SecurityScorecard Reviews

We were asked by a customer to respond to issues raised on the platform regarding our security score. 

We are using the free offering at the moment. For something that was not part of our selection, I would like to have more features available. In that context, a paid subscription is way out of line for an organization of our size.

As the approach is widely automated information gathering, there is a wide gap from free to paid which makes it hard for smaller organizations to get better security awareness. There is always the notion that a breach is expensive, however, that does not mean vendors can collect anything they like in terms of pricing. It has to be reasonable. 

With SecurityScorecard we gained more insight into our security footprint. The platform does very little to help with issues. Maybe that is for paid subscribers. Every so often, issues are re-surfacing and you have to re-explain everything. 

Don't get me wrong. Although it is not very nice to have security issues (or symptoms of such) thrown at you, it is nicer than some ransom demand.

With its automated approach, nothing is missed on the IPs your organization is related to. Still, it is extra work.

You can have notifications for changes in your score. It really helps to not have to come back every now and then to look score changes up.

I also like the report options in place. They could be made more configurable but there will always be disagreement on reporting options.

You can also invite team members to help with solving problems. 

It's good for a security solution. You can protect your logins with MFA. It is not as good as Azure MFA (no push option), however, still an improvement over the plain user/password combo.

There could be more information in regards to solving problems like hints on what specifically to look for.

There should be the option to split responsibility for certain areas. This would be mandatory if we want to invite external consultants to look at things together. 

As mentioned above, the pricing for a paid subscription is too high for "just" a monitoring platform. 

They don't fix your issues. Instead, you have to come up with a good explanation of why things are the way they are. Small teams might not have the patience to re-submit closure of issues due to the fact that the explanation for the issue is not accepted.

We have been working with the service for about three months now.

We had no issues with stability so far. There is no high volume traffic goong on when using it.

It's a web-based service. Scalability should be no issue.

It's not the most responsive technical support so far. Most issues are not fixed in an hour. Users shouldn't expect confirmation to be there at that time. If you expect 1-3 days you are well-positioned with a no-fee service.

Positive

We did not previously use a different solution.

The initials setup is easy. You just log in with your work email. That's it.

I suspect that no one was tasked with security to onboard here. 

There is no ROI for a free tier. We would need to provide an explanation about paid subscriptions for just a security ticket system in the cloud.

They already have set up for most organizations with their security footprint gathered from whois, DNS, and other sources. Therefore, no setup cost would be reasonable. The pricing could be split into a lower paid tier for smaller organizations and another higher tier for others with a more security-focused outlook. $1000 per month is more than some companies pay for their internet connections in total.

The free tier is perhaps tied to larger organizations inviting smaller ones to get them onboarded.

We were forced (or rather, invited) to use that solution by a customer.

Don't expect answers for closing issues right away. There are still people involved who re-check the issues for proper fixes and if your explanation for "that's no issue" is acceptable.