Somerford Associates Limited

SecurityScorecard - Cybersecurity Risk Ratings Platform

SecurityScorecard is a comprehensive cyber security risk ratings platform that continuously monitors the cyber security health of organisations to inform cyber security risk management.

SecurityScorecard identifies public facing vulnerabilities that create a security risk. Use cases include self monitoring, peer bench-marking, third party risk management and cyber insurance.


  • Instantly identifies vulnerabilities, active exploits and advanced threats
  • Protects your business and strengthens your security posture
  • Gives insight into what a hacker sees
  • View the security posture of your vendors and partners
  • Provides and maintains compliance with regulations and standards
  • Insight into Cyberhealth of potential mergers or acquisitions
  • Streamline cybersecurity compliance and due diligence using Atlas
  • Machine learning enables validation of vendor responses in near real-time
  • Peer Benchmarking


  • Simple and easy to use interface
  • Monitor all your partners and/or vendors from a single platform
  • Aids collaboration with vendors to improve their security posture
  • Streamline and improve your vendor risk management programme
  • Largest database of scored companies provides detailed risk analytics
  • Passive, non intrusive and continuous security assessment
  • Reduce cyber insurance premiums


£500 to £2,000 a licence a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

6 4 5 0 7 7 3 4 4 1 9 6 4 3 8


Somerford Associates Limited Penny Harrison
Telephone: +44 1242 388168

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
SecurityScorecard have developed a Splunk App which will allow you to extend your existing Splunk service.
Cloud deployment model
Public cloud
Service constraints
System requirements
None, solution is cloud hosted by SecurityScorecard

User support

Email or online ticketing support
Email or online ticketing
Support response times
SecurityScorecard provide support 8am-5pm EST Monday-Friday excluding US Federal Holidays.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Support levels
Our Service Desk provides support for P1 to P4 where a part of the software, appliance or license was previously working and is not working as expected or at all.

If an issue requires a level of Professional Services to engage, a member of the support team will discuss with your Account Manager to discuss this further.

Service Desk offer support through several channels, including telephone, e-mail and remote sessions where appropriate. Any employee of our entitled customers can raise a support desk ticket via telephone or e-mail with their company e-mail address. This will be logged and assigned to an engineer who will respond within 1 business hour.

Somerford resolve 90% of service desk tickets without requiring the involvement of our Partners. Where Partner involvement is required, we will advise you on this the process. Wherever possible, we will manage your service desk case with our Partners.

Our service desk is available between 9am and 5pm Monday to Friday, excluding Bank Holidays. Our service desk will provide support for existing Customers and companies that are engaged in Proof of Concepts.

All our customers have a Technical Account Manager.
Support available to third parties

Onboarding and offboarding

Getting started
You can request a free assessment of your own company.
Once you have purchased relevant licences SecurityScorecard can be accessed via the browser by logging on with your personal credentials. Online Training can be provided.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
No proprietary information is stored. Users can extract Summary, Issues and Detailed reports on the companies they are monitoring
End-of-contract process
At the end of the contract access to the platform will cease.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Service interface
What users can and can't do using the API
SecurityScorecard collect terabytes of data on 1m+ of entities worldwide. Their forward-based threat intelligence capabilities are powered by a proprietary sensor network that spans the globe.

Their data science and machine learning capabilities transform that telemetry into intelligence that can be used to identify risks and prevent exploits. Through API Connectors, they make this data consumable by technology companies, insurers, rating agencies, security teams, and more.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Customisation available


Independence of resources
SecurityScorecard are continually monitoring and enhancing their platform to provide the highest levels of service to their customers


Service usage metrics


Supplier type
Reseller providing extra support
Organisation whose services are being resold

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Data can be exported as .csv or .pdf
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Service Provider’s goal is to achieve 99.9% Availability of the Services for its customers. If uptime for the Services is less than 98.0% for a given month of the Term, then Service Provider shall issue Customer a service credit (“Service Credit”) in accordance with the schedule below, with the credit being calculated based on the fees for month of the affected Services. “Availability” is defined as the 24/7 access to the web interface to the SecurityScorecard SaaS platform being accessible and users can log-in to the system. Availability excludes issues due to internet and/or connectivity.
Approach to resilience
Resilience has been built into the design of SecurityScorecard's cloud based offering with failover and dynamic resource allocation available and utilised
Outage reporting
SecurityScorecard may perform any standard maintenance, upgrades, replacement of hardware or software or any other like activity that may result in unavailability (collectively, “Scheduled Maintenance”). SecurityScorecard shall notify Customer in advance of any anticipated Scheduled Maintenance, and provide the date, time and expected duration. Such notice will be provided by email or web notification. Scheduled Maintenance shall not be included in the Uptime Commitment calculation.
SecurityScorecard may also perform any maintenance reasonably necessary to fix critical Service functionality, security or other vulnerabilities or material defects that may substantially impair the usability or performance of the Services, to the extent such maintenance cannot reasonable be performed during the Scheduled Maintenance window (“Emergency Maintenance”). SecurityScorecard shall notify Customer at least 24 hours’ notice (or at least as much notice as is reasonably possible, where 24 hours is not commercially reasonable) of any Emergency Maintenance, including its date, time and expected duration. Such notice will be provided by email or web notification.

Identity and authentication

User authentication needed
User authentication
Other user authentication
Access restrictions in management interfaces and support channels
Users are assigned access levels within SecurityScorecard. A user can either be Read Only, User or Admin
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Description of management access authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • C2M2

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
ISO 27001 certification

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
SecurityScorecard adhere to industry good practise in terms of configuration and change management processes.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
SecurityScorecard not only provide security posture monitoring of thousands of companies worldwide but also use their own technology to monitor their own security posture.
Regular internal vulnerability scanning is run and endpoint protection deployed
Protective monitoring type
Protective monitoring approach
An automated or manually reported alert is sent. Once the incident has been acknowledged the first responder is responsible to triage the issue.
For product related issues, there is a reference chart of team owners.
For infrastructure related issues the incident will be escalated to either Infrastructure Services Team or the Site Reliability Engineering Team
For security related incidents a conference bridge is opened and all members of the SecOps team attend.
The IRT engineer continues to provide the high level updates to stakeholders.
Once the incident is closed, the various parties work together to author the post mortem document.
Incident management type
Incident management approach
Industry standard incident management processes are in place

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£500 to £2,000 a licence a year
Discount for educational organisations
Free trial available
Description of free trial
Instant SecurityScorecard provides a free limited summary view into the security posture of your organisation that can be accessed every 30 days.
Link to free trial

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.