Sold by: Bitsight
Deployed on AWS
Vendor Insights
Drive accountability and transparency across the organization based on a uniform security performance target. With this governance framework in place, measure the effectiveness of security controls, analyze the attack surface, prioritize findings and track remediation activities. Annual subscription.
4.5
Overview
Bitsight pioneered the security ratings industry in 2011, creating our cybersecurity ratings platform. Today, the Bitsight rating is known around the world as a trusted analytic to help organizations understand and manage cyber risk.
Leveraging the Bitsight Security Rating, the only rating independently correlated to the likelihood of a breach and a company's stock performance, over 2,400 companies build trust in their cybersecurity and third-party risk management program. Bitsight helps organizations drive market decisions, like credit analysis, financial ratings, pricing, ESG frameworks, and Mergers and Acquisitions activity. This gives confidence to vendors and the extended organization, enabling a safe and more secure world by empowering better cyber risk decisions.
Bitsight helps organizations identify, quantify, and reduce cyber risk
Bitsight Security Performance Management (SPM) measures an organization's cybersecurity performance over time. With continuous visibility of the organization's extended digital footprint and a differentiated view of the organizations unique hierarchical structure, SPM facilitates organizational cyber risk oversight. Security leaders and their teams rely on BitSight SPM for:
For custom pricing offers, please contact: bitsightawsmp-customoffer@bitsight.com
Highlights
- 44+ trillion raw events collected & 100 billion new events collected each day
- 40 million rated organizations worldwide with 12+ months of historical data included
- For custom pricing offers, please contact: bitsightawsmp-customoffer@bitsight.com
Details
Sold by
Delivery method
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Skip the manual risk assessment. Get verified and regularly updated security info on this product with Vendor Insights.
Security credentials achieved
(1)
SOC2
Buyer guide
Gain valuable insights from real users who purchased this product, powered by PeerSpot.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/12 months |
|---|---|---|
SPM Enterprise Combined | per license (includes 20 benchmarking subscriptions) | $138,550.00 |
Vendor refund policy
No refunds
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Vendor resources
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By Bitsight
By SecurityScorecard
By Safe Security
Top
50
In Device Security
Top
10
In Procurement & Supply Chain, Legal & Compliance
Top
10
In Centralized Risk Management
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Security Rating Platform
Independently correlated cybersecurity ratings platform that measures organizational security performance and likelihood of breach correlation.
Event Data Collection and Analysis
Processes 44+ trillion raw events with 100 billion new events collected daily for threat intelligence and risk assessment.
Historical Data and Benchmarking
Provides 12+ months of historical security performance data across 40 million rated organizations for trend analysis and comparative assessment.
Attack Surface Analysis
Analyzes and provides visibility of extended digital footprint and organizational hierarchical structure for cyber risk oversight.
Remediation Tracking and Prioritization
Enables prioritization of security findings and tracking of remediation activities with accountability framework across the organization.
Continuous Security Monitoring
Monitors 10 risk factor groups continuously across more than 12 million companies using non-intrusive and proprietary data collection methods combined with trusted commercial and open-source threat feeds.
Quantitative Risk Assessment
Delivers quantitative evaluation of cybersecurity posture with an easy-to-understand A to F rating system for rapid vulnerability identification and remediation.
Third-Party Risk Management
Enables objective 360-degree assessment of vendor cybersecurity risks by combining inside-out questionnaire validation with outside-in security ratings to cut through questionnaire noise.
Automated Questionnaire Validation
Supports sending, completing, and auto-validating questionnaires at scale with automatic insight generation into the validity of responses leveraging security ratings data.
Multi-Use Risk Management Framework
Supports enterprise risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight use cases through a single platform.
Data-Driven Risk Quantification
Utilizes the FAIR™ Model to quantify and measure cyber risk with defensible, trustworthy data that meets regulatory requirements.
Unified Risk Management Platform
Consolidates first-party and third-party cyber risk visibility into a single platform with real-time monitoring and assessment capabilities.
Automated Telemetry Ingestion
Automatically ingests diverse telemetry signals from enterprise-wide controls to dynamically represent business exposure to cyber risks.
Risk Scenario Modeling
Provides a library of built-in cyber risk scenarios and enables creation of custom scenarios to visualize business risk exposure and map against known breaches.
Real-Time Risk Tracking
Delivers real-time, measurable tracking of cyber risk posture over time with continuous updates to industry breach data contextualized against organizational controls.
Validated by AWS Marketplace
FedRAMP
GDPR
HIPAA
ISO/IEC 27001
PCI DSS
SOC 2 Type 2
-
-
-
-
-
No security profile
No security profile
Standard contract
No
No
No
Customer reviews
TarunKumar11
Continuous monitoring has improved vendor risk visibility and supports strategic decisions
Reviewed on Jun 02, 2026
Review from a verified AWS customer
What is our primary use case?
My main use case for Bitsight involves multiple reasons; I used it primarily for continuous vendor risk visibility, and I did not want to rely on annual questionnaires. Vendor onboarding risk assessment, continuous third-party monitoring, and high-risk vendor prioritization capability were essential, as I reported this back to the board and used it for executive dashboarding.
A specific example of how I used Bitsight for vendor risk visibility and prioritization is that it serves as an external cyber risk rating platform or a cybersecurity posture platform that provides outside-in visibility of an organization and third parties. I utilized the features for my third-party risk management framework, conducting attack surface understanding and visibility for third parties. It helped me with continuous monitoring and executive reporting. I view this as a continuous cyber risk intelligence layer that can be used for vendors and helps monitor enterprise risk exposure.
Regarding my main use case, I have nothing specific to add, except for the fact that I did not construe Bitsight as a vulnerability management tool or a scanner, which many organizations use this for. In order to manage the external exposure to the organization, wherein I could manage the domains, IPs, and cloud footprint of third-party service providers, it really helped me in conducting due diligence for potential partners and service providers, and it really supported the organization in merger and acquisition strategy.
What is most valuable?
The best features Bitsight offers include security ratings, also known as cyber score, which helps me do continuous monitoring. I can run this tool for a large number of high-risk vendors, enabling vendor benchmarking. External attack surface visibility is another feature that I used comprehensively, and third-party ecosystem monitoring provides that visibility. Finally, executive reporting dashboards sum everything up.
Among the features including security ratings, attack surface visibility, and executive reporting, scalability is what made the biggest difference for my team's day-to-day work. My colleagues responded positively to the continuous monitoring provided by Bitsight, enabling us to do vendor comparisons and benchmarking, leading to very good executive-friendly risk visualization.
Bitsight has positively impacted the organization by helping with vendor benchmarking and providing outside-in cyber visibility across hundreds of vendors, which is the biggest plus.
The impact includes more contextual prioritization, which is the biggest business benefit I gained. Reporting to the board, getting dashboards, visibility, and analytics is absolutely fine, but contextual prioritization allows me to assess which vendor has the largest exposure and where I need to be more careful, what kind of remediation activities need to be implemented, and this led to faster remediation visibility improvements with the vendor community.
What needs improvement?
There are opportunities for improvement in Bitsight. Better explainability of cyber scores is something that Bitsight can work upon, along with addressing false positives. Better cloud-native visibility to identify where service providers might be exposed, and further enhancements in predictive risk and analytics are areas that can be developed.
I covered the main points about needed improvements, emphasizing that everything else is operational and not a limitation on Bitsight's usage.
I would rate Bitsight closer to nine, or somewhere between eight and nine, because the reasons I do not rate it a ten relate to opportunities for improvement I mentioned, such as broader risk, cyber risk intelligence, and emphasis on supply chain risk intelligence. There is potential for improvement in AI-assisted prioritization as it matures.
I choose eight as my official rating of Bitsight.
I chose eight as my rating for Bitsight because it needs to move in the direction of providing broader risk, cyber risk analysis, working more on supply chain risk intelligence, and using AI for prioritization further. I talked about areas of improvement concerning predictive risk analysis, reduction of false positives, and better explainability of the scores, which justifies my rating as eight rather than ten.
Regarding Bitsight's AI capabilities, I am not very sure about the governance and security aspects of AI that Bitsight uses, as I am not aware of any policies they may have regarding AI usage for their services. However, I think AI should be used much more strongly to enhance predictive analysis by Bitsight.
The accuracy and reliability of Bitsight's output stem from its capability of using AI effectively. AI relies on a lot of data from continuous monitoring, enabling faster risk triaging based on the outcomes generated by the AI engine. I believe it is a highly reliable outcome, and the platform has a mature rating system, provides good benchmarks, and has strong enterprise acceptance, so the outcome from the AI engine is quite reliable but can be further improved for predictive assessments.
For how long have I used the solution?
I have been using Bitsight for over four years, precisely four and a half years, and I have actually used this at Nissan Motor Corporation, where I was the Global Deputy Chief Information Security Officer.
What do I think about the stability of the solution?
Bitsight is stable in my experience; I have not faced any significant downtime or reliability issues, aside from some minor occurrences. It is highly reliable, scalable, and always available.
What do I think about the scalability of the solution?
Bitsight's scalability is impressive; it handles increasing workloads and more vendors easily. I found that its scalable third-party risk assessment operating model is not merely a scorecard dashboard but a comprehensive assessment tool.
How are customer service and support?
The customer support for Bitsight is responsive and helpful.
I would rate Bitsight's customer support a nine on a scale of one to ten.
Nine is my rating for Bitsight's customer support.
Which solution did I use previously and why did I switch?
I did not use any other solution before Bitsight, although I can mention that I conducted POCs with two solutions, SecurityScorecard and RiskRecon , before choosing Bitsight.
What was our ROI?
I see a return on investment with Bitsight clearly, as it becomes evident when I monitor hundreds or even thousands of vendors and replace traditional assessments with continuous monitoring. The ROI appears due to the reduction in manual risk efforts, as I have continuous monitoring instead of periodic assessments, with visibility into third-party cyber posture. Specific examples include a percentage reduction in manual vendor reviews, leading to substantial time savings during onboarding.
What's my experience with pricing, setup cost, and licensing?
My experience with Bitsight's pricing, setup cost, and licensing reflects strong enterprise acceptance; I did not opt for only a one-year annuity-based contract but a multi-year one that was based on the number of IPs, providing great discounts.
Which other solutions did I evaluate?
I evaluated SecurityScorecard and RiskRecon before deciding on Bitsight.
What other advice do I have?
I think I have mentioned the features comprehensively. I do not think anything else is left unsaid; I talked about continuous monitoring, benchmarking, dashboards, and attack surface visibility, along with security ratings and security scores.
My advice for others considering Bitsight is that for enterprises with a sizable third-party ecosystem, it is valuable for continuous cyber risk monitoring and understanding external posture, providing visibility. It should be part of a broader third-party risk assessment strategy, aiding decision-making, especially for organizations managing numerous vendors and supply chains with significant dependency. I recommend Bitsight for continuous monitoring of cyber risk at scale, as its value increases significantly with vendor complexity and organizational maturity.
I believe I have mentioned the necessary improvements comprehensively, which include better explainability of scores, contextual prioritization using AI, reduced false positives, and more predictive risk analysis. My overall rating for Bitsight is eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Computer Software
Finds Public-Facing Security Flaws and Clearly Shows How to Fix Them
Reviewed on May 06, 2026
Review provided by G2
What do you like best about the product?
It finds our public facing security flaws, gives as much info as it has on each finding, and exactly how to fix it.
What do you dislike about the product?
Almost nothing to dislike. The free offering is more than fair but to really use it, it'll cost you.
What problems is the product solving and how is that benefiting you?
Improves our cybersecurity position, helps our public image regarding the integrity of the company, and help the company prepare for security auditing required for certified compliance.
Aditya Vikram Raj
Monitoring external exposure has improved risk scores and supports stronger cyber insurance outcomes
Reviewed on Apr 04, 2026
Review provided by PeerSpot
What is our primary use case?
I was primarily using Bitsight for attack surface monitoring and external attack surface monitoring use case.
I was monitoring all the alerts and the risk score that Bitsight provides. We mainly focused on improving the risk score for a particular organization for which we were using this in an MSSP setup. We were monitoring different scenarios and different alerts that Bitsight was throwing in, such as open ports cases, missing web application headers, and missing web application security headers. We then communicated this to our customer to get those particular things remediated so the risk score could improve over the portal.
What is most valuable?
The user interface and the area that Bitsight covers for attack surface monitoring use cases are excellent features. Bitsight's coverage ranges from open ports to web application security headers and web application headers, which in my opinion are the best features Bitsight offers. Bitsight also covers multiple other scenarios, including email headers, DMARC, and DKIM. Additionally, Bitsight scans for vulnerabilities across the system.
We were able to remediate a lot of positive alerts and our risk score improved on their platform, which further helped us to drive better results in terms of cyber insurance. Cyber insurance providers look for attack surface monitored scores quite seriously, and if your score is good, you are very well covered from an insurance point of view.
What needs improvement?
There was one case scenario where a lot of parked domains were observed for a particular organization that we were monitoring via Bitsight. Bitsight flagged a missing web application header although no exact web applications or web application had been hosted on that particular domain, and it had been in a parked state. We had a discussion with Bitsight team, and their concern was that although no web application was being hosted on that particular domain, it could still be exploited by threat groups. They provided examples in which those domains had already been leveraged by threat groups to emulate ransomware attacks.
From their point of view, Bitsight continues to flag those particular domains in their platform under the missing web application headers criteria. Since if the number of findings increases for a particular month, your overall risk score decreases, which can become a challenge for a team working on this particular issue. Bitsight could work on this use case scenario where they could either exclude or include findings, or create a separate criteria which would not affect the score. When delivering reports to a CISO, CTO, or CIO level, the score is one of the things that gets focused on first. My suggestion is that Bitsight might consider whether findings from parked domains where no web application is being hosted really need to be included in the mainstream findings. Bitsight could create a separate tab or criteria where they could inform customers about these findings without directly including them in the total number of findings. If the total number of findings increases for a particular month, that will impact the overall score, which becomes a challenge for a team working on this field and they have to explain why the score has dropped and whether remediations were not completed the previous month. This is an area that could be improved.
For how long have I used the solution?
I used this particular platform for more than one year in my last role at PwC.
What do I think about the stability of the solution?
Bitsight is quite stable in my experience without any downtime or reliability issues.
What do I think about the scalability of the solution?
Bitsight handles growth and increased workload well when it comes to scalability.
How are customer service and support?
Customer support seems fine to me, and I have interacted with them.
Which solution did I use previously and why did I switch?
Bitsight was my first external attack surface monitoring tool that I used, as I did not previously use a different solution before Bitsight.
What other advice do I have?
If you are exactly looking for external attack surface monitoring, and you are exploring options, then Bitsight is a very good option that you can explore. I have not worked upon any other solutions, but as far as Bitsight is concerned, it gives flexibility in choosing third-party vendor risk agreements and licenses, or a first-party point of view. You can publish your own score as well in case you have any concerns. That flexibility particularly depends upon the license and agreement that you have, whether you are using it from a first-party perspective or a third-party perspective. Bitsight provides this flexibility. I would rate this review an overall rating of eight.
Transportation/Trucking/Railroad
High Cost, Low Signal: More Noise Than Intelligence
Reviewed on Feb 10, 2026
Review provided by G2
What do you like best about the product?
The marketing and positioning are polished. On the surface, Bitsight Threat Intelligence (formerly Cybersixgill) appears to offer broad dark web coverage and an impressive volume of data sources. The promise of automated threat discovery across forums, marketplaces, and paste sites is appealing, especially for teams that lack in-house collection capabilities.
Unfortunately, that promise rarely translates into day-to-day value.
Unfortunately, that promise rarely translates into day-to-day value.
What do you dislike about the product?
The biggest issue is signal-to-noise ratio. The platform generates a high volume of alerts and findings, but a significant portion are low-quality, redundant, or irrelevant. Analysts spend far too much time filtering noise instead of responding to actionable threats.
Performance is another major drawback. Searches and dashboards are often slow, which is frustrating for a tool that claims near real-time intelligence. The UI feels dated and clunky, and workflows are not intuitive.
Support and documentation also fall short of expectations for a product at this price point. Documentation is thin, and support responses are not too helpful.
Performance is another major drawback. Searches and dashboards are often slow, which is frustrating for a tool that claims near real-time intelligence. The UI feels dated and clunky, and workflows are not intuitive.
Support and documentation also fall short of expectations for a product at this price point. Documentation is thin, and support responses are not too helpful.
What problems is the product solving and how is that benefiting you?
In theory, it is meant to solve early detection of credential leaks, brand abuse, and underground chatter before issues escalate. In practice, the benefit is limited because the data requires extensive manual triage to determine what actually matters.
Instead of accelerating response, it often adds operational overhead. The tool identifies “things that exist on the internet,” but stops short of consistently answering the more important question: what requires action right now?
Instead of accelerating response, it often adds operational overhead. The tool identifies “things that exist on the internet,” but stops short of consistently answering the more important question: what requires action right now?
Information Technology and Services
Good Attack Surface Monitoring and Risk management
Reviewed on Jan 07, 2026
Review provided by G2
What do you like best about the product?
Attack surface monitoring, security ratings and descriptive analysis.
What do you dislike about the product?
Mitigating the risks in time to improve the score.
What problems is the product solving and how is that benefiting you?
It is helping to identify the risks with open ports, risk vendors and thus helps us to mitigate the risks and improve security rating.