Somerford Associates Limited

SecurityScorecard - Security Risk Ratings Platform

SecurityScorecard is the most comprehensive security risk ratings platform, providing the security posture of 1m+ enterprises worldwide. It continuously monitors the cybersecurity health of organisations by identifying public facing vulnerabilities that create a security risk. Use cases include self monitoring, peer benchmarking, third party risk management and cyber insurance .


  • Instantly identifies vulnerabilities, active exploits and advanced threats
  • Protects your business and strengthens your security posture
  • Gives insight into what a hacker sees
  • View the security posture of your vendors and partners
  • Provides and maintains compliance with regulations and standards
  • Insight into Cyberhealth of potential mergers or acquisitions
  • Streamline cybersecurity compliance and due diligence using Atlas
  • Machine learning enables validation of vendor responses in near real-time
  • Peer Benchmarking


  • Simple and easy to use interface
  • Monitor all your partners and/or vendors from a single platform
  • Aids collaboration with vendors to improve their security posture
  • Streamline and improve your vendor risk management programme
  • Largest database of scored companies provides detailed risk analytics
  • Passive, non intrusive and continuous security assessment
  • Reduce cyber insurance premiums


£500 to £2000 per licence per year

Service documents

G-Cloud 11


Somerford Associates Limited

Penny Harrison

+44 1793 698 047

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to SecurityScorecard have developed a Splunk App which will allow you to extend your existing Splunk service.
Cloud deployment model Public cloud
Service constraints None
System requirements None, solution is cloud hosted by SecurityScorecard

User support

User support
Email or online ticketing support Email or online ticketing
Support response times SecurityScorecard provide support 8am-5pm EST Monday-Friday excluding US Federal Holidays.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels Our Service Desk provides support for P1 to P4 where a part of the software, appliance or license was previously working and is not working as expected or at all.

If an issue requires a level of Professional Services to engage, a member of the support team will discuss with your Account Manager to discuss this further.

Service Desk offer support through several channels, including telephone, e-mail and remote sessions where appropriate. Any employee of our entitled customers can raise a support desk ticket via telephone or e-mail with their company e-mail address. This will be logged and assigned to an engineer who will respond within 1 business hour.

Somerford resolve 80% of service desk tickets without requiring the involvement of our Partners. Where Partner involvement is required, we will advise you on this the process. Wherever possible, we will manage your service desk case with our Partners.

Our service desk is available between 9am and 5pm Monday to Friday, excluding Bank Holidays. Our service desk will provide support for existing Customers and companies that are engaged in Proof of Concepts.

All our customers have a Technical Account Manager.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started You can request a free assessment of your own company.
Once you have purchased relevant licences SecurityScorecard can be accessed via the browser by logging on with your personal credentials. Online Training can be provided.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction No proprietary information is stored. Users can extract Summary, Issues and Detailed reports on the companies they are monitoring
End-of-contract process At the end of the contract access to the platform will cease.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
What users can and can't do using the API SecurityScorecard collect terabytes of data on 1m+ of entities worldwide. Their forward-based threat intelligence capabilities are powered by a proprietary sensor network that spans the globe.

Their data science and machine learning capabilities transform that telemetry into intelligence that can be used to identify risks and prevent exploits. Through API Connectors, they make this data consumable by technology companies, insurers, rating agencies, security teams, and more.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment No
Customisation available No


Independence of resources SecurityScorecard are continually monitoring and enhancing their platform to provide the highest levels of service to their customers


Service usage metrics No


Supplier type Reseller providing extra support
Organisation whose services are being resold SecurityScorecard

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations EU-US Privacy Shield agreement locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Data can be exported as .csv or .pdf
Data export formats
  • CSV
  • Other
Other data export formats Pdf
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Service Provider’s goal is to achieve 99.9% Availability of the Services for its customers. If uptime for the Services is less than 98.0% for a given month of the Term, then Service Provider shall issue Customer a service credit (“Service Credit”) in accordance with the schedule below, with the credit being calculated based on the fees for month of the affected Services. “Availability” is defined as the 24/7 access to the web interface to the SecurityScorecard SaaS platform being accessible and users can log-in to the system. Availability excludes issues due to internet and/or connectivity.
Approach to resilience Resilience has been built into the design of SecurityScorecard's cloud based offering with failover and dynamic resource allocation available and utilised
Outage reporting SecurityScorecard may perform any standard maintenance, upgrades, replacement of hardware or software or any other like activity that may result in unavailability (collectively, “Scheduled Maintenance”). SecurityScorecard shall notify Customer in advance of any anticipated Scheduled Maintenance, and provide the date, time and expected duration. Such notice will be provided by email or web notification. Scheduled Maintenance shall not be included in the Uptime Commitment calculation.
SecurityScorecard may also perform any maintenance reasonably necessary to fix critical Service functionality, security or other vulnerabilities or material defects that may substantially impair the usability or performance of the Services, to the extent such maintenance cannot reasonable be performed during the Scheduled Maintenance window (“Emergency Maintenance”). SecurityScorecard shall notify Customer at least 24 hours’ notice (or at least as much notice as is reasonably possible, where 24 hours is not commercially reasonable) of any Emergency Maintenance, including its date, time and expected duration. Such notice will be provided by email or web notification.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Other
Other user authentication SAML
Access restrictions in management interfaces and support channels Users are assigned access levels within SecurityScorecard. A user can either be Read Only, User or Admin
Access restriction testing frequency At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Description of management access authentication SAML

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • C2M2

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ISO 27001 certification

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach SecurityScorecard adhere to industry good practise in terms of configuration and change management processes.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach SecurityScorecard not only provide security posture monitoring of thousands of companies worldwide but also use their own technology to monitor their own security posture.
Regular internal vulnerability scanning is run and endpoint protection deployed
Protective monitoring type Undisclosed
Protective monitoring approach An automated or manually reported alert is sent. Once the incident has been acknowledged the first responder is responsible to triage the issue.
For product related issues, there is a reference chart of team owners.
For infrastructure related issues the incident will be escalated to either Infrastructure Services Team or the Site Reliability Engineering Team
For security related incidents a conference bridge is opened and all members of the SecOps team attend.
The IRT engineer continues to provide the high level updates to stakeholders.
Once the incident is closed, the various parties work together to author the post mortem document.
Incident management type Undisclosed
Incident management approach Industry standard incident management processes are in place

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £500 to £2000 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Instant SecurityScorecard provides a free limited summary view into the security posture of your organisation that can be accessed every 30 days.
Link to free trial

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑