
    Bitsight for Security Performance Management

    Sold by: Bitsight 
    Deployed on AWS
    Drive accountability and transparency across the organization based on a uniform security performance target. With this governance framework in place, measure the effectiveness of security controls, analyze the attack surface, prioritize findings and track remediation activities. Annual subscription.

    Overview

    Bitsight pioneered the security ratings industry in 2011, creating our cybersecurity ratings platform. Today, the Bitsight rating is known around the world as a trusted analytic to help organizations understand and manage cyber risk.

    Leveraging the Bitsight Security Rating, the only rating independently correlated to the likelihood of a breach and a company's stock performance, over 2,400 companies build trust in their cybersecurity and third-party risk management program. Bitsight helps organizations drive market decisions, like credit analysis, financial ratings, pricing, ESG frameworks, and Mergers and Acquisitions activity. This gives confidence to vendors and the extended organization, enabling a safe and more secure world by empowering better cyber risk decisions.

    Bitsight helps organizations identify, quantify, and reduce cyber risk

    Bitsight Security Performance Management (SPM) measures an organization's cybersecurity performance over time. With continuous visibility of the organization's extended digital footprint and a differentiated view of the organization's unique hierarchical structure, SPM facilitates organizational cyber risk oversight. Security leaders and their teams rely on BitSight SPM for:

    For custom pricing offers, please contact: bitsightawsmp-customoffer@bitsight.com 

    Highlights

    • 44+ trillion raw events collected & 100 billion new events collected each day
    • 40 million rated organizations worldwide with 12+ months of historical data included



    Pricing

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (1)

    Dimension: SPM Enterprise Combined
    Description: per license (includes 20 benchmarking subscriptions)
    Cost/12 months: $138,550.00

    Vendor refund policy

    No refunds


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.


    Support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.


    Accolades

    • Top 50 in Device Security
    • Top 10 in Procurement & Supply Chain, Legal & Compliance
    • Top 10 in Centralized Risk Management


    Overview

    AI generated from product descriptions

    • Security Rating Platform: Independently correlated cybersecurity ratings platform that measures organizational security performance and likelihood of breach correlation.
    • Event Data Collection and Analysis: Processes 44+ trillion raw events with 100 billion new events collected daily for threat intelligence and risk assessment.
    • Historical Data and Benchmarking: Provides 12+ months of historical security performance data across 40 million rated organizations for trend analysis and comparative assessment.
    • Attack Surface Analysis: Analyzes and provides visibility of extended digital footprint and organizational hierarchical structure for cyber risk oversight.
    • Remediation Tracking and Prioritization: Enables prioritization of security findings and tracking of remediation activities with accountability framework across the organization.
    • Continuous Security Monitoring: Monitors 10 risk factor groups continuously across more than 12 million companies using non-intrusive and proprietary data collection methods combined with trusted commercial and open-source threat feeds.
    • Quantitative Risk Assessment: Delivers quantitative evaluation of cybersecurity posture with an easy-to-understand A to F rating system for rapid vulnerability identification and remediation.
    • Third-Party Risk Management: Enables objective 360-degree assessment of vendor cybersecurity risks by combining inside-out questionnaire validation with outside-in security ratings to cut through questionnaire noise.
    • Automated Questionnaire Validation: Supports sending, completing, and auto-validating questionnaires at scale with automatic insight generation into the validity of responses leveraging security ratings data.
    • Multi-Use Risk Management Framework: Supports enterprise risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight use cases through a single platform.
    • Data-Driven Risk Quantification: Utilizes the FAIR™ Model to quantify and measure cyber risk with defensible, trustworthy data that meets regulatory requirements.
    • Unified Risk Management Platform: Consolidates first-party and third-party cyber risk visibility into a single platform with real-time monitoring and assessment capabilities.
    • Automated Telemetry Ingestion: Automatically ingests diverse telemetry signals from enterprise-wide controls to dynamically represent business exposure to cyber risks.
    • Risk Scenario Modeling: Provides a library of built-in cyber risk scenarios and enables creation of custom scenarios to visualize business risk exposure and map against known breaches.
    • Real-Time Risk Tracking: Delivers real-time, measurable tracking of cyber risk posture over time with continuous updates to industry breach data contextualized against organizational controls.


    Customer reviews

    Ratings and reviews

    4.6 (81 ratings)
    5 star: 72%
    4 star: 25%
    3 star: 4%
    2 star: 0%
    1 star: 0%
    1 AWS review | 80 external reviews
    External reviews are from G2 and PeerSpot.
    Aditya Vikram Raj

    Monitoring external exposure has improved risk scores and supports stronger cyber insurance outcomes

    Reviewed on Apr 04, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I was primarily using Bitsight for attack surface monitoring and external attack surface monitoring use case.

    I was monitoring all the alerts and the risk score that Bitsight provides. We mainly focused on improving the risk score for a particular organization for which we were using this in an MSSP setup. We were monitoring different scenarios and different alerts that Bitsight was throwing in, such as open ports cases, missing web application headers, and missing web application security headers. We then communicated this to our customer to get those particular things remediated so the risk score could improve over the portal.

    What is most valuable?

    The user interface and the area that Bitsight covers for attack surface monitoring use cases are excellent features. Bitsight's coverage ranges from open ports to web application security headers and web application headers, which in my opinion are the best features Bitsight offers. Bitsight also covers multiple other scenarios, including email headers, DMARC, and DKIM. Additionally, Bitsight scans for vulnerabilities across the system.

    We were able to remediate a lot of positive alerts and our risk score improved on their platform, which further helped us to drive better results in terms of cyber insurance. Cyber insurance providers look for attack surface monitored scores quite seriously, and if your score is good, you are very well covered from an insurance point of view.

    What needs improvement?

    There was one case scenario where a lot of parked domains were observed for a particular organization that we were monitoring via Bitsight. Bitsight flagged a missing web application header although no exact web applications or web application had been hosted on that particular domain, and it had been in a parked state. We had a discussion with the Bitsight team, and their concern was that although no web application was being hosted on that particular domain, it could still be exploited by threat groups. They provided examples in which those domains had already been leveraged by threat groups to emulate ransomware attacks.

    From their point of view, Bitsight continues to flag those particular domains in their platform under the missing web application headers criteria. If the number of findings increases for a particular month, your overall risk score decreases, which can become a challenge for a team working on this particular issue. Bitsight could work on this use case scenario where they could either exclude or include findings, or create a separate criteria which would not affect the score. When delivering reports to a CISO, CTO, or CIO level, the score is one of the things that gets focused on first. My suggestion is that Bitsight might consider whether findings from parked domains where no web application is being hosted really need to be included in the mainstream findings. Bitsight could create a separate tab or criteria where they could inform customers about these findings without directly including them in the total number of findings. If the total number of findings increases for a particular month, that will impact the overall score, which becomes a challenge for a team working in this field, and they have to explain why the score has dropped and whether remediations were not completed the previous month. This is an area that could be improved.

    For how long have I used the solution?

    I used this particular platform for more than one year in my last role at PwC.

    What do I think about the stability of the solution?

    Bitsight is quite stable in my experience without any downtime or reliability issues.

    What do I think about the scalability of the solution?

    Bitsight handles growth and increased workload well when it comes to scalability.

    How are customer service and support?

    Customer support seems fine to me, and I have interacted with them.

    Which solution did I use previously and why did I switch?

    Bitsight was my first external attack surface monitoring tool that I used, as I did not previously use a different solution before Bitsight.

    What other advice do I have?

    If you are exactly looking for external attack surface monitoring, and you are exploring options, then Bitsight is a very good option that you can explore. I have not worked on any other solutions, but as far as Bitsight is concerned, it gives flexibility in choosing third-party vendor risk agreements and licenses, or a first-party point of view. You can publish your own score as well in case you have any concerns. That flexibility particularly depends upon the license and agreement that you have, whether you are using it from a first-party perspective or a third-party perspective. Bitsight provides this flexibility. I would rate this review an overall rating of eight.

    Information Technology and Services

    Good Attack Surface Monitoring and Risk management

    Reviewed on Jan 07, 2026
    Review provided by G2
    What do you like best about the product?
    Attack surface monitoring, security ratings and descriptive analysis.
    What do you dislike about the product?
    Mitigating the risks in time to improve the score.
    What problems is the product solving and how is that benefiting you?
    It is helping to identify the risks with open ports, risk vendors and thus helps us to mitigate the risks and improve security rating.
    Matthew P.

    Effortless Cyber Risk Scoring for Proactive Security

    Reviewed on Jan 06, 2026
    Review provided by G2
    What do you like best about the product?
    What I like best about BitSight is that it gives companies a simple daily "security score" like a credit score for cyber risk.
    It watches your own systems and your vendors from the outside without bothering anyone, spotting problems early.
    This makes it super easy to fix the biggest risks first and keep everyone safer. It is easy to use.
    What do you dislike about the product?
    Bitsight can be laggy sometimes; also, the scoring mechanism is not transparent.
    What problems is the product solving and how is that benefiting you?
    I think the biggest problem is security at the company.
    Computer & Network Security

    Enhancing Security Posture Through BitSight’s Detailed Analysis

    Reviewed on Dec 16, 2025
    Review provided by G2
    What do you like best about the product?
    What I appreciate most about BitSight is its ability to provide findings across all domains based on WHOIS records. It also delivers detailed insights on web application headers, DMARC, DKIM, SSL configurations, and SSL certificates.
    What do you dislike about the product?
    Occasionally, BitSight reports incorrect findings for domains that do not have DNS records.
    What problems is the product solving and how is that benefiting you?
    BitSight addresses numerous domain and IP-based findings, making it highly beneficial for us. By providing detailed insights such as web application headers, DMARC configurations, and more, it simplifies the process of mitigating issues for the identified domains.
    Suresh A.

    Continuous monitoring has strengthened external security and improved customer trust

    Reviewed on Dec 10, 2025
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for Bitsight is finding vulnerabilities in the wild, especially in internet-facing web applications and networks.

    A specific example of how I have used Bitsight is that we do not know the current ongoing issues day-to-day. There are so many vulnerabilities and zero days that are exploitable and outside. With this platform, we are able to detect vulnerabilities quickly and notify the teams using our communication channel. Along with that, it also helps us to remediate quickly because when issues are identified, they should also be included in the remediation part. That is where we were able to sort it out quickly.

    Another use case I would add is that Bitsight builds customer trust because it provides a score based on severities or how the system is currently functioning. If our system is secure and we have strengthened the full security, then we will eventually have a good score. That is going to build customer trust.

    What is most valuable?

    The best features Bitsight offers include heavily using external vulnerability scans or network scans, which we have done for a couple of years.

    What I appreciate about the external scans feature in Bitsight is that it gives us continuous visibility into our externally exposed assets, which requires finding misconfigurations or any unexpected exposures much earlier than we would have caught through manual review period scans. This essentially allows my team to find issues quickly, and as we get notified, we can validate our attack surface. It helps us to reduce blind spots. We can prioritize remediation faster and validate changes by deploying fixes. Overall, it strengthens our security posture by monitoring and supporting our compliance programs.

    Regarding Bitsight's features, they offer different aspects that I agree with, especially in external scans. They also provide a rating based on your externally facing domains, which helps us to rate our scores and aids in building customer trust. They have the capabilities to assess the attack surface, so those are the main areas they focus on.

    Bitsight has positively impacted my organization by improving security and customer trust. It is impact-focused with measurable values that show us, for example, it has reduced our mean time to detect external exposure issues before we relied on periodic scans. Plus, it gives us continuous monitoring. Now we find misconfigurations within hours instead of days or weeks, which directly improves our overall security posture. It reduces risk as we catch high-risk exposures early, especially unexpected cloud assets or testing endpoints that accidentally went public. Each early detection helps us reduce the threat exposure time and strengthen the compliance program.

    What needs improvement?

    There are areas for improvement; we do notice sometimes finding vulnerabilities which gives us visibility to find them quickly. However, there could be a mechanism they can build on top of that for validation as they identify the issues. What will the real risk be for that identifiable issue? Sometimes it could be open because of the traffic; how they detected it could be seen as vulnerable, but upon testing, it might not be a real issue. It could be a false positive because there could be a honeypot that we built. My thinking is about validation, so if they can build that validation part before they expose the risk to the specific asset, that would help. Additionally, based on their reporting, they could also build risk scores and prioritization, which would also aid us.

    I would suggest adding dashboards and custom reporting, which could help us by enabling rich custom reports with filters. That is especially for leadership because they will not look at each technical area, but overall they would be looking at the risk score and what the assets or critical exposure areas are. Customizable reporting based on requirements would be valuable.

    I chose 9 out of 10 because the reporting and dashboards would be the first thing I would consider for improvement, and then the second is about the validation part, which could probably improve to 10 out of 10.

    I cannot think of too much for additional improvements. Maybe some good automation with the API solutions that could be integrated with the CI/CD pipeline or DevOps tools we are running would also be automated and tested.

    For how long have I used the solution?

    I have been using Bitsight in my past job as well as in my current job. I would say it is around eight years.

    What do I think about the stability of the solution?

    Bitsight is stable so far.

    What do I think about the scalability of the solution?

    The scalability of Bitsight is good; it is a cloud solution, so upon usage, it scales out without being a concern at this moment.

    How are customer service and support?

    We do interact with Bitsight's support team, and we do get a response back from them as defined in the SLAs.

    I would rate the customer support from Bitsight as 10 out of 10.

    Which solution did I use previously and why did I switch?

    Previously, I used SecurityScorecard, which is a competitor in that space. I think that Scorecard had functional issues, and because of that reason, we switched to Bitsight.

    How was the initial setup?

    My experience with pricing, setup cost, and licensing for Bitsight is overall good with the current price model.

    I feel the current pricing model is fair. The initial setup and licensing process was straightforward. I did not face any challenges in that part.

    What was our ROI?

    I do not have a good answer regarding return on investment with Bitsight.

    Which other solutions did I evaluate?

    Before choosing Bitsight, I did not evaluate too many options, but I compared between Bitsight and Scorecard, along with one more tool that I lost the name of, but Bitsight won out of those three.

    What other advice do I have?

    My advice for others looking into using Bitsight is that it is definitely a great tool, especially to identify blind spots. If your applications are internet-facing and you have customers using your products or your cloud-based solutions, whether SaaS or PaaS, this tool is going to build trust between the customer and the provider. As the tool deploys for your application or domains, it continuously scans and finds vulnerabilities and reports them. As you find and report, it is also going to build your domain score, showing how well you are doing with publicly available applications, especially those that are internet-facing. I gave this review a rating of 9 out of 10.
