Cyber Hygiene Score

Cyber hygiene is the set of baseline security practices every internet-facing asset should have in place — correct HTTP security headers, strong TLS configuration, sane DNS records, no exposed sensitive files, and a responsive remediation workflow. FortWatch continuously checks these signals across your assets and rolls them into a single A–F score so you can see whether your overall security posture is improving or regressing at a glance.

The score combines HTTP security header coverage (Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy), TLS/SSL strength and certificate validity, DNS hygiene (SPF, DKIM, DMARC, CAA), sensitive file and directory exposure, open port posture, vulnerability severity distribution, remediation speed against SLA, and scan coverage across your asset inventory.

The underlying checks align with OWASP Secure Headers Project, Mozilla Observatory guidance, CIS Benchmarks for web server configuration, and the relevant controls in SOC 2 (CC6 Logical and Physical Access), ISO 27001 Annex A.8, and PCI DSS 4.0 requirements 2 and 6. The score is a practical rollup of these frameworks rather than a certification of any one of them.

Each header finding comes with a specific remediation: the exact header name, a recommended value tuned to your stack, the server or CDN location to set it in (Nginx, Apache, Cloudflare, Vercel, etc.), and an AI-generated explanation of the risk if it stays missing. For headers like Content-Security-Policy that require careful rollout, FortWatch suggests a report-only policy first and tracks violation reports over time before you enforce.

The score weighs four buckets: vulnerability severity (CVSS-weighted, critical issues dominate), remediation speed (how quickly you close findings relative to SLA), scan coverage (percentage of assets actively scanned on schedule), and configuration hygiene (headers, TLS, DNS, exposures). Each bucket is normalized, combined, and mapped to a letter grade. The algorithm is deterministic — the same inputs always produce the same score.

Yes. The score and its underlying evidence — timestamped header checks, TLS scans, remediation history — are exportable as audit artifacts and map directly to SOC 2 CC7.1 (system monitoring), CC6.6 (network security), and ISO 27001 controls for secure configuration and vulnerability management. Many teams use the score trend as continuous evidence between audits rather than relying on point-in-time snapshots.

Baseline checks run on your scan schedule — typically daily for hygiene signals like headers, TLS, and DNS, and per full scan for deeper vulnerability and exposure checks. Any asset change (new subdomain, new IP, certificate renewal) triggers an immediate re-check so the score reflects your current posture rather than a stale snapshot.

Yes. Marking a finding as fixed triggers a re-check of that specific control, and the score recalculates as soon as the new evidence arrives. You see the impact of each remediation immediately, which makes it easy to prioritize the fixes that will raise your grade the most.