1. Executive Summary
The Custom Company Scoring module enables underwriters to create companies that do not yet exist in Rankiteo's database and immediately receive a computed cybersecurity score. This is accomplished through a structured 8-step questionnaire that captures the company's security posture across multiple domains.
The resulting score (0–1000) uses the same band system (Aaa through C) as Rankiteo's automated scoring, enabling seamless integration into existing pricing workflows, portfolio analytics, and loss exceedance models.
Key capabilities:
- Create companies with full security profiles from questionnaire responses
- Compute deterministic scores based on a transparent, auditable algorithm
- Auto-integrate custom companies into user portfolios
- Map supply chain dependencies automatically
- Generate scores compatible with premium estimation and loss modeling
The Rankiteo AI Cyber Underwriter Platform combines real-time threat intelligence, proprietary scoring algorithms, and actuarial-grade analytics into a single integrated solution; custom company scoring fills the gap for companies the automated scanner has not yet profiled.
2. Questionnaire Structure
The custom company creation wizard consists of 8 sequential steps, each targeting a specific domain of cybersecurity risk:
| Step | Name | Description | Key Inputs |
|---|---|---|---|
| 1 | Company Profile | Basic company information and demographics | Name, domain, industry (NAICS), employee count, revenue |
| 2 | Infrastructure | Technology stack and hosting environment | Cloud providers, on-premise servers, network architecture |
| 3 | Security Controls | Technical security measures in place | MFA, EDR, encryption, backups, patching, vulnerability scanning |
| 4 | Compliance | Regulatory compliance status | Certifications held (ISO 27001, SOC2 Type I/II) |
| 5 | Frameworks | Security framework adoption | NIST CSF, CIS Controls, COBIT, etc. with implementation level |
| 6 | Data Handling | Sensitive data practices | Data types stored, encryption at rest/in transit, retention policies |
| 7 | Supply Chain | Third-party dependencies | Cloud providers, critical vendors, SaaS dependencies |
| 8 | Incidents | Historical incident data | Past incidents (last 3 years), types, security training status |
3. Security Score Algorithm
The scoring algorithm starts from a base score of 500 and applies additive and subtractive adjustments based on questionnaire responses. The final score is clamped to the range 0–1000. Because every adjustment is a fixed point value keyed to a questionnaire answer, the score is deterministic and can be reproduced from the stored responses; note that the inputs are self-reported by the underwriter or the company and are not verified by automated scanning.
score = 500 // Base score
// Apply all adjustments from questionnaire responses
score += sum(adjustments)
// Clamp to valid range
final_score = max(0, min(1000, score))
3.1 Multi-Factor Authentication (MFA)
| MFA Coverage | Adjustment |
|---|---|
| All users | +100 |
| Remote / admin users only | +50 |
| No MFA | -100 |
3.2 Endpoint Detection & Response (EDR)
| EDR Status | Adjustment |
|---|---|
| EDR deployed | +80 |
| No EDR | 0 |
3.3 Encryption
| Encryption Type | Adjustment |
|---|---|
| Encryption at rest | +30 |
| Encryption in transit | +30 |
3.4 Backup Strategy
| Backup Configuration | Adjustment |
|---|---|
| Daily or hourly backups | +30 |
| Weekly backups | +15 |
| Immutable backups | +20 |
| Offline / air-gapped backups | +10 |
| No backups | -80 |
Exactly one frequency row (daily/hourly, weekly, or none) applies; the immutable and offline rows are independent modifiers added on top of the frequency adjustment, so a company with hourly, immutable, offline backups receives +60.
3.5 Patch Management
| Patch Cadence | Adjustment |
|---|---|
| Critical patches within 7 days | +30 |
| Critical patches within 14 days | +20 |
| Critical patches within 30 days | +10 |
3.6 Vulnerability Scanning
| Scanning Frequency | Adjustment |
|---|---|
| Continuous / weekly / monthly | +40 |
| Quarterly | +20 |
3.7 Penetration Testing
| Pentest Frequency | Adjustment |
|---|---|
| Annual or semi-annual | +30 |
| Less than annual / no regular pentest | 0 |
3.8 Network Security
| Control | Adjustment |
|---|---|
| Email security (SPF/DKIM/DMARC) | +20 |
| Web Application Firewall (WAF) | +20 |
| IDS / IPS | +15 |
3.9 Incident Response
| IR Capability | Adjustment |
|---|---|
| Documented IR plan | +20 |
| IR plan tested (tabletop / simulation) | +10 |
3.10 Certifications
| Certification | Adjustment |
|---|---|
| ISO 27001 | +15 |
| SOC2 Type II | +15 |
| SOC2 Type I | +15 |
3.11 Security Frameworks
| Implementation Level | Adjustment (per framework) |
|---|---|
| Fully implemented | +10 |
| Partially implemented | +5 |
3.12 Historical Incidents
| Rule | Adjustment |
|---|---|
| Each incident (last 3 years) | -50 |
| Maximum penalty cap | -200 (reached at four incidents; further incidents add no penalty) |
| Incidents older than 3 years | Not counted |
3.13 Security Training
| Training Type | Adjustment |
|---|---|
| Security awareness training | +15 |
| Phishing simulation program | +10 |
3.14 Complete Scoring Formula
final_score = max(0, min(1000,
500 // Base
+ mfa_adjustment // -100 to +100
+ edr_adjustment // 0 or +80
+ encryption_at_rest // 0 or +30
+ encryption_in_transit // 0 or +30
+ backup_frequency // -80 to +30
+ backup_immutable // 0 or +20
+ backup_offline // 0 or +10
+ patch_cadence // 0 to +30
+ vuln_scanning // 0 to +40
+ pentest // 0 or +30
+ email_security // 0 or +20
+ waf // 0 or +20
+ ids_ips // 0 or +15
+ ir_plan // 0 or +20
+ ir_tested // 0 or +10
+ sum(certifications) // 0 to +45
+ sum(frameworks) // 0 to +10 each
+ incident_penalty // -200 to 0
+ security_training // 0 or +15
+ phishing_simulation // 0 or +10
))
// Theoretical range (frameworks excluded, since their count is open-ended):
// Minimum: max(0, 500 - 100 (no MFA) - 80 (no backups) - 200 (incident cap)) = 120
// Maximum: min(1000, 500 + 100 (MFA) + 80 (EDR) + 60 (encryption) + 30 (backup frequency)
//          + 20 (immutable) + 10 (offline) + 30 (patching) + 40 (scanning) + 30 (pentest)
//          + 55 (network) + 30 (IR) + 45 (certifications) + 25 (training))
//        = min(1000, 1055) = 1000; framework points only push the unclamped sum higher
4. Score Band Assignment
After computing the final score, it is mapped to a letter-grade band consistent with Rankiteo's standard rating scale:
| Band | Score Range | Risk Interpretation | Typical Premium Impact |
|---|---|---|---|
| Aaa | 900 – 1000 | Exceptional security posture | Maximum discount |
| Aa | 850 – 899 | Very strong security | Significant discount |
| A | 800 – 849 | Strong security | Moderate discount |
| Baa | 750 – 799 | Adequate security | Base rate |
| Ba | 700 – 749 | Below average security | Slight surcharge |
| B | 650 – 699 | Weak security | Moderate surcharge |
| Caa | 600 – 649 | Very weak security | Significant surcharge |
| Ca | 550 – 599 | Highly vulnerable | May require exclusions |
| C | 0 – 549 | Critical deficiencies | Decline or restrict coverage |
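The rules in sections 3.1 to 3.14 and the band table above, implemented as one runnable scorer. This is an added example, not Rankiteo's own code: the point values, incident cap, clamp and band cut-offs come from the tables, while the `Responses` field names, the answer identifiers (`"all"`, `"remote_admin"`, `"none"`, `"soc2_type2"`, ...) and the three-year incident window measured as 1095 days are assumptions. It returns the per-control breakdown next to the clamped score so an underwriter can see which answers moved the score, rejects unrecognised answers rather than scoring them as zero, and reproduces the 120-point worst case from section 3.14.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

BASE_SCORE = 500
INCIDENT_PENALTY_EACH, INCIDENT_PENALTY_CAP = -50, -200   # section 3.12
INCIDENT_WINDOW_DAYS = 3 * 365   # "last 3 years", approximated in days (assumption)

# Point values transcribed from sections 3.1 to 3.13 and 4. The option
# identifiers ("all", "remote_admin", ...) are assumed names, not the page's.
MFA = {"all": 100, "remote_admin": 50, "none": -100}
BACKUP_FREQUENCY = {"hourly": 30, "daily": 30, "weekly": 15, "none": -80}
PATCH_CADENCE = [(7, 30), (14, 20), (30, 10)]   # (critical-patch SLA in days, points)
VULN_SCANNING = {"continuous": 40, "weekly": 40, "monthly": 40, "quarterly": 20}
PENTEST = {"annual": 30, "semi_annual": 30}
CERTIFICATIONS = {"iso27001": 15, "soc2_type2": 15, "soc2_type1": 15}
FRAMEWORK_LEVEL = {"full": 10, "partial": 5}
BANDS = [(900, "Aaa"), (850, "Aa"), (800, "A"), (750, "Baa"), (700, "Ba"),
         (650, "B"), (600, "Caa"), (550, "Ca"), (0, "C")]   # band lower bounds

@dataclass
class Responses:                     # one company's answers; field names are assumptions
    mfa: str = "none"
    edr: bool = False
    encryption_at_rest: bool = False
    encryption_in_transit: bool = False
    backup_frequency: str = "none"
    backup_immutable: bool = False
    backup_offline: bool = False
    critical_patch_days: int | None = None       # None: no patch SLA
    vuln_scanning: str | None = None
    pentest: str | None = None
    email_security: bool = False                 # SPF/DKIM/DMARC
    waf: bool = False
    ids_ips: bool = False
    ir_plan: bool = False
    ir_tested: bool = False
    certifications: list[str] = field(default_factory=list)
    frameworks: dict[str, str] = field(default_factory=dict)   # name -> "full" | "partial"
    incident_dates: list[date] = field(default_factory=list)
    awareness_training: bool = False
    phishing_simulation: bool = False

def _choice(table: dict[str, int], value: str | None, what: str, optional: bool) -> int:
    """An unrecognised answer is an input error, not a silent zero, so a typo
    in a stored response cannot quietly move a score."""
    if value is None and optional:
        return 0
    if value not in table:
        raise ValueError(f"unknown {what}: {value!r}")
    return table[value]

def incident_points(incidents: list[date], today: date) -> int:
    """-50 per incident inside the window, floored at the -200 cap."""
    ages = [(today - d).days for d in incidents]
    if any(a < 0 for a in ages):
        raise ValueError("incident dated in the future")
    return max(INCIDENT_PENALTY_CAP, INCIDENT_PENALTY_EACH * sum(a <= INCIDENT_WINDOW_DAYS for a in ages))

def adjustments(r: Responses, today: date) -> dict[str, int]:
    """Every term of the section 3.14 formula, by name, so a score can be audited."""
    days = r.critical_patch_days
    return {
        "mfa": _choice(MFA, r.mfa, "MFA coverage", optional=False),
        "edr": 80 if r.edr else 0,
        "encryption_at_rest": 30 if r.encryption_at_rest else 0,
        "encryption_in_transit": 30 if r.encryption_in_transit else 0,
        "backup_frequency": _choice(BACKUP_FREQUENCY, r.backup_frequency, "backup frequency", optional=False),
        "backup_immutable": 20 if r.backup_immutable else 0,
        "backup_offline": 10 if r.backup_offline else 0,
        "patch_cadence": next((p for limit, p in PATCH_CADENCE if days is not None and days <= limit), 0),
        "vuln_scanning": _choice(VULN_SCANNING, r.vuln_scanning, "scan frequency", optional=True),
        "pentest": _choice(PENTEST, r.pentest, "pentest frequency", optional=True),
        "email_security": 20 if r.email_security else 0,
        "waf": 20 if r.waf else 0,
        "ids_ips": 15 if r.ids_ips else 0,
        "ir_plan": 20 if r.ir_plan else 0,
        "ir_tested": 10 if r.ir_tested else 0,
        # set(): a certification listed twice is counted once
        "certifications": sum(_choice(CERTIFICATIONS, c, "certification", optional=False) for c in set(r.certifications)),
        "frameworks": sum(_choice(FRAMEWORK_LEVEL, lvl, "framework level", optional=False) for lvl in r.frameworks.values()),
        "incident_penalty": incident_points(r.incident_dates, today),
        "security_training": 15 if r.awareness_training else 0,
        "phishing_simulation": 10 if r.phishing_simulation else 0,
    }

def band_for(score: int) -> str:
    return next(name for floor, name in BANDS if score >= floor)

def compute_score(r: Responses, today: date | None = None) -> tuple[int, str, dict[str, int]]:
    """Return (final_score, band, breakdown); breakdown["raw"] is the unclamped sum."""
    adj = adjustments(r, today or date.today())
    raw = BASE_SCORE + sum(adj.values())
    final = max(0, min(1000, raw))          # clamp to 0..1000
    return final, band_for(final), {**adj, "raw": raw}
```

Two things worth checking with this in hand: a company that answers "none" to every control but reports no incidents and keeps MFA and backups at their penalised values sits at 320, and one that simply has no positive controls but avoids the penalties lands on the base score of 500, which is already band C. The base score is therefore not a neutral rating but the floor a company climbs from by evidencing controls. Re-running `compute_score` over the persisted questionnaire responses is also the natural audit check for a stored score, since the algorithm has no inputs other than those answers.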
5. Data Storage
Custom company data is persisted across multiple Rankiteo platform components to integrate seamlessly with the existing data architecture:
| Data Source | Purpose | Key Information |
|---|---|---|
| Custom company repository | Master record for custom companies | Company identifier, name, domain, questionnaire responses, created by |
| Company intelligence database | Company profile (same format as auto-scanned companies) | Company identifier, industry, employees, revenue, domain |
| Company security scoring engine | Computed cybersecurity score | Company identifier, score, band, computed at, source: "questionnaire" |
| Portfolio management system | Portfolio membership (auto-added) | User identifier, company identifiers |
| Cyber incident intelligence feed | Incident records (if user reports historical incidents) | Company identifier, type, date, source: "questionnaire" |
| Supply chain dependency graph | Supply chain dependency mappings | Company identifier, provider identifier, provider type |
6. Supply Chain Integration
When a user selects cloud providers in Step 7 (Supply Chain) of the questionnaire, the system automatically maps them to known Rankiteo-tracked entities. This enables supply chain risk propagation and concentration analysis.
6.1 Cloud Provider Auto-Mapping
| User Selection | Mapped Entity ID | Rankiteo Entity |
|---|---|---|
| AWS | amazon-web-services | Amazon Web Services, Inc. |
| Azure | microsoft | Microsoft Corporation |
| GCP | google | Google LLC |
| Oracle Cloud | oracle | Oracle Corporation |
| IBM Cloud | ibm | IBM Corporation |
These mappings are stored in the supply chain dependency graph and are used by downstream analytics (e.g., loss exceedance modeling) to assess correlated risk from shared infrastructure providers.
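The section 6.1 mapping as an added example (not the platform's code), extended to accept common spellings of the five providers, to collapse duplicate selections into a single dependency edge, and to compute the provider concentration figure that the text says downstream analytics consume. The alias list, the `"cloud"` provider type, the 50% concentration threshold and the four-company portfolio are constructed for the example; only the five entity IDs come from the table.

```python
from collections import defaultdict

# Entity IDs and names from the section 6.1 table.
CLOUD_ENTITIES = {
    "aws": ("amazon-web-services", "Amazon Web Services, Inc."),
    "azure": ("microsoft", "Microsoft Corporation"),
    "gcp": ("google", "Google LLC"),
    "oracle cloud": ("oracle", "Oracle Corporation"),
    "ibm cloud": ("ibm", "IBM Corporation"),
}
# Extra spellings accepted on top of the table's labels (assumed, not the page's list).
ALIASES = {
    "amazon web services": "aws", "amazon": "aws",
    "microsoft azure": "azure", "ms azure": "azure",
    "google cloud": "gcp", "google cloud platform": "gcp",
    "oci": "oracle cloud", "oracle": "oracle cloud", "oracle cloud infrastructure": "oracle cloud",
    "ibm": "ibm cloud",
}

def normalise(selection: str) -> str:
    key = " ".join(selection.lower().split())   # case- and whitespace-insensitive
    return ALIASES.get(key, key)

def map_cloud_providers(company_id: str, selections: list[str]):
    """Dependency edges (company_id, provider_id, 'cloud') for recognised selections,
    plus the selections that did not map. Unmapped names are returned rather than
    dropped so the wizard can ask the user instead of silently losing a dependency."""
    edges, unmapped, seen = [], [], set()
    for s in selections:
        key = normalise(s)
        if key not in CLOUD_ENTITIES:
            unmapped.append(s)
            continue
        provider_id = CLOUD_ENTITIES[key][0]
        if provider_id not in seen:     # "AWS" and "Amazon Web Services" are one edge
            seen.add(provider_id)
            edges.append((company_id, provider_id, "cloud"))
    return edges, unmapped

def provider_concentration(edges, portfolio_company_ids) -> dict[str, float]:
    """Fraction of the portfolio depending on each provider: the exposure that an
    outage or breach at a shared provider would correlate across."""
    dependents = defaultdict(set)
    for company_id, provider_id, _ in edges:
        if company_id in portfolio_company_ids:
            dependents[provider_id].add(company_id)
    n = len(portfolio_company_ids)
    return {p: len(c) / n for p, c in dependents.items()}

def concentrated_providers(concentration: dict[str, float], threshold: float = 0.5) -> list[str]:
    """Providers on which at least `threshold` of the portfolio depends (threshold assumed)."""
    return sorted(p for p, share in concentration.items() if share >= threshold)

def build_demo_graph():
    """Constructed Step 7 selections for four custom companies (sample data, not real)."""
    selections = {
        "cc-1": ["AWS", "Amazon Web Services", "Azure"],
        "cc-2": ["aws"],
        "cc-3": ["Google Cloud Platform", "Hetzner"],   # Hetzner is not a tracked entity here
        "cc-4": ["OCI", "IBM"],
    }
    edges, unmapped = [], {}
    for cid, sel in selections.items():
        e, u = map_cloud_providers(cid, sel)
        edges.extend(e)
        if u:
            unmapped[cid] = u
    return edges, unmapped
```

On the constructed portfolio, half of the companies depend on AWS, which is what the concentration figure is meant to surface before it reaches the loss exceedance model; the unmapped "Hetzner" entry shows why a free-text provider that is not in the tracked set must be reported back rather than discarded, since a dropped dependency understates correlated exposure.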
7. Portfolio Integration
Upon successful creation, the custom company is automatically added to the creating user's active portfolio. This ensures immediate availability in:
- Premium Estimation — the computed score feeds directly into the pricing engine
- Loss Exceedance Modeling — the company is included in Monte Carlo simulations
- Claims Correlation — any reported incidents are factored into portfolio-level analysis
- Portfolio Dashboard — the company appears alongside auto-scanned companies with a "Custom" badge
// Portfolio auto-addition on company creation
// When a custom company is created, the system automatically
// adds the new company identifier to the creating user's
// active portfolio, ensuring immediate availability across
// all portfolio analytics modules.
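The writes listed in the section 5 table and the portfolio auto-addition in section 7, as an added example (not Rankiteo's implementation) using an in-memory SQLite stand-in for the six platform components. The table and column names and the CHECK constraint on the score range are assumptions; the `source: "questionnaire"` marker and the auto-add to the creating user's portfolio follow the text, and the score and band are passed in from the scoring step rather than recomputed here. The point the example adds is that all six writes happen in one transaction: if any step fails, nothing is left behind, so a company cannot show up on the portfolio dashboard without a score, or hold a score without a master record.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Simplified stand-ins for the six components in the section 5 table (assumed schema).
SCHEMA = """
CREATE TABLE custom_company   (company_id TEXT PRIMARY KEY, name TEXT NOT NULL, domain TEXT,
                               responses_json TEXT NOT NULL, created_by TEXT NOT NULL);
CREATE TABLE company_profile  (company_id TEXT PRIMARY KEY, industry TEXT, employees INTEGER,
                               revenue REAL, domain TEXT);
CREATE TABLE security_score   (company_id TEXT PRIMARY KEY, score INTEGER NOT NULL,
                               band TEXT NOT NULL, computed_at TEXT NOT NULL, source TEXT NOT NULL,
                               CHECK (score BETWEEN 0 AND 1000));
CREATE TABLE portfolio_member (user_id TEXT NOT NULL, company_id TEXT NOT NULL,
                               PRIMARY KEY (user_id, company_id));
CREATE TABLE incident         (company_id TEXT NOT NULL, type TEXT NOT NULL, date TEXT NOT NULL,
                               source TEXT NOT NULL);
CREATE TABLE supply_chain_edge(company_id TEXT NOT NULL, provider_id TEXT NOT NULL,
                               provider_type TEXT NOT NULL, PRIMARY KEY (company_id, provider_id));
"""
TABLES = ["custom_company", "company_profile", "security_score",
          "portfolio_member", "incident", "supply_chain_edge"]

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def create_custom_company(conn, *, company_id, user_id, profile, responses,
                          score, band, incidents=(), provider_ids=()) -> bool:
    """Write the master record, profile, score, incidents, dependency edges and
    portfolio membership as one transaction. `with conn:` commits on success and
    rolls back on any exception, so a failed step (constraint violation, out-of-range
    score, duplicate edge) leaves no half-created company behind."""
    computed_at = datetime.now(timezone.utc).isoformat()
    try:
        with conn:
            conn.execute("INSERT INTO custom_company VALUES (?,?,?,?,?)",
                         (company_id, profile["name"], profile["domain"],
                          json.dumps(responses, sort_keys=True), user_id))
            conn.execute("INSERT INTO company_profile VALUES (?,?,?,?,?)",
                         (company_id, profile["industry"], profile["employees"],
                          profile["revenue"], profile["domain"]))
            conn.execute("INSERT INTO security_score VALUES (?,?,?,?,?)",
                         (company_id, score, band, computed_at, "questionnaire"))
            conn.executemany("INSERT INTO incident VALUES (?,?,?,?)",
                             [(company_id, t, d, "questionnaire") for t, d in incidents])
            conn.executemany("INSERT INTO supply_chain_edge VALUES (?,?,?)",
                             [(company_id, p, "cloud") for p in provider_ids])
            # Section 7: auto-add to the creating user's active portfolio.
            conn.execute("INSERT INTO portfolio_member VALUES (?,?)", (user_id, company_id))
    except sqlite3.Error:
        return False
    return True

def portfolio_of(conn, user_id) -> list[str]:
    return [r[0] for r in conn.execute(
        "SELECT company_id FROM portfolio_member WHERE user_id=? ORDER BY company_id", (user_id,))]

def score_of(conn, company_id):
    return conn.execute("SELECT score, band, source FROM security_score WHERE company_id=?",
                        (company_id,)).fetchone()

def rows_for(conn, company_id) -> dict[str, int]:
    """Row count per component for one company; all zero after a rolled-back create.
    Table names come from the fixed TABLES list, never from user input."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t} WHERE company_id=?",
                            (company_id,)).fetchone()[0] for t in TABLES}
```

`rows_for` is the consistency check a practitioner wants after an incident: every custom company should have exactly one row in the first three tables and at least one portfolio membership, and any company for which that does not hold was written outside the transactional path.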
8. Glossary
| Term | Definition |
|---|---|
| Base Score | The starting score of 500 before any adjustments are applied from questionnaire responses. |
| MFA | Multi-Factor Authentication — requires two or more verification methods to access systems. |
| EDR | Endpoint Detection and Response — security solution that monitors endpoints for threats. |
| WAF | Web Application Firewall — filters and monitors HTTP traffic to web applications. |
| IDS/IPS | Intrusion Detection/Prevention System — monitors network traffic for malicious activity. |
| SOC2 | Service Organization Control 2 — a compliance framework for managing customer data based on trust service criteria. |
| ISO 27001 | International standard for information security management systems (ISMS). |
| NIST CSF | National Institute of Standards and Technology Cybersecurity Framework. |
| Score Band | A letter-grade rating (Aaa through C) derived from the numeric 0–1000 score. |
| Supply Chain Mapping | The process of linking a company to its known technology providers for risk propagation analysis. |
| Custom Company | A company created manually via the questionnaire rather than discovered through automated scanning. |