Security teams increasingly rely on BitSight scores for vendor assessments, board reporting, and insurance underwriting. But few understand the methodology behind the numbers. This guide breaks down exactly how BitSight scoring works.
The Scoring Model
BitSight uses a proprietary algorithm that processes externally observable security data to produce a score between 250 and 900. The model is designed to correlate with breach probability — organisations with lower scores are statistically more likely to experience a security incident.
The score is recalculated continuously as new data comes in, though different risk vectors are scanned at different frequencies. Critical vectors like compromised systems are monitored in near-real-time, while configuration-based vectors are assessed weekly or monthly.
Risk Vector Categories
BitSight evaluates approximately 23 risk vectors, grouped into four categories. Not all vectors carry equal weight — some can move your score by 100+ points, while others have minimal impact.
1. Compromised Systems (Highest Weight)
This category has the single largest impact on your score. It includes:
- Botnet infections — Machines on your network communicating with known command-and-control servers
- Malware servers — Hosts serving or distributing malware
- Spam propagation — Corporate IPs appearing on spam blacklists
- Potentially exploited — Systems showing signs of active compromise
- Unsolicited communications — Unusual outbound traffic patterns
A single botnet infection can drop your score by 30-50 points. Multiple infections in the same period can cause a 100+ point decline.
2. Security Diligence (Medium-High Weight)
These are the proactive security measures BitSight can observe externally:
- SPF — Sender Policy Framework records for email authentication
- DKIM — DomainKeys Identified Mail signing
- DMARC — Domain-based Message Authentication enforcement level
- TLS/SSL certificates — Validity, chain integrity, protocol versions
- Open ports — Services exposed to the internet
- Web application headers — Security headers like HSTS, CSP, X-Frame-Options
- Patching cadence — Speed of applying updates to public-facing infrastructure
- DNSSEC — DNS Security Extensions implementation
- Mobile application security — Security of published mobile apps
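The web application header vector above is the one that is easiest to self-check before an external scanner does. The following Python is an added example (not BitSight's code and not part of the original guide) that evaluates a response's HSTS, CSP and X-Frame-Options headers the way an external observer would: it flags missing headers, short HSTS lifetimes, CSP script sources that permit inline scripts or any origin, and absent clickjacking protection. The three header sets in `SAMPLE_RESPONSES` are constructed, not captured from any real site.

```python
from typing import Dict, List

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds, a common minimum for HSTS

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "hardened": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "weak": {
        "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src * 'unsafe-inline'",
    },
    "missing": {},
}


def _split_directives(value: str, sep: str) -> Dict[str, List[str]]:
    """Split a ';'-separated header into lower-cased directive -> arguments.
    sep="=" handles HSTS ('max-age=300; includeSubDomains');
    sep=" " handles CSP ("default-src 'self'; script-src 'self'")."""
    out: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if sep == "=":
            name, _, rest = chunk.partition("=")
            out[name.strip().lower()] = [rest.strip()] if rest.strip() else []
        else:
            parts = chunk.split()
            out[parts[0].lower()] = parts[1:]
    return out


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the three controls look sound."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = _split_directives(hsts, "=")
        max_age = (d.get("max-age") or [""])[0]
        if not max_age.isdigit():
            findings.append("HSTS max-age missing or not numeric")
        elif int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    csp_dirs = _split_directives(csp, " ") if csp else {}
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when it is not set explicitly
        script_src = csp_dirs.get("script-src", csp_dirs.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP script sources allow 'unsafe-inline'")
        if "*" in script_src:
            findings.append("CSP script sources allow any origin (*)")

    xfo = h.get("x-frame-options")
    if xfo is None and "frame-ancestors" not in csp_dirs:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value '{xfo}' is not DENY or SAMEORIGIN")

    return findings


def check_all(responses=SAMPLE_RESPONSES) -> Dict[str, List[str]]:
    """Evaluate every sample response and return findings keyed by name."""
    return {name: check_headers(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, findings in check_all().items():
        print(f"{name}: " + ("; ".join(findings) or "no findings"))
```

In practice you would feed `check_headers` the headers returned by your own HTTPS request to each public hostname; the thresholds here (one-year HSTS, no `*` or `'unsafe-inline'` in script sources) are the example's assumptions, not published BitSight criteria.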
3. User Behaviour (Medium Weight)
Indicators of risky behaviour originating from your network:
- Peer-to-peer file sharing — BitTorrent and similar protocols on corporate networks
- Tor exit node traffic — Connections routing through the Tor network
4. Public Disclosures (Variable Weight)
Publicly known incidents tied to your organisation:
- Data breaches — Reported breaches with time decay (recent = heavier impact)
- Credential leaks — Employee credentials appearing in breach databases
How Weighting Works
BitSight doesn’t publish exact weights, but through analysis and their documentation, the approximate impact hierarchy is:
- Compromised systems — ~35-40% of score impact
- Email authentication (SPF/DKIM/DMARC) — ~15-20%
- TLS/SSL configuration — ~10-15%
- Open ports — ~8-12%
- Patching cadence — ~8-10%
- User behaviour — ~5-8%
- Other vectors — ~5-10%
The key insight: eliminating compromised systems and implementing proper email authentication addresses the vectors that together account for over 50% of score impact. Everything else is incremental improvement.
Data Sources
BitSight collects data from multiple sources to build its assessments:
- Network sensors — Global sensor network monitoring internet traffic patterns
- Sinkhole infrastructure — Controlled domains that capture botnet traffic
- DNS enumeration — Mapping an organisation’s complete digital footprint
- SSL/TLS scanning — Active probing of web services
- Darknet monitoring — Credential leaks and breach data
- Public records — Breach disclosures, regulatory filings
- IP attribution — Mapping IP ranges to organisations (including subsidiaries)
Score Calculation Timing
Different vectors refresh at different intervals:
- Near real-time: Compromised systems, malware activity
- Daily: Spam blacklists, DNS records
- Weekly: TLS configuration, open port scans
- Monthly: Patching cadence analysis
- Event-driven: Public breach disclosures
After making improvements, expect 2-4 weeks for the full score impact to materialise. Some vectors like DMARC changes can reflect within days.
Practical Scoring Tips
Based on working with organisations to improve their scores, here are the most effective strategies:
- Map your attack surface first — Ensure BitSight has the correct IP ranges and domains attributed to your organisation. Incorrect attribution can drag your score down unfairly.
- Prioritise compromised system remediation — Set up alerts for any new infections and target same-day or next-day remediation.
- Get DMARC to enforcement — This is often the quickest high-impact win. Many organisations have SPF but DMARC is still at p=none.
- Audit your external perimeter monthly — Use your own scanning tools alongside BitSight to catch open ports and misconfigured services.
- Monitor subsidiary scores — BitSight attributes subsidiary infrastructure to the parent company. A subsidiary with poor security can drag down the overall group score.
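The SPF/DKIM/DMARC risk vector in the Security Diligence category and the "get DMARC to enforcement" tip above both come down to what the published TXT records say. The following Python is an added example (not BitSight's code and not part of the original guide) that parses SPF and DMARC records and classifies a domain's posture: it reports a missing or permissive SPF `all` term, a DMARC record at `p=none`, and a quarantine/reject policy that only covers a fraction of mail via `pct`. The records in `SAMPLE_RECORDS` are constructed for `.example` domains, not real lookups; in use you would replace them with the TXT records returned for `<domain>` and `_dmarc.<domain>`.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real domains): what TXT lookups of
# "<domain>" (SPF) and "_dmarc.<domain>" (DMARC) might return.
SAMPLE_RECORDS = {
    "enforced.example": (
        "v=spf1 include:_spf.mail.example -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    ),
    "monitoring.example": (
        "v=spf1 ip4:192.0.2.0/24 ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    ),
    "partial.example": (
        "v=spf1 ip4:198.51.100.10 ?all",
        "v=DMARC1; p=quarantine; pct=25",
    ),
    "absent.example": (None, None),
}


@dataclass
class EmailAuthReport:
    spf_present: bool
    spf_all: Optional[str]        # qualifier on the terminal "all" mechanism
    dmarc_policy: Optional[str]   # DMARC p= tag, or None when no record exists
    dmarc_pct: int                # share of mail the DMARC policy applies to
    enforced: bool                # True only for quarantine/reject at pct=100
    findings: List[str] = field(default_factory=list)


def parse_spf(record: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Return (record present, qualifier of the 'all' mechanism).
    The qualifier is '-', '~', '?' or '+'; None when no 'all' term exists."""
    if not record or not record.lower().startswith("v=spf1"):
        return False, None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return True, m.group(1) or "+"   # a bare "all" means "+all"
    return True, None


def parse_dmarc(record: Optional[str]) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return {}
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> EmailAuthReport:
    """Classify one domain's SPF/DMARC posture and list the weaknesses found."""
    findings: List[str] = []

    spf_present, spf_all = parse_spf(spf_record)
    if not spf_present:
        findings.append("no SPF record published")
    elif spf_all in (None, "+"):
        findings.append("SPF has no restrictive 'all' term, so any sender passes")
    elif spf_all == "?":
        findings.append("SPF ends in ?all (neutral), which rejects nothing")

    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100   # pct defaults to 100
    if not tags:
        findings.append("no DMARC record published")
    elif policy == "none":
        findings.append("DMARC is at p=none: reports only, no enforcement")
    elif policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC p={policy} applies to only {pct}% of mail")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is not a valid p= value")

    enforced = policy in ("quarantine", "reject") and pct == 100
    return EmailAuthReport(spf_present, spf_all, policy, pct, enforced, findings)


def assess_all(records=SAMPLE_RECORDS) -> Dict[str, EmailAuthReport]:
    """Assess every sample domain and return reports keyed by domain."""
    return {domain: assess(spf, dmarc) for domain, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, report in assess_all().items():
        status = "ENFORCED" if report.enforced else "NOT ENFORCED"
        print(f"{domain}: {status}; " + ("; ".join(report.findings) or "no findings"))
```

Running the check across all domains and subsidiaries you own gives a list of where DMARC still sits at `p=none` or is only partially applied, which is the remediation queue the tip above describes; treating `pct` below 100 as "not enforced" is this example's own threshold.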
How Mature Is Your Security Programme?
Our Cyber Risk Maturity Assessment evaluates the same domains BitSight scores — access control, network security, incident response, and more.
Related Tools
- Wazuh — Security monitoring that helps detect the compromised systems BitSight flags
- Grafana + AI — Visualise security metrics and track your scoring improvements