Comprehensive Cyber Risk Scorecard

Comprehensive Cyber Risk Security Scorecard

Actionable, complete and comprehensive risk assessment for your company or 3rd party vendors.

The comprehensive cyber risk scorecard enables not only to measure the risk level of a company but also it analysis and prioritizes the data to generate an actionable report. The prioritized action list, compliance control and technical details of each finding make security engineers’ lives easier. You can quickly and deeply do your third party risk assessment. Know not only your riskiest assets but also risky vendors. View a sample report.

  • Non-intrusive scan of your web & dark web presence
  • Detailed findings based on cyber threat intelligence about you
  • Hacker reconnaissance! First step of the cyber kill chain
  • Fully automated. All findings are validated & prioritized
  • Self risk assessment or 3rd party risk management

NormShield Risk Categories

The comprehensive cyber risk scorecard (CSRS) enables not only to measure the risk level of your company but also it analyzes and prioritizes the data to generate the actionable, letter-grade and color-coded report. The prioritized action list, compliance control and highly technical details of each finding make security engineers’ lives easier. You can quickly and deeply do your self-assesment or third party risk assessment. NormShield Cyber Risk Scorecard evaluates a company in many different categories. Each category provides specific information about an aspect of a firm’s cyber security posture.

  • Patch Management

    We collect details related to the version number of your systems and software from internet-wide scanners like Censys, Shodan, Zoomeye etc. These version numbers are converted into the corresponding common platform enumeration number (CPE-ID) and are correlated with NIST NVD and MITRE CVSS databases to detect and approximate any unmitigated known vulnerabilities.

  • DNS Health

    We generate DNS health report from 40+ control items which are collected from online services like IntoDNS, Robtex, Netcraft and HackerTarget. Since DNS queries are recursive, it is almost impossible to detect a hacker footprints from the DNS servers.

  • SSL/TLS Strength

    SSL/TLS configurations and vulnerabilities are provided by several 3rd party online services. The results come from various online SSL grading service like Qualys SSL Labs scanner, HTBridge, Mozilla Website Observatory etc.

  • IP/Domain Reputation

    Asset reputation score is based on the number of IPs or domains are blacklisted or they are used for sophisticated APT attacks. The reputation feeds are collected from VirusTotal, Cymon, Firehol, BlackList DNS servers, etc.

  • Hacktivist Shares

    Hackers publicize their targets in underground forums or darkweb. NormShield collects information from hundreds of dark forums, criminal sites and hacktivist sites and filters the results for the corresponding company.

  • Fraudulent Applications

    Fraudulent or pirate mobile / desktop applications are used to hack / phish employee or customer data. Possible fraudulent or pirate mobile/desktop apps on Google Play, App Store and pirate app stores are provided.

  • Information Disclosure

    Company employees may disclose Local IPs, email addresses, version numbers, whois privacy records or even misconfigure a service in a way that it may expose sensitive information to the internet.

  • Brand Monitoring

    Brand monitoring is a business analytics process concerned with monitoring various channels on the web or media in order to gain insight about the company, brand, and anything explicitly connected to the cyber space.

  • DDoS Resiliency

    This section shows the result of 15 different potential DDoS checks and detects any potential DDoS amplification endpoints. The data is collected from non-intrusive scanners and internet-wide scanners.

  • CDN Security

    A content delivery network (CDN) is a large distributed system of servers deployed in multiple data centers across the Internet. Companies use CDN for online libraries like JQuery. This section analyzes the CDN content to detect possible vulnerabilities

  • Application Security

    We collect the contents web applications from various internet-wide scanners and analyze them for application level weaknesses i.e. Cross Site Request Forgery, Cross Content Mixing, Plain Text Transmission of Sensitive Information etc. The results are correlated with MITRE CWE database to detect the severity level of each findings.

  • Email Security

    We collect vulnerabilities related to potential email servers and SMTP misconfigurations like open relay, unauthenticated logins, restricted relay, SMTP ‘Verify’ vulnerabilities from the online services like MxToolbox and eMailSecurityGrader.

  • Leaked Credentials

    There are more than 5 billion hacked email / password available on the internet and underground forums. This section shows the leaked or hacked emails & passwords.

  • Social Network

    Hackers publicize their targets or even victims on social network sites to motivate other hackers to attack the same target. The results are filtered from billions of social media content.

  • Fraudulent Domains

    Fraudulent Domains and subdomains are extracted from the domain registration database. The registered domains database holds more than 300M records.

  • Digital Footprint

    Digital Footprint is determined by open ports, services and application banners. This information is gathered from NormShield crawlers, Censys, VirusTotal, Robtext, Alexa, Shodan etc.

  • Attack Surface

    Attack surface is the technical analysis of open critical ports, out-of-date services, application weaknesses, SSL/TLS strength and any misconfigurations. This information is gathered from Censys & Shodan database and service / application versions are correlated with Passive Vulnerability Scan results.

  • Network Security

    This sections analyzes the network level problems and detects any critical ports, unprotected network devices, misconfigured firewalls and service endpoints.

  • Web Raking

    Cisco, Alexa and Majestic track web sites and rank them according to popularity, back-links, references, etc. This subcategory shows Alexa and Majestic trends, Google Page insight speed test results as well as Web Content Accessibility Guidelines (WCAG) 2.0 parsing compliance findings.

  • Website Security

    This is a special analysis of the company’s main website. We collect findings related to your SSL/TLS Strength, Patch Management, Application Security, Web Ranking and Brand Monitoring.

The Methodology

Cyber Threat Susceptibility Assessment (CTSA) is a methodology for evaluating the susceptibility of a system to cyber-attack developed by MITRE. CTSA quantitatively assesses a system's [in]ability to resist cyber-attack over a range of cataloged attack Tactics, Techniques, and Procedures (TTPs). CTSA consists of the following steps:


Product Methodology

To generate the scorecard, NormShield needs only the company domain. The engine collects the related information from VirusTotal, Passive DNs servers, web search engines and other Internet wide scanners as well as NormShield's proprietary databases which holds more than 10 billion historic items. The engine searches the database in order to find all IP address ranges and domain names that belong to the company. NormShield uses what is called Open Source Intelligence (OSINT) that is shown below to gather information. The following map shows how hackers can leverage their attack vectors by using OSINT resources like hacker forums, social networks, Google, leaked database dumps, paste sites or even legitimate security services like VirusTotal, Censys, Cymon, Shodan or Google Safe Browsing.



This data is compiled by NormShield into a simple, readable report with letter-grade scores to help identify and mitigate potential security risks. It identifies the risks (CVE / CWE), the risk score of the corresponding vulnerabilities / weaknesses (CVSS / CWSS), attack patterns (CAPEC / FIPS-199 impact level). NormShield also classifies the finding into FISMA Cyber Security Framework Area and Maturity Level, NIST 800-53 Control Family, FIPS-200 Area, NIST 800-37 Process Step. NormShield does all of this without scanning or modifying any of the organization’s business assets.