How the exposure score works
A score you can't explain is a score you can't trust. Here is exactly how Breach Horizon turns public evidence into a 0–100 risk score — higher means more risk, matching the format insurers and assessors use.
Four weighted components
Exposure findings
40%Severity-weighted count of concrete findings: missing DMARC, TLS problems, absent security headers, takeover indicators. A couple of criticals saturate this component — the same way a real assessment treats them.
Identity exposure
25%Breached credentials and infostealer data tied to your domain. Requires verified data partners, so the free scan scores this 0 and clearly labels it as not included — we don't fake signal we don't have.
Attack surface
20%Size of your discoverable footprint: subdomains, resolved hosts, DNS records. More public assets means more places to make a mistake.
Email security
15%SPF, DKIM, DMARC, and DNSSEC gaps — the shortest path from a public record to a spoofed invoice.
Severity weighting
Findings are not counted equally. Each severity contributes points to the exposure component before normalization:
| Severity | Weight | Meaning |
|---|---|---|
| Critical | 40 pts | Directly exploitable now — e.g. subdomain takeover, exposed secrets |
| High | 10 pts | Materially raises breach likelihood — e.g. no DMARC enforcement |
| Medium | 3 pts | Weakens defense in depth — e.g. missing security headers |
| Low | 1 pt | Hygiene items worth cleaning up |
| Info | 0 pts | Context only, no score impact |
What the scan will never do
Every check is passive: standard DNS lookups, HTTPS requests a browser would make, and public third-party data. The scanner never port-scans, never attempts logins, never exploits anything, and never touches systems behind your firewall. That is what makes it safe to run against any domain you own or manage — and it means the scan sees exactly what an outside attacker, insurer, or enterprise reviewer sees.
When a data source is unavailable or a paid feed is not yet integrated, the report says so explicitly instead of inventing signal. Results are cached for 15 minutes; re-scan after you make changes to verify a fix.
Questions about a specific finding or score? Contact us — corrections are welcome and reviewed by a person.
See what attackers see — before they do.
Run the free passive scan, get a prioritized fix plan, and close the gaps yourself or have us do it for you.