The Security Rating Charade: Why Your $250,000 Tool Keeps You in the Dark

SecurityScorecard, UpGuard, and Bitsight charge enterprises six figures for letter grades. But CISOs are discovering these ratings don't predict breach costs. Here's what's missing — and the growing movement toward financial-exposure-based risk assessment.

TL;DR: The external attack surface management market hit $1.25B in 2026, led by SecurityScorecard, UpGuard, and Bitsight. Their core product — the A-F security rating — is a boardroom artifact that doesn’t predict financial loss. Meanwhile, 73% of CISOs say they suffered breaches from unknown/unmanaged assets. The gap between what these tools cost and what they actually prevent is widening, and a new approach focused on financial exposure is gaining momentum.


The $1.25B Blind Spot

In 2025, the External Attack Surface Management (EASM) market was worth $1.03 billion. By 2026, it hit $1.25 billion — a 21% CAGR that shows no sign of slowing. By 2034, analysts project $5 billion.

The dominant players are well-known:

Platform               | Pricing model           | Starting cost       | Core product
SecurityScorecard      | Per-entity licensing    | ~$50k–$250k+/yr     | A-F letter grade
UpGuard                | Per-entity licensing    | ~$30k–$150k+/yr     | Numeric security rating (0-950)
Bitsight               | Enterprise subscription | ~$40k–$200k+/yr     | Security rating + forecasting
Black Kite             | Per-vendor pricing      | ~$25k–$100k+/yr     | Open FAIR-based scoring
RiskRecon (Mastercard) | Enterprise              | Custom              | Asset-level scoring

These are not small investments. Yet there’s a growing chorus of CISOs asking the same uncomfortable question:

What does an A rating actually tell me about my financial exposure?


The Three Cracks in the Ratings Industry

1. Scores Don’t Predict Breaches

A 2026 study by the Cyentia Institute found that security ratings correlate only modestly with breach likelihood. Two organizations with identical letter grades can have materially different exposure profiles — one might have an exposed RDP server (immediate ransomware risk), while the other has a missing security header (low-impact configuration issue).

The scoring aggregates are too coarse to drive action.

2. Pricing Excludes the People Who Need It Most

SecurityScorecard serves 70% of the Fortune 100. Bitsight’s enterprise pricing starts well past what most mid-market organizations can justify. Even UpGuard, the most accessible major player, requires a multi-thousand-dollar annual commitment for anything beyond their free tier.

This leaves a massive gap: SMBs and mid-market firms — exactly the companies most likely to suffer catastrophic breaches — cannot afford the tools designed to protect them.

And for insurance brokers who need to assess dozens of clients’ risk profiles simultaneously, the per-entity licensing model is prohibitive.

3. Letter Grades Don’t Speak to CFOs

The fundamental disconnect: security teams buy these tools to report to boards and CFOs, but CFOs cannot act on a B- vs C+ score. What a CFO needs to know is:

“If we’re breached next quarter, what’s the expected financial impact, and which three things should we fix first to reduce it?”

A letter grade answers neither part of that question.


What the Research Actually Shows

The most revealing data point from 2026:

~30% of large businesses can see less than 75% of their own internet-facing assets.

Not defend. See. One in three enterprises has blind spots in their own attack surface. And when 73% of security leaders report incidents caused by unknown or unmanaged assets, it becomes clear: the problem isn’t a lack of rating sophistication. It’s a lack of complete visibility connected to financial consequence.

The shift that’s actually happening in the market:

Old approach                  | New approach
Security rating (0-950, A-F)  | Financial exposure estimate (€)
Scan quarterly or monthly     | Continuous monitoring
Aggregate score per entity    | Per-asset risk quantification
Report for board meetings     | Action plan for security teams
Enterprise-only pricing       | Self-serve, affordable tiers
TPRM questionnaire add-ons    | Integrated assessment workflows

The Emerging Alternative: Financial-Exposure-Based Assessment

A new category is emerging: tools that skip the letter grade entirely and go straight to financial impact.

Instead of “Your score is 720/B+”:

“Your domain portfolio has €340,000–€890,000 in probable financial exposure. Here’s the breakdown: exposed RDP on test-server.yourdomain.com (€180k), expired TLS on api.yourdomain.com (€35k), SPF misconfiguration enabling BEC attacks (€220k). Fix all three this week for under €50.”

This approach is gaining traction for three reasons:

1. It’s immediately actionable. Every finding maps to a fix with a cost and timeline. No drill-down required.

2. It speaks the language of business. CFOs, CEOs, and insurance underwriters all understand euros. They don’t understand “your security posture declined 12 points.”

3. It enables self-serve pricing. Financial-exposure-based tools don’t require the sales-engineered enterprise deals that rating platforms depend on. They can offer free tiers for basic scanning, one-off PDF reports for €9, and subscription tiers for continuous monitoring at €199/mo and up.


Brokers Are the Canary in the Coal Mine

Insurance brokers are the most sensitive indicator of this shift. A broker assessing 50 client portfolios for cyber risk cannot pay per-entity enterprise pricing. They need:

  • Free basic assessment — run a quick scan on any client domain
  • Report output in broker language — what does this mean for coverage placement?
  • Batch capability — assess multiple clients without multiple contracts
  • Affordable pro tier — €199/mo, not €50k/yr

This is precisely the segment that the incumbent rating platforms underserve. And it’s the segment with the highest willingness to pay for a self-serve tool that actually quantifies risk in financial terms.


Where the Market Is Heading

The $1.25B EASM market will continue growing, but the growth will bifurcate. At the top, enterprise TPRM platforms will consolidate (SecurityScorecard, UpGuard, Bitsight). At the bottom, a new wave of self-serve, financial-exposure-based tools will capture mid-market, SMB, and insurance intermediary segments.

The winners in this emerging tier will share three traits:

  1. No enterprise sales dependency — self-serve onboarding, no demo required
  2. Financial-denominated output — euros, not letter grades
  3. Vertical-specific workflows — built for how insurance brokers, not generalist security teams, actually work

The Bottom Line

Security ratings aren’t going away. They’re deeply entrenched in enterprise TPRM programs and unlikely to be displaced at the Fortune 500 level. But for the 73% of organizations that can’t afford six-figure annual contracts — and for the brokers, underwriters, and risk engineers who need to assess risk in financial terms — a different approach is emerging.

The question isn’t whether your security posture is an A or a B. It’s: how much money would you lose, and what should you fix first?


Resiliently.ai provides domain-exposure assessment and cyber risk quantification for insurance professionals — in euros, not letter grades. Read more: Attackers Don’t Wait 24 Hours: Why Daily ASM Scans Leave You Exposed and Why SMBs Can’t Afford Cyber Risk Quantification (And Why That’s About to Change). Run your first free scan at resiliently.ai/tools/domain-exposure.

Michael Guiao Michael Guiao founded Resiliently AI and writes Resiliently. He has CISM, CCSP, CISA, and DPO certifications — but let them lapse, because in the age of AI, knowledge is cheap. What matters is judgment, and that comes from eight years of hands-on work at Zurich, Sompo, AXA, and PwC.
