Glossary
The terms behind the numbers.
Plain-English definitions of the 12 indices across three layers, the two headline composites (CXI and MPI), and the methodology, source, and compliance terms they rest on. For the full formulas, see the methodology.
Indices
- Cyber Exposure IndexCXI#
- The exposure-layer headline: a 0–100 composite (higher is worse; bands Low / Elevated / High / Critical) that client-weights the five exposure indices — CES, IMI, RPS, BLV, BIR — into one board-level number. No collection of its own. Data-gapped inputs are excluded and the weights re-balance; the uncertainty band is propagated from its components, so it never reads tighter than its inputs. One of the two headline scores, alongside MPI.
- Market Position IndexMPI#
- The market-layer headline: a 0–100 composite (higher is better; bands Weak / Moderate / Strong / Dominant) that weights the four market indices — WTI, SVI, BZV, SRS — into one board-level number answering "how are we doing vs. the market?" Brand/market-aggregate only, never individual-person profiling. The competitive indices (SOV, CTB, FLR) are reported beside it, never folded in. The second of the two headline scores, alongside CXI.
- Credential Exposure ScoreCES#
- Credentials tied to a domain — infostealer infections (Hudson Rock) and breach-tied addresses (optional HIBP) — severity-weighted (active stealer sessions outrank old breach entries). The leading account-takeover precursor; the exposure index behind the free teaser.
- IAB Mention IndexIMI#
- Frequency and pricing of initial-access-broker listings referencing a client across public and low-cost sources (Intelligence X, public Telegram previews, OTX pulses), plus manually-corroborated mentions. A near-term, imminent-access signal — brokered access is often the step before a ransomware affiliate buys in. Best-effort and public-only today; likely undercounts.
- Ransomware Proximity ScoreRPS#
- Exposure to active ransomware crews from externally-observable signals: exposed known-exploited CVEs (CISA KEV), EPSS-weighted exploit probability, ransomware-family activity, sector victim-similarity, and infrastructure reputation. The dominant cyber-insurance loss driver, quantified without touching the operators.
- Web Traffic & GrowthWTI#
- Traffic strength and growth from public domain-rank data (Tranco; licensed visit estimates optional). A market-layer index feeding MPI — higher is stronger. An unranked domain is a data gap, never scored as zero traffic.
- Search & SEO VisibilitySVI#
- Search interest and lookup demand across public signals (Google Trends + Wikipedia pageviews), blended so one flaky source can't zero the index. A market-layer index feeding MPI — the warming or cooling of the top of the funnel.
- Buzz VolumeBZV#
- Trailing-window public mention volume across news, social, and forum sources (GDELT, plus Reddit when keyed). A market-layer index feeding MPI that doubles as incident early-warning — a spike is either a campaign or a problem. The query is always disambiguated, never the bare brand word.
- Sentiment & ReputationSRS#
- Tone of public coverage and mentions, mapped 0–100 around a neutral 50 (media tone + a news-headline sentiment lexicon). A market-layer index feeding MPI — brand health and PR risk, trended. No coverage is a data gap, never a score.
- Share of VoiceSOV#
- The brand's share of the peer set's total public mention volume (same sources as BZV, measured for every named peer). A competitive diagnostic reported beside MPI — who is winning attention in the category — never folded into the composite.
- Competitive Traffic BenchmarkCTB#
- The client's position in the peer traffic leaderboard, from the same public rank data as WTI. A competitive diagnostic reported beside MPI. An unranked client is a data gap, never scored as last place.
- Feature & Launch RadarFLR#
- Competitor moves detected from public sources — homepage/site changes (content-hash diff) and launch/announcement press (GDELT). A competitive diagnostic reported beside MPI: what rivals shipped while you read the report.
- Brand Leak VelocityBLV#
- The rate at which proprietary brand assets, internal documents, and identifiable data appear across public leak channels and paste sites — a velocity, not a count, so an accelerating leak surfaces before the total volume looks alarming.
- Brand Impersonation ReachBIR#
- The audience reach of typosquat domains, mirror sites, and impostor social profiles imitating a client, weighted by estimated traffic — so takedown spend is directed at the impersonations that actually reach people.
Methodology
- Uncertainty band#
- Every index ships with an uncertainty band, not a false-precision point estimate. It is a heuristic width (method heuristic-v1) driven by source coverage and recency — honestly labeled, not a calibrated statistical confidence interval. Thin or stale evidence widens it; for a composite it is propagated from the components, so it never reads tighter than its widest weighted input.
- Data gap (not measured)#
- When every source behind an index is unavailable, the index reports a data gap — "not measured" — and is excluded from its composite, which re-balances over what was measured. A source outage can never read as a low score. A measured zero (a source answered and found nothing) is distinct: it is a real, reported zero, not a gap.
- Peer-cohort benchmark#
- A score compared against a bucket of peers defined by sector × workforce-size band × revenue band. An observed peer percentile is only reported once a bucket reaches N ≥ 5; below that, the score is benchmarked against a documented modeled baseline, labeled as such — a modeled prior is never presented as an observed percentile.
- Time decay (half-life) — roadmap#
- A planned refinement: age-weight signals on a category-specific half-life so a score reflects current rather than historical exposure. Not applied today — the current free sources return timestamp-less aggregate counts, so there is no reliable per-record age to decay. Stated honestly rather than implied.
- Multi-source corroboration#
- A signal confirmed in two or more independent sources scores higher than a single-source claim, and single-source signals are flagged. The core control against acting on a plausible-but-wrong finding.
- Attribution#
- Matching an observed signal to assets a client verifies they own — domains, brands, registered marks — rather than fuzzy name matches. Ambiguous or low-confidence matches are reported separately as candidates, never folded silently into the headline score.
- Methodology version#
- Every index output is anchored to the methodology version it was computed under. Source-list or formula changes require a version bump and client notice, so any historical value can be replayed and audited under the rules in force at the time.
- Evidence package#
- A sealed bundle of the raw observations AND the derived finding behind an index value at a timestamp: SHA-256 content hash, a per-tenant HMAC seal, and an Ed25519 signature verifiable against a published public key — no shared secret required to check it. A buyer (underwriter, M&A team) can replay any number instead of trusting it.
Sources
- Stealer log#
- Output of infostealer malware (RedLine, Lumma, Stealc, Vidar) — captured credentials, cookies, and session data from an infected device. High-severity for CES because an active stealer session can bypass a password reset.
- Combolist#
- A compiled list of email/username + password pairs aggregated from past breaches and circulated publicly. Lower severity than a fresh stealer log, but a volume signal for credential exposure.
- Initial Access BrokerIAB#
- A threat actor who sells footholds into already-compromised organizations to other criminals (often ransomware affiliates). Listings referencing a client feed the IMI.
- Leak site#
- A public site, typically run by a ransomware crew, that names victims and publishes stolen data to pressure payment. A direct input to RPS and BLV. We observe these; we never authenticate to or interact with their operators.
Data & compliance
- Identifier hashing#
- Personal identifiers are SHA-256 hashed with a 90-day rotating salt at the collector boundary, before storage. Only the hash plus observation metadata is persisted. Plaintext dereferencing requires verified domain ownership and a documented lawful basis.
- Lawful basis#
- The legal ground for processing data. Collected signals rely on legitimate interest with minimization at ingest (GDPR Art. 6(1)(f)); first-party form submissions (waitlist, teaser, resource requests) rely on consent and are stored as given, with a deletion endpoint.
- Retention#
- Collected signals are kept for a 13-month default, configurable per data category; first-party leads are retained until a deletion request. A GDPR Art. 17 / CCPA deletion endpoint is live before any production tenant.
Want to see an index on your own domain? Start with a free CES teaser, or read why we're a bureau, not a platform.