
Panorays Cyber Posture Rating & Methodology


The Panorays Cyber Posture Rating is an absolute 0–100 score that reflects the security posture of a company’s public-facing digital footprint.

Panorays customers use this rating—alongside other inputs such as security questionnaires, business context, and risk indicators—to evaluate and manage the cyber risk of their third parties.

The rating provides an objective, continuously updated view of a company’s external attack surface and highlights security gaps that may require remediation.


Non-Intrusive External Assessment

Panorays performs a non-intrusive, external cyber posture assessment, allowing continuous monitoring without requiring consent from the assessed company.

Assessment data is collected from:

  • Public sources (e.g., asset reputation and threat intelligence feeds)

  • Light probes (similar to search engine indexing bots)

Panorays is a 100% SaaS-based platform and does not access internal company resources.

While no active exploitation is performed, some public intelligence sources (e.g., botnet activity feeds) may provide indirect insights into internal security issues—without being intrusive.

Panorays does not conduct penetration testing, brute-force attacks, or exploit execution.


🔍 What Panorays Evaluates

Using 100+ automated Criteria (security tests), Panorays analyzes a company’s discovered external assets, including (but not limited to):

  • Web servers

  • Mail servers

  • DNS

  • Cloud services

  • Endpoints

  • Employee exposure

The platform identifies exposed assets, misconfigurations, outdated technologies, and missing security best practices. Findings often include specific vulnerability context, such as:

  • Technology versions

  • CVE correlations

  • Bug bounty disclosures


Assessment Layers

Criteria (tests) are grouped into three top-level assessment layers, providing a comprehensive view of a company’s external cyber posture.

✅ Network & IT

Evaluates infrastructure, exposed services, and operational security practices.

Includes:

  • Web, email, and DNS servers

  • Endpoints and externally exposed assets

  • TLS protocols and certificate trust

  • Asset reputation

  • Cloud services and exposed systems

Example findings:

  • Expired or untrusted TLS certificates

  • Missing Web Application Firewall (WAF) on critical assets

✅ Application

Assesses externally facing applications, domains, and technologies.

Includes:

  • Web applications and APIs

  • CMS platforms (e.g., WordPress)

  • Domain vulnerabilities and attack exposure

  • Unpatched servers or applications

Example findings:

  • Exposure of WordPress user data

  • Outdated or vulnerable application versions

✅ Human

Analyzes the human attack surface and organizational security maturity.

Includes:

  • Employee exposure and likelihood of social engineering

  • Public social media posture

  • Presence (or absence) of a dedicated security team

  • Security awareness indicators

Example findings:

  • Compromised employee credentials

  • Lack of security awareness or governance

  • No dedicated security function


📋 Rating Methodology

Test-Based Scoring

Each assessment consists of 100+ Criteria run against discovered assets (servers, IP ranges, domains, employees, etc.).

Each Criterion produces:

  • Findings (security gaps)

  • An individual 0–100 Criterion rating

A weighted average of all Criteria ratings generates the final Cyber Posture Rating.

Example Tests:

  • Do mail servers have an SPF record?

  • Do web servers support deprecated SSL/TLS protocols?

  • Are assets associated with malicious activity?


Criterion Properties

Each Criterion includes:

  • What is tested

  • What was found

  • Explanation and remediation guidance

  • Severity (Info / Low / Medium / High / Critical)

  • Weight (impact on the rating)

❗“Info” Criteria do not affect the rating.

❗“Critical” Criteria may have an additional impact on the overall risk.


Criteria Rating Calculation

Each Criterion is scored independently:

  • 100 – No findings detected

  • 0 – All assets failed

  • 1–99 – Partial findings

  • N/A – Criterion is not applicable

Rating logic varies by Criterion and may include:

  • Simple ratios

  • Statistical normalization

  • Company size and industry benchmarks
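The scoring rules above (test-based scoring, Criterion properties and the Criteria rating calculation) can be illustrated with a small model. This is an added example, not Panorays code: it assumes a "simple ratio" rating for every Criterion, treats a Criterion with no assessed assets as N/A, drops Info and N/A Criteria from the weighted average, and uses constructed asset results and weights.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SEVERITIES = ("Info", "Low", "Medium", "High", "Critical")


@dataclass
class Criterion:
    name: str
    severity: str
    weight: float                      # impact on the overall rating (assumed values)
    results: Dict[str, bool] = field(default_factory=dict)  # asset -> True if no finding

    def rating(self) -> Optional[int]:
        """Simple-ratio rating: share of assessed assets with no finding.
        100 = no findings, 0 = all assets failed, None = N/A (nothing to assess)."""
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")
        if not self.results:
            return None
        passed = sum(1 for ok in self.results.values() if ok)
        return round(100 * passed / len(self.results))


def cyber_posture_rating(criteria: List[Criterion]) -> Optional[float]:
    """Weighted average of applicable Criterion ratings.
    Info Criteria do not affect the rating; N/A Criteria are excluded."""
    num = den = 0.0
    for c in criteria:
        r = c.rating()
        if c.severity == "Info" or r is None:
            continue
        num += c.weight * r
        den += c.weight
    return round(num / den, 1) if den else None


# Constructed sample results for Criteria of the kind named on the page.
SAMPLE = [
    Criterion("Mail servers have an SPF record", "Medium", 2.0,
              {"mx1.example.com": True, "mx2.example.com": False}),
    Criterion("No deprecated SSL/TLS protocols", "High", 3.0,
              {"www.example.com": True, "api.example.com": True, "old.example.com": False}),
    Criterion("Assets not linked to malicious activity", "Critical", 4.0,
              {"203.0.113.10": True, "203.0.113.11": True}),
    Criterion("Server banner exposes version", "Info", 1.0, {"www.example.com": False}),
    Criterion("CMS hardening", "Low", 1.0, {}),   # no CMS discovered -> N/A
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.name}: {c.rating()}")
    print("Cyber Posture Rating:", cyber_posture_rating(SAMPLE))
```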


Criteria Weights

Criteria weights are determined using objective data, including:

  • Benchmarking against trusted companies (e.g., Google, Amazon, Microsoft)

  • Industry-wide rating distributions

  • Analysis of breached companies to identify predictive indicators


Criteria Development & Tuning

Criteria are based on:

  • Industry standards (e.g., OWASP, NIST)

  • Proprietary research and threat intelligence

New Criteria are initially deployed in hidden mode to collect large-scale data. Severity and weight are then tuned based on real-world adoption, effectiveness, and validation against trusted and breached companies.


📌 Why the Panorays Cyber Posture Rating Matters

The Panorays Cyber Posture Rating delivers:

  • Accuracy – Data-driven scoring validated against trusted and breached organizations

  • Transparency – Full visibility into Criteria, findings, and discovered assets

  • Consistency – The same methodology applied to all companies

  • Stability – A durable indicator of overall cyber posture, not isolated issues

Together, this enables organizations to objectively assess, compare, and manage third-party cyber risk at scale.
