Security Ratings Are a Dangerous Fantasy

Inaccurate Results, Lousy Data, No Predictive Power, False Confidence, False Security. How Did We Get Here, and How Can We Do Better?

In this white paper, we explore why security ratings do not predict breaches, do not help people make valuable business decisions, and do not make anyone safer. This piece explores the limitations of risk scores, including:

        • High rate of false positives/misattribution: Such as when an IP range or domain name is assigned to an entity but has not been used by them in years.
        • Incomplete data: Poor visibility into cloud environments, where dynamic hosting makes assets difficult to find, and multi-tenancy makes assets hard to attribute.
        • Low data refresh rates: By the time you read them, security ratings are already out of date.


And looks at potential paths forward other than risk scores to help organizations improve their cybersecurity posture and drive meaningful operational outcomes.


In alignment with General Data Regulation (GDPR) guidelines we are asking for your permission to stay in touch.  Please opt-in to ensure you can have access to the latest Palo Alto news, activities and insights.