What Is a CyberScore — and What Does 36.47 Actually Mean for Your Business?

Product Action Guide
May 2026  ·  8 min read

A single number that tells you where you stand. Not what your IT provider thinks. Not what you hope. What an objective, three-component assessment of your actual security posture says — based on what attackers can see from outside, what your policies look like from inside, and how your business profile affects your real-world risk.


Every post in this series has described a piece of the cybersecurity problem — credential exposure, MFA bypass, attacker timelines, breach costs, human error, clean scan results. This post describes the tool that puts all of those pieces together into a single number and tells you exactly where to start fixing them.

The Veriti Spottr CyberScore is a 0–100 score that reflects your organization's overall cybersecurity health. Not a guess. Not a checklist with boxes ticked. A weighted assessment drawn from three distinct data sources — each measuring something the others can't — combined into a single number that tells you both how exposed you are and what to do about it.

Here's what that number actually means, where it comes from, and why a score of 36.47 tells a completely different story than a score of 83.

36.47

Example CyberScore — Needs Improvement

This business has critical and high vulnerabilities on public-facing systems that haven't been addressed, sits in a high-risk industry, and has mitigated only a fraction of known findings. Despite strong survey responses showing good internal practices, the unaddressed technical exposure dominates the score. A business that knows what good security looks like — but hasn't closed the gaps yet.

  • 0–59 Needs Work
  • 60–79 Good
  • 80–100 Excellent

The CyberScore is built on NIST CSF 2.0 — the framework that by 2026 is referenced directly in most cyber insurance applications, vendor security questionnaires, and state procurement checklists. A CyberScore isn't just a health indicator for your business. It's the structured, documented evidence that insurers, enterprise clients, and regulators are increasingly asking for by name.

The three components — and why each one matters

Most security assessments measure one thing — either what's technically visible from outside your network, or what you say you have in place internally. The problem with measuring only one is that each misses what the other catches. A business with clean external scan results might have no incident response plan and no employee training. A business with excellent policies might have critical vulnerabilities on a public-facing server. The CyberScore measures both — and weights them honestly.

60% Weight

Exposure — What attackers can actually see

Up to 60 pts

The Exposure component carries the most weight because it provides objective, technical evidence of actual vulnerabilities visible from the public internet. This is what an automated scanner would find when it hits your domain. Veriti Spottr runs this assessment continuously against your external attack surface — open ports, credential exposure, email authentication records, publicly accessible admin panels, and known vulnerabilities on internet-facing services.

Every finding is categorized by severity — Critical, High, Medium, and Low. Critical and High findings carry the most weight, reflecting the urgency of the real-world risk they represent. The score improves as you mitigate findings through the Action Center. Each addressed finding moves your score in real time.

Why 60% weight? Exposure findings are objective and external — not what you say you have, but what attackers actually see when they scan your domain. A critical vulnerability on a public-facing server represents the same risk regardless of what any policy document says. This is where most breaches start and where the highest-leverage improvements happen.

25% Weight

Security Posture — What your policies actually look like

Up to 25 pts

The Security Posture component measures what external scanning can't see — your governance, training, policies, and human factors. It's captured through a NIST CSF 2.0 survey that SMB owners complete online through Spottr using multiple choice answers. No technical knowledge required. Honest answers in about 15 minutes.

The survey covers ten security domains drawn directly from NIST CSF 2.0 — the same framework most cyber insurance carriers now reference when assessing policy eligibility. Each domain is weighted by its real-world security impact. Your responses are scored and combined into a Security Posture component that reflects your internal controls as they actually exist — not as they're documented in a policy nobody reads.

  • Access Control
  • Asset Management
  • Awareness & Training
  • Business Continuity
  • Compliance & Audit
  • Data Security
  • Governance & Risk
  • Incident Response
  • Physical Security
  • Security Monitoring

The mismatch this reveals

In the 36.47 example, the Security Posture survey scored 93 out of 100 — strong internal practices, good policies. But the overall CyberScore is still 36.47 because unaddressed technical exposure is pulling it down. The CyberScore surfaces exactly this mismatch. Knowing the gap is the first step to closing it.


15% Weight

Business Profile — Your real-world risk context

Up to 15 pts

The Business Profile component makes the CyberScore specific to your business rather than generic. The same technical vulnerability means different things to a healthcare practice handling patient records and a landscaping company with no regulated data. The Business Profile captures that context — your industry, company size, security staffing, data types handled, and other risk factors — and adjusts the score accordingly.

Industry matters. Company size matters. Whether you have dedicated security staff matters. Whether you handle regulated data matters. A financial services firm operating in a high-risk sector faces a materially different threat landscape than a nonprofit — and the CyberScore reflects that difference rather than treating all businesses as equivalent.

Why this makes the score more useful

A generic vulnerability scan gives you the same results regardless of who you are. The Business Profile component means your CyberScore is calibrated to your actual risk context — the same way a cyber insurer assesses risk differently for a healthcare provider than a retail shop, even if their technical posture is identical.

The example score — 36.47 — illustrates something important: a business can have excellent internal practices (93/100 on the Security Posture survey) and still have a failing overall CyberScore because of unaddressed technical exposure. The inverse is also true: clean scan results paired with no incident response plan and no employee training will also pull the score down. Both dimensions matter. The CyberScore measures both.

Why the weighting matters — the 60/25/15 split

Why Exposure gets 60%

Objective, technical, external. Not what you say you have — what attackers actually see. A critical vulnerability on a public-facing server is the same risk regardless of what policies say. This is where most breaches start and where score improvement is most immediate and actionable.

Why Security Posture gets 25%

Governance, training, and human factors significantly impact security but are harder to measure objectively. A business with no incident response plan and no employee training is materially more at risk — even if their scan results look identical to one that has both.

Why Business Profile gets 15%

Context matters — but it's not the primary driver of risk. Industry, size, and staffing shape how a given vulnerability translates to real-world impact. The profile adjusts the score without overriding the technical reality that Exposure captures.
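As an added illustration (not Spottr's actual formula: the post publishes the 60/25/15 weights and the score bands, but not its per-finding deductions or profile adjustments), this Python model applies that weighting to a constructed set of findings; the SEVERITY_DEDUCTION values and the profile_score rules are assumptions. It reproduces the mismatch described above: a 93/100 survey still lands in Needs Improvement while Critical and High findings stay open, and the score jumps once they are mitigated.

```python
from dataclasses import dataclass

# Component weights and score bands as stated in the post.
WEIGHTS = {"exposure": 60, "posture": 25, "profile": 15}

# Assumed per-finding deductions, for illustration only: the post says
# Critical and High carry the most weight but gives no actual numbers.
SEVERITY_DEDUCTION = {"critical": 20, "high": 10, "medium": 4, "low": 1}

@dataclass
class Finding:
    severity: str          # Critical, High, Medium or Low
    mitigated: bool = False

def exposure_score(findings):
    """0-60: start from full marks, deduct for every unmitigated finding."""
    open_deductions = sum(SEVERITY_DEDUCTION[f.severity.lower()]
                          for f in findings if not f.mitigated)
    return max(0.0, WEIGHTS["exposure"] - open_deductions)

def posture_score(survey_pct):
    """0-25: the NIST CSF survey result (0-100) scaled to its weight."""
    return WEIGHTS["posture"] * survey_pct / 100

def profile_score(high_risk_industry, dedicated_security_staff, regulated_data):
    """0-15: context deductions (hypothetical values, not Spottr's)."""
    pts = WEIGHTS["profile"]
    if high_risk_industry:
        pts -= 6
    if not dedicated_security_staff:
        pts -= 3
    if regulated_data:
        pts -= 3
    return max(0.0, pts)

def cyberscore(findings, survey_pct, **profile):
    """Weighted composite: exposure (60) + posture (25) + profile (15)."""
    return round(exposure_score(findings) + posture_score(survey_pct)
                 + profile_score(**profile), 2)

def band(score):
    if score >= 80:
        return "Excellent"
    if score >= 60:
        return "Good"
    return "Needs Improvement"

# Constructed sample: strong survey (93/100), but open Critical/High findings.
SAMPLE_FINDINGS = [Finding("Critical"), Finding("High"), Finding("High"),
                   Finding("High", mitigated=True), Finding("Medium", mitigated=True)]
SAMPLE_PROFILE = dict(high_risk_industry=True, dedicated_security_staff=False,
                      regulated_data=False)

def after_mitigation(findings):
    """Simulate working the Action Center: every finding addressed."""
    return [Finding(f.severity, mitigated=True) for f in findings]
```

Run `cyberscore(SAMPLE_FINDINGS, 93, **SAMPLE_PROFILE)` and then the same call on `after_mitigation(SAMPLE_FINDINGS)` to see the band move from Needs Improvement to Excellent with the survey answers unchanged.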

Why the score updates in real time

As you mitigate findings in the Action Center, your CyberScore updates immediately. You can see exactly which actions move the score most — prioritizing the highest-impact work rather than guessing. That's the difference between a number and a plan.

What your score means — and what to do with it

  • 0–59 Needs Improvement: Significant gaps in technical exposure, security posture, or both. Prioritize critical and high findings in the Action Center immediately. Review survey domains with the lowest scores for quick policy wins.
  • 60–79 Good Security: Strong baseline with specific addressable gaps. Most businesses here have good policies but remaining technical findings pulling the score below excellent. Address medium findings and complete incomplete survey domains.
  • 80–100 Excellent Security: Clean external posture, strong internal practices, appropriate risk context. Satisfies most cyber insurance requirements and passes vendor security assessments.

The CyberScore and your cyber insurance

By 2026, most cyber insurance carriers reference NIST CSF functions directly in their applications — and premium discounts are available for organizations that can demonstrate CSF alignment. The CyberScore is built on NIST CSF 2.0 across all three components. The Business Profile captures your industry risk and compliance obligations. The Security Posture survey maps directly to the ten NIST CSF domains insurers care about most. The Exposure component documents your external attack surface in the objective, technical language underwriters require.

This means a Spottr CyberScore report isn't just a health indicator for your business. It's documentation — the kind that can support an insurance application, satisfy a vendor security questionnaire, or demonstrate due diligence in a regulatory context. The 73% of SMBs that currently fail cyber insurance assessments aren't all failing because their security is bad. Many are failing because they can't demonstrate what they have in place. The CyberScore gives them that documentation.

The businesses that move from 36 to 80 on the CyberScore don't do it by buying new tools. They do it by mitigating the critical and high findings the scan surfaces, completing the NIST survey domains they skipped, and filling gaps in their business profile. Every point on the CyberScore is a specific, actionable item in the Action Center. That's the difference between a number and a plan.

Getting your CyberScore

The Veriti Spottr beta is free. Getting your CyberScore takes three steps:

  • Step 1 — Business profile: Enter your company information — industry, size, security staffing, data types handled. About five minutes. Sets the risk context for your score.
  • Step 2 — NIST CSF survey: Complete the Security Posture survey across ten domains. Multiple choice answers, no technical background required. About 15 minutes. Covers the governance, training, and policy dimensions that scanning can't see.
  • Step 3 — External scan: Spottr runs an automated scan of your external attack surface. Findings appear in the Action Center with priority rankings and remediation guidance.

The three inputs combine into your CyberScore. The Action Center tells you which findings to address first — ranked by their impact on your score and your actual risk. As you mitigate findings, your score updates in real time.

That's what 36.47 means. And that's how it becomes something better.

Get your free CyberScore in three steps. No technical knowledge required. Beta access is free.

Veriti Spottr Team  ·  AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
