Security Ratings Solutions: the 2024 Comparison | Thomas Murray

Orbit Security vs Bitsight vs SecurityScorecard

Orbit Security

Capabilities

  • Security Ratings
  • Third Party Risk Management
  • Cyber Advisory
  • Incident Response
  • Cyber Threat Simulation
  • eDiscovery

Headquarters

London

Founded / Product Launched

1994 / 2021

Security rating scale

0-1000 for overall, domain and sub-domain level ratings

BitSight

Capabilities

  • Security Ratings 
  • Third Party Risk Management

Headquarters

Boston

Founded / Product Launched

2011 / 2013

Security rating scale

0-950 for overall rating

SecurityScorecard

Capabilities

  • Security Ratings
  • Third Party Risk Management
  • Incident Response
  • Cyber Threat Simulation

Headquarters

New York

Founded / Product Launched

2013 / 2014

Security rating scale

A-F for overall rating, with A-F and 0-100 scale for individual risks

Orbit Security vs Bitsight vs SecurityScorecard product overview

In 2022, we commissioned independent market research from market intelligence firm M-Brain to find out what CISOs and other practitioners think is most important in a security ratings solution. The following comparison is based on CISOs’ own priorities:

These four features regularly ranked as the most important to CISOs looking for a security ratings platform:

Platform’s dashboarding features

The highest priority for CISOs, CIOs, Heads of IT Security and other decision makers was the platform’s ability to provide simplified dashboards and reports that can be presented to a board. 

Timely and accurate information

CISOs want a solution that sends timely alerts about new issues and high-risk third parties. Above all, they need accurate information that they can rely on. 

Benchmarking ability: Comparison with peers

Users need to be able to compare their organisations’ security posture to industry peers and competitors.

Pricing and inclusiveness of features

CISOs want transparent pricing with all features included, and no arbitrary limitations on the number of users or customer support hours.

Orbit Security

Platform’s dashboarding features

  • Clear dashboarding and off-the-shelf executive reporting.
  • “The security rating has become a key, objective KPI for our management team” (CISO, ATHEX)

 

Timely and accurate information

  • Machine learning tool for network footprint discovery, designed to eliminate false positives. 
  • Weekly security ratings with ability to request rescan.
  • Real-time alerts by email and in-platform.

Benchmarking ability: Comparison with peers

  • Comprehensive benchmarking vs industry peers, as well as against a global benchmark.
  • Users can compare vs competitors and peers.  

Pricing and inclusiveness of features

  • Customers report that prices are typically up to 50% cheaper than competitors. Pricing starts at $15,000 for self-assessment plus all subsidiaries.
  • We never limit features based on pricing. All features are developed in-house by experts. 

Rating of highest-priority features

4.25/5

BitSight

Platform’s dashboarding features

  • Innovated security ratings concept in the early 2010s; feature-rich platform.
  • “Tends to have complex user interface” compared to other providers (M-Brain)

Timely and accurate information

  • Security ratings updated daily, but “the platform’s ability to eliminate false positives is very low” (M-Brain)
  • Notifications can be sent through email, platform and API. 

Benchmarking ability: Comparison with peers

  • Ability to compare with the industry average as well as the sub-category. 
  • Users can compare ratings to five to seven competitors at a time. 

Pricing and inclusiveness of features

  • Pricing is reported to start at US$30,000 for self-assessment plus two subsidiaries. 
  • “BitSight does not provide enough in-house services. Most of them are offered via integration with third parties.” (M-Brain)

*Reported pricing as of February 2022

Rating of highest-priority features

3.25/5

SecurityScorecard

Platform’s dashboarding features

  • “Provides simplified dashboarding and reporting features that can be presented to board level management compared to BitSight” (Retail Bank in the US).
  • Clear dashboarding and reporting.

Timely and accurate information

  • Scorecards recalculated daily. 
  • Some users report lack of transparency about hosts to which issues are attributed in reports. 
  • Notifications can be sent through email, platform and API. 

Benchmarking ability: Comparison with peers

  • Users can compare scores with the industry average, and up to seven competitors at a time. 
  • Option to create a portfolio to benchmark against competitors. 

Pricing and inclusiveness of features

  • Pricing is reported to start at US$22,000 for self-assessment plus all subsidiaries, and additional vendors cost $1,500-$2,000 per vendor per year. 
  • A free version of the platform is available for vendors to check their score and upload public comments.

*Reported pricing as of February 2022

Rating of highest-priority features

3.75/5

Conclusion: for the highest-priority features and capabilities, Orbit Security ranks consistently highly. Since our journey to build the world’s most comprehensive and accurate cyber security ratings platform began in 2019, we have focused on developing critical features with clarity, purpose and actionability.

These features were also considered priorities, depending on the specific use case or attitude of the CISO.

Questionnaires and third-party access

CISOs want the ability to issue IT security questionnaires in-platform, and to provide third parties with access to their own security ratings and assessments.

Data transparency

CISOs want to demonstrate to other stakeholders how the data is collected and how ratings are calculated.

Remediation features

Intuitive workflow for remediation action plans and co-working. 

Customer support

End-to-end customer support.

Scalability and speed

Speed at which ratings can be provided, and scalability of solution. 

Orbit Security

Questionnaires and third-party access

  • Users can issue questionnaires using the Orbit Diligence module.
  • The platform is free to third parties for 30 days. 
  • Third parties have access to expert remediation support. 

Data transparency

  • Issues aggregated by ‘Risk’ and by ‘Domain’. 
  • All issues are attributed to a specific host.
  • CTI sources transparently labelled. 
  • Every issue ranked as high, medium, low or informational. 
  • Charts show which issues are having the highest impact on the overall rating. 

Remediation features

  • Issues can be flagged for remediation, allocated to team members and given a deadline. 
  • Managers can track and report on remediations. 

Customer support

  • Dedicated account manager and regular customer success meetings. 
  • Technical support SLA is usually 12 hours. 
  • Full suite of advisory, testing and incident response services.

Scalability and speed

  • Clients can access Orbit Security’s existing ratings immediately. 
  • New ratings can be produced in days.  
  • Highly scalable solution in terms of price and usability. 

Rating of medium-priority features

4.8/5

BitSight

Questionnaires and third-party access

  • BitSight offers standard frameworks for questionnaires, as well as integrations. 
  • A third party can upload a public, as well as a private, comment. 
  • The platform is free to third parties for 45 days.

Data transparency

  • Issues are analysed by risk category and are attributed to a specific ‘Identifier’. 
  • Risk grading is good, neutral, warning and bad, with minor, moderate, material and severe severity. 
  • Issues are attributed ‘first seen’ and ‘last seen’ time stamps. 

Remediation features

  • During major security events, critical vulnerabilities will be highlighted. 
  • Remediations can be flagged, tracked and reported on. 

Customer support

  • Dedicated account manager.
  • Technical support SLA is 24 hours (M-Brain). 
  • No in-house advisory or incident response team for expert escalation. 

Scalability and speed

  • Clients can access BitSight’s existing ratings immediately. 
  • New ratings can be generated in days. 
  • Pricing makes scalability challenging for many companies.

Rating of medium-priority features

4.4/5

SecurityScorecard

Questionnaires and third-party access

  • Users can issue questionnaires using the ATLAS module. 
  • Third parties receive notification and can create an account for answering. 
  • Platform allows users to invite third parties to view their own assessments. 

Data transparency

  • Issues are analysed by risk category, but vendor reports do not include domain attribution.
  • Risk grading is high, medium and low severity, ‘positive signals’ and informational. 

Remediation features

  • Users can create a score plan for themselves or third parties.
  • Issues are marked as open, under review, resolved, declined or decayed. 

Customer support

  • Overall customer support is reported to be good.  
  • Customer query response time is 48 hours SLA (M-Brain). 
  • Incident Response, Testing and Red Team services.

Scalability and speed

  • Organisations already scored by SecurityScorecard can receive immediate ratings. 
  • New scores can be generated in hours. 
  • Pricing makes scalability challenging for many companies. 

Rating of medium-priority features

4.4/5

Conclusion: For medium-priority features and capabilities, Orbit Security again ranks highly. In particular, our clients value our outstanding customer support and data transparency.

These features and criteria were rarely top priorities, but users often appreciated them.

Clients feed into product roadmap

CISOs value:

  • Customer requirements being fed into the product roadmap.
  • White-labelling capabilities.
  • Local hosting where regulations and/or risk frameworks demand.

Financial quantification

CISOs want to be able to quantify the potential financial impact of cyber risk on an organisation or its third parties. 

Tracking over time

Ability to track issues and overall scores over time

Critical vs non-critical third parties

CISOs would like to prioritise certain ‘critical’ service providers and clients over other third parties.

Integrations

Integrations with other platforms. 

Orbit Security

Clients feed into product roadmap

  • Expert customer feedback fed into product development. 
  • White-labelling option available – a high priority for many government clients. 
  • Local hosting not supported.

Financial quantification

  • Orbit Security does not offer financial quantification.*

Tracking over time

  • Overall scores and individual hosts tracked over time. 
  • All historical assessments available to users. 
  • Trend analysis highlights issues causing significant score drops. 

Critical vs non-critical third parties

  • Does not distinguish between critical and non-critical third parties; full analysis is provided for every third party. 

Integrations

  • Integrations can be supported on request.

BitSight

Clients feed into product roadmap

  • Not known whether client feedback is taken into account for overall product roadmap. 
  • It is reported that BitSight cannot be white labelled or hosted locally. 

Financial quantification

  • BitSight provides financial quantification of cyber risk with the help of VisibleRisk and via its partnership with Moody’s. 

Tracking over time

  • BitSight provides one year of historical scores by default. 
  • Overall scores can be tracked over time. 

Critical vs non-critical third parties

  • BitSight distinguishes between critical and non-critical vendors, providing fuller assessments of critical suppliers (though at a higher reported price). 

Integrations

  • Integration can be supported, and partners include Archer GRC, OneTrust, ServiceNow, ProcessUnity and Prevalent.

SecurityScorecard

Clients feed into product roadmap

  • Not known whether client feedback is taken into account for the overall product roadmap.
  • It is reported that SecurityScorecard cannot be white labelled or hosted locally.  

Financial quantification

  • SecurityScorecard does not offer financial quantification. 

Tracking over time

  • Overall scores can be tracked over time.
  • Trend analysis shows which issues are affecting the score where significant drops occur.

Critical vs non-critical third parties

  • SecurityScorecard gives access to third-party ‘slots’ that can be swapped and changed from the initial list. 

Integrations

  • Integration can be supported, and partners include Archer GRC, ServiceNow, OneTrust, Jira and others. 

Overall verdict

Thomas Murray was founded in 1994 and built its reputation as a risk intelligence firm by providing data, risk analysis, advisory and technology services to some of the world’s biggest banks and institutional investors. Our goal is to create the world’s leading cyber security ratings platform for every sector, building on our deep analytical and technical expertise.

*A note on Financial Quantification: As a result of our deep expertise analysing financial counterparties, we understand that to quantify the potential financial impact of an organisation’s external security posture requires deeper analysis and more context than can be observed through an external analysis. We therefore do not offer financial quantification.

Contact an expert

Robert Smith, Head of SaaS Sales and Customer Success

Roland Thomas, Associate Director | Cyber Risk