SecurityScorecard is a comprehensive cyber security risk ratings platform that continuously monitors the cyber security health of organizations to inform on cyber security risk management. SecurityScorecard identifies public-facing vulnerabilities that create a security risk.
Why integrate SecurityScorecard into the Vulcan Platform?
The SecurityScorecard Connector by Vulcan integrates with the SecurityScorecard platform to pull and ingest SecurityScorecard website-type assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform processes the ingested findings to correlate, consolidate, and contextualize them, and the result feeds risk scoring and remediation priority.
SecurityScorecard Connector details
The SecurityScorecard connector maps each SecurityScorecard domain to a Website asset in the Vulcan Platform.
Note: The vendor also displays positive findings (AKA "Positive Signals"), which are not fetched into the Vulcan Platform.
Ingested asset type(s): Websites (DAST)
Direction: unidirectional (data is transferred from SecurityScorecard to the Vulcan Platform in one direction only)
Supported version and type
Prerequisites and user permissions
Before you begin configuring the connector, make sure you have the following:
SecurityScorecard API Token
API tokens are available only on SecurityScorecard Business or Enterprise accounts.
Generating SecurityScorecard API Token:
Generating a token for the SecurityScorecard API is straightforward: there is only one type of API user and no permissions hierarchy, so the token carries the full read access of the account.
Go to your SecurityScorecard platform.
Go to your Account > My Settings
Go to API
Click on "Generate New API Token" and then on Confirm.
Copy the generated API token and store it somewhere safe. It is the credential the connector uses to read your scorecard data, so handle it like a password: keep it in a secrets manager rather than in a shared document, and regenerate it if it is ever exposed.
Configuring the SecurityScorecard Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the SecurityScorecard icon.
Set up the connector as follows:
The SecurityScorecard platform displays informational findings in addition to the high-, medium-, and low-severity findings. If relevant, check the "Pull Informational findings" checkbox to pull informational findings as well; otherwise they are left out of the sync.
SecurityScorecard has custom scorecards. If relevant, check the "Ingest Custom Scorecards data" checkbox to pull custom scorecards data. Otherwise, only the main scorecards are pulled.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your SecurityScorecard instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. You can review the sync progress under Log, and confirm completion on the Connectors tab: once the SecurityScorecard icon shows Connected, the connection is complete.
SecurityScorecard in the Vulcan Platform
Locating SecurityScorecard vulnerabilities in the Vulcan Platform
As SecurityScorecard discovers vulnerabilities, the connector imports them into the Vulcan Platform for reporting and action. To view only the vulnerabilities that came from this connector, filter by vulnerability source:
Open the Vulcan Platform dashboard and navigate to the Vulnerabilities.
Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.
Locate SecurityScorecard on the vulnerability source/Connector list and click to filter results.
Click on any vulnerability to view further information.
Locating SecurityScorecard Website assets in the Vulcan Platform
To locate all retrieved Website assets from SecurityScorecard:
Open the Vulcan Cyber dashboard and navigate to Assets.
Click on the Websites tab.
Click on the Search or filter websites input box and select Connector from the drop-down selection.
Locate the SecurityScorecard option to view all synced assets.
Automating actions on vulnerabilities detected by SecurityScorecard
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the SecurityScorecard Connector.
See the Vulcan Cyber Platform documentation on creating automations to learn how to set this up.
From SecurityScorecard to the Vulcan Platform
The Vulcan Platform integrates with SecurityScorecard through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
The field-mapping table for this connector lists, per object, the asset uniqueness criteria*, the field used as Vulcan last seen time (the first candidate field that has a value), the vulnerability uniqueness criteria*, the asset-vulnerability connection uniqueness criteria, status changes (including resurfacing), the info tooltip shown on the Assets screen, the solution uniqueness criteria, and the "Fix for" vulnerability title. The vendor-side field names for those columns are not reproduced on this page.
* Uniqueness criteria are the set of fields whose combination determines whether two records are the same vulnerability or asset. The connector uses:
asset - company_domain
vuln - issue_type / issue_key
solution - issue_type / issue_key
vuln_asset_connection - issue_id
solution_vuln_connection - issue_type / issue_key
Vulnerability status mapping: the vendor-side rows of the mapping table are "Vulnerability no longer appears on SecurityScorecard", "Ignored - False Positive", and "Ignored - Risk Acknowledged"; the Vulcan-side status column is not reproduced on this page (the documented Vulnerable-to-Fixed rules are under Status update mechanisms).
Vulnerability score mapping
Positive Findings (Positive Signals)
Positive findings/signals are not fetched into the Vulcan Platform.
Status update mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The status update mechanism in the SecurityScorecard connector works as follows for the assets and vulnerabilities in the Vulcan Platform:
- An asset not found on the connector's last sync is archived and no longer presented on the Vulcan Platform.
- A vulnerability instance changes status from "Vulnerable" to "Fixed" when the vulnerability status on the vendor side changes to "Technical Remediation", or when the vulnerability no longer appears in the scan findings.
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync time (the next day).
API Endpoints in use: the table listing each SecurityScorecard API endpoint and its use in Vulcan is not reproduced on this page.
How do I validate the data between SecurityScorecard and the Vulcan Platform?
When validating the data between the SecurityScorecard platform and the Vulcan Platform, the number of unique vulnerabilities fetched into the Vulcan Platform should match the total number of SecurityScorecard findings under HIGH, MEDIUM, and LOW, plus INFORMATIONAL if the connector is configured to fetch it. Keep in mind that Vulcan does not fetch "Positive Signals" findings, so exclude them from the vendor-side count, and that changes made on the vendor side after the last scheduled sync are not yet reflected in the Vulcan Platform.
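As an added example, not code from Vulcan or SecurityScorecard, the script below covers both the status update mechanism described above and this validation step: it replays one daily sync against the previous sync's snapshot using the uniqueness criteria listed on this page (company_domain for assets, issue_type/issue_key for vulnerabilities, issue_id for asset-vulnerability connections), applies the Positive Signals and informational filters, and returns the per-severity counts to compare against the Vulnerabilities page. The record layout, the issue type names, and every finding are constructed assumptions, not real API output.

```python
# Added example, not code from Vulcan or SecurityScorecard: one connector sync
# replayed against the previous sync's snapshot, using the uniqueness criteria
# and status rules described on this page.  The record layout (issue_id,
# issue_type, issue_key, company_domain, severity, status) is an assumption,
# and every finding below is constructed sample data.
from collections import Counter

POSITIVE = "POSITIVE"                 # "Positive Signals": never fetched into Vulcan
INFORMATIONAL = "INFORMATIONAL"       # fetched only when the checkbox is set
REMEDIATED = "Technical Remediation"  # vendor status that maps to Fixed


def vuln_key(finding):
    """Vulnerability uniqueness: issue_type / issue_key (many instances may share it)."""
    return (finding["issue_type"], finding["issue_key"])


def ingestible(findings, pull_informational=False):
    """Apply the connector's fetch filters to raw vendor findings."""
    kept = []
    for f in findings:
        if f["severity"] == POSITIVE:
            continue
        if f["severity"] == INFORMATIONAL and not pull_informational:
            continue
        kept.append(f)
    return kept


def sync(previous, findings, pull_informational=False):
    """Return the post-sync state of every vulnerability instance and asset.

    previous: {"instances": {issue_id: status}, "assets": {company_domain}}
    Rules from this page: an instance maps to Fixed when the vendor status is
    "Technical Remediation" or when it no longer appears; an instance that
    reappears after being Fixed resurfaces as Vulnerable; an asset not seen in
    this sync is archived.
    """
    current = ingestible(findings, pull_informational)
    instances = {}
    resurfaced = set()
    for f in current:
        iid = f["issue_id"]  # asset-vulnerability connection uniqueness: issue_id
        if f["status"] == REMEDIATED:
            instances[iid] = "Fixed"
        else:
            instances[iid] = "Vulnerable"
            if previous["instances"].get(iid) == "Fixed":
                resurfaced.add(iid)
    for iid in previous["instances"]:
        if iid not in instances:
            instances[iid] = "Fixed"  # dropped out of the scan findings
    assets = {f["company_domain"] for f in current}  # asset uniqueness: company_domain
    archived = previous["assets"] - assets
    return {"instances": instances, "resurfaced": resurfaced,
            "assets": assets, "archived": archived}


def expected_counts(findings, pull_informational=False):
    """Per-severity count of unique vulnerabilities the sync fetches: the numbers
    to compare against the Vulnerabilities page filtered by Vulnerability Source."""
    severity_by_vuln = {}
    for f in ingestible(findings, pull_informational):
        severity_by_vuln.setdefault(vuln_key(f), f["severity"])
    return Counter(severity_by_vuln.values())


# Constructed sample data: the last sync's snapshot and this sync's findings.
PREVIOUS = {
    "instances": {"i-1": "Vulnerable", "i-2": "Vulnerable", "i-3": "Fixed"},
    "assets": {"shop.example.com", "legacy.example.com"},
}


def finding(iid, itype, ikey, domain, severity, status="active"):
    return {"issue_id": iid, "issue_type": itype, "issue_key": ikey,
            "company_domain": domain, "severity": severity, "status": status}


FINDINGS = [
    finding("i-1", "tls_weak_cipher", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "shop.example.com", "HIGH"),
    finding("i-3", "spf_record_missing", "example.com", "shop.example.com", "MEDIUM"),  # was Fixed: resurfaces
    finding("i-4", "csp_no_policy", "www.example.com", "www.example.com", "LOW", status=REMEDIATED),
    finding("i-5", "tls_weak_cipher", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "www.example.com", "HIGH"),  # same vuln, 2nd instance
    finding("i-6", "cookie_missing_secure", "www.example.com", "www.example.com", "INFORMATIONAL"),
    finding("i-7", "hsts_enabled", "www.example.com", "www.example.com", "POSITIVE"),
    # "i-2" is absent from this sync, so it maps to Fixed; legacy.example.com is archived
]

if __name__ == "__main__":
    result = sync(PREVIOUS, FINDINGS)
    print("instance statuses:", result["instances"])
    print("resurfaced:", result["resurfaced"], "archived assets:", result["archived"])
    print("expected per-severity counts:", dict(expected_counts(FINDINGS)))
    print("with informational:", dict(expected_counts(FINDINGS, pull_informational=True)))
```

Note that i-1 and i-5 share issue_type/issue_key and therefore count as one unique vulnerability with two asset-vulnerability connections; if your vendor-side tally counts per finding rather than per issue, compare it against the number of ingestible instances instead.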