Breach Horizon
Scoring methodology

How the exposure score works

A score you can't explain is a score you can't trust. Here is exactly how Breach Horizon turns public evidence into a 0–100 risk score — higher means more risk, matching the format insurers and assessors use.

Four weighted components

Exposure findings

40%

Severity-weighted count of concrete findings: missing DMARC, TLS problems, absent security headers, takeover indicators. A couple of criticals saturate this component — the same way a real assessment treats them.

Identity exposure

25%

Breached credentials and infostealer data tied to your domain. Requires verified data partners, so the free scan scores this 0 and clearly labels it as not included — we don't fake signal we don't have.

Attack surface

20%

Size of your discoverable footprint: subdomains, resolved hosts, DNS records. More public assets means more places to make a mistake.

Email security

15%

SPF, DKIM, DMARC, and DNSSEC gaps — the shortest path from a public record to a spoofed invoice.

Severity weighting

Findings are not counted equally. Each severity contributes points to the exposure component before normalization:

SeverityWeightMeaning
Critical40 ptsDirectly exploitable now — e.g. subdomain takeover, exposed secrets
High10 ptsMaterially raises breach likelihood — e.g. no DMARC enforcement
Medium3 ptsWeakens defense in depth — e.g. missing security headers
Low1 ptHygiene items worth cleaning up
Info0 ptsContext only, no score impact

What the scan will never do

Every check is passive: standard DNS lookups, HTTPS requests a browser would make, and public third-party data. The scanner never port-scans, never attempts logins, never exploits anything, and never touches systems behind your firewall. That is what makes it safe to run against any domain you own or manage — and it means the scan sees exactly what an outside attacker, insurer, or enterprise reviewer sees.

When a data source is unavailable or a paid feed is not yet integrated, the report says so explicitly instead of inventing signal. Results are cached for 15 minutes; re-scan after you make changes to verify a fix.

Questions about a specific finding or score? Contact us — corrections are welcome and reviewed by a person.

See what attackers see — before they do.

Run the free passive scan, get a prioritized fix plan, and close the gaps yourself or have us do it for you.