changes in this RAU were brought together under the number one principle of transparency. Our biggest goal for this update was to maximize visibility into, and understanding of, what it takes to achieve the highest possible Bitsight rating. We believe that Bitsight customers and the broader security community will benefit greatly from these changes and see them as a sign of Bitsight’s commitment to listening to risk leaders’ needs and delivering actionable cyber risk intelligence to measure and manage cyber risk in 2025.
Learn more about the Bitsight Security Rating
If you would like to learn more about how the Bitsight Security Rating works and view examples of its correlation with real-world cybersecurity outcomes, be sure to visit our security ratings overview page.