CyberRisk Release Notes

March 19 2020

  • We’ve launched a new “Risk Assessment” feature: This allows you to capture the results of risk assessments you conduct on your vendors. This feature is currently available on request. If you are interested in trying it out, please contact our support team. It allows you to:
    • Specify the evidence you reviewed as part of the assessment (including questionnaires and automated scan results)
    • Document your findings based on this evidence
    • Record who conducted the assessment
    • Export the assessment as a PDF
    • Make the assessment visible within the app to all the users of your account.
  • Pandemic questionnaires: We have added two questionnaires (with varying levels of detail) to help you assess your vendors’ readiness to deal with the current pandemic.
  • Improved PDF report generation: When you export information to a PDF it will now appear in a new left-hand menu item called “Reports”. This change also fixes a bug where generating reports for large vendors would sometimes time out.
  • We’ve added an API that returns information about your company’s Identity Breaches
  • We’ve made it easier to tell which domains and IPs you’ve added manually to your BreachSight view
  • Quite a few bug fixes and minor tweaks

February 19 2020

  • New Vendor Summary: When you look up a vendor, the first page you see is now a new Vendor Summary. This provides a management-level view of the vendor, and can also be exported as a PDF.
  • Enhanced Risk Profile: We’ve made a number of improvements to the Risk Profile page, including the ability to filter by risk category (e.g. website risks, email risks, etc.)
  • Websites & APIs is now called Domains and IPs
  • Greatly enhanced port scanning: We now explicitly check for nearly 200 services running across thousands of ports. We also report any services that we can’t identify, and any open ports where no services are detected.
  • We’ve made some changes to our scoring algorithm:
    • Updated email security checks: this includes a new check for the DMARC policy (which fails if p=none). For information on email security, see
    • Improved checking for open ports/services: As part of enhancing our port scanning capability, we have reviewed and updated the severity of risks associated with open ports / services.
    • The HSTS checks now include a check against the Chromium preload list. If a domain is on the preload list, all HSTS checks pass for that domain and all its subdomains
    • Updated domain status checks for .au domains: We no longer check for clientTransferProhibited or serverRenewProhibited on .au domains, as they are not applicable
  • Changes to open ports can now be reflected in CyberRisk sooner, by pressing the “RESCAN” button. When a port is closed, manually requesting a rescan of the website will now detect the change to the port sooner (usually within a day).
  • WHOIS lookup within Typosquatting: When you view a registered permutation of a domain you are monitoring for typosquatting, you can now see that permutation’s WHOIS information
  • New Questionnaires: We have added questionnaires for PCI DSS, CCPA, and Modern Slavery.
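
A sketch of the DMARC policy check mentioned in the scoring changes above (the check fails if p=none), as an added example; it is not UpGuard's implementation. The function names, failure reasons and sample records are constructed for illustration, and treating a missing or duplicated record as a failure is an assumption based on RFC 7489 rather than something these notes state.

```python
"""Added example: evaluate the TXT records found at _dmarc.<domain>."""

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict, or return None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    # RFC 7489: the record must start with v=DMARC1 (the value is case-sensitive).
    name, _, value = parts[0].partition("=")
    if name.strip().lower() != "v" or value.strip() != "DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_policy_check(txt_records):
    """Return (passed, reason) for the TXT strings published at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return False, "no DMARC record published"
    if len(records) > 1:
        # RFC 7489 section 6.6.3: with several records, no policy is applied.
        return False, "multiple DMARC records"
    policy = records[0].get("p", "").lower()
    if policy not in VALID_POLICIES:
        return False, "missing or invalid p= tag"
    if policy == "none":
        return False, "p=none only monitors; failing mail is still delivered"
    return True, "p=" + policy

# Constructed sample data (hypothetical domains), not real DNS answers.
SAMPLES = {
    "enforcing.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example"],
    "monitoring.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"],
    "unrelated-txt.example": ["v=spf1 -all"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=quarantine"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        passed, reason = dmarc_policy_check(txt)
        print(f"{domain}: {'PASS' if passed else 'FAIL'} ({reason})")
```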

January 22 2020

  • Export Vulnerabilities: You can now export the list of vulnerabilities
  • Better domain discovery: We’ve made further improvements to our domain discovery engine, which results in more domains and subdomains being discovered.
  • Various usability tweaks and bug fixes

December 23 2019

  • NIST Cybersecurity Framework (CSF) Questionnaire: We have released a new questionnaire that is mapped to NIST CSF. To use this questionnaire, you'll first need to enable it from the "Questionnaire Library" section of Vendor Risk. When one of your vendors completes a questionnaire, any risks identified will be mapped to the corresponding CSF control categories. 


December 11 2019

  • Share your security profile: Make it easier for other companies to assess your cybersecurity posture by proactively publishing security-related information including questionnaire responses and other security documents. Control who has access to these documents, and see who has viewed them. Invite companies to view your Shared Profile when they are assessing you, and spend less time completing security questionnaires. See for more information, or contact UpGuard Support to enable your Shared Profile.
  • Export questionnaires: Download completed questionnaires as PDFs.
  • Questionnaire workflow improvements: When you receive a completed questionnaire, mark it as “in review” to keep track of who in your team is reviewing which questionnaire response.
  • API enhancements: Data leaks are now available through the API. See the API documentation for more details.
  • Various bug fixes


November 11 2019

  • Executive Summary Report: We’ve created a new report to provide a summary of your own cybersecurity posture, and that of your vendors. We’ll be activating it for existing customers over the next week or so.  As part of this change you’ll notice the “Dashboard” page has been replaced with two new pages - the "Executive Summary", and a dedicated “Notifications” page.  See for more details.
  • Enhanced file upload feature for questionnaires: When providing evidence as part of responding to a security questionnaire, you can now point to a file that you've already uploaded. This allows the same file to be referenced as evidence for multiple questions without having to upload multiple copies of it.
  • Various bug fixes, including some display issues related to the Microsoft Edge browser.

October 16 2019

  • You can now receive notifications when your company's score drops below a certain threshold, or by a certain number of points. To opt in and out of these notifications, use the "manage notifications" link on the dashboard page. To customise the set of notifications available to users in your account, go to Account Settings -> Notifications (admin users only).
  • The Insecure SSL/TLS Versions check now fails for TLSv1.1, in addition to SSLv2, SSLv3, and TLSv1.0. See RFC 7525 for more detail on why TLSv1.1 should be disabled.
  • We fixed a bug where for some websites we would incorrectly report old versions of TLS as being available.
  • We improved the way we display vendors whose primary domain does not have a website running on it.

September 18 2019

  • WordPress scanning: Whenever we detect that a site uses WordPress, we now run a series of additional security checks. These checks identify configuration problems that leave WordPress sites vulnerable to attack.
  • Supply Chain Concentration Risk (beta):  We have launched a beta of a new feature which highlights where companies in your supply chain (e.g. your vendors) rely on common underlying technology (e.g. hosting providers, email providers).  Contact UpGuard Support if you would like early access to this feature. 
  • The character limit for messages you include when sending questionnaires has been increased from 300 to 1000
  • Various bug fixes

September 3 2019

  • We’ve improved the way we display your list of vendors and instant reports.
  • You can now search for vendors by URL as well as name
  • We’ve improved the way questionnaires are displayed, including making it easier to view the risks, and improving the question numbering
  • We've changed the algorithm for scoring questionnaires to improve the way unanswered questions are weighted.
  • We’ve improved the way “Assurance” customers view their customer portfolio

August 7 2019

  • You can now add custom labels to your websites in BreachSight, just like the labels you can already add to your vendors in VendorRisk. You can then use labels to filter websites on all pages where your websites are shown.
  • UpGuard has now been added as one of your monitored vendors in VendorRisk, if you were not monitoring the UpGuard vendor already. This will not count towards the available monitored vendor slots in your account. If you are not using VendorRisk already, you will now be able to access it, with UpGuard as your only monitored vendor.
  • We've improved our risk model for redirect domains. These are domains that redirect users to a different domain, and do not themselves host a website. Before this change, if redirected to, some of the risks that we scan for were only being identified on, and was not being checked for all possible risks. With this change, all risks applicable to will now be correctly identified. The most significant new risks that you may start seeing on redirect domains are related to HTTPS support and SSL certificate issues. You may notice some fluctuations in website scores as this change is rolled out, but the end result will be a more accurate reflection of the risks associated with these domains.
  • It's now easier to manage your Cyber Risk API keys from your account Settings page. You can have multiple active API keys, and specific keys can be deleted. This allows API keys to be rotated more easily, when required.
  • Various bug fixes.
  • You will now be notified on your Cyber Risk dashboard when we release new features in future. Keep an eye out for the notification.

July 23 2019

  • You can now add "private" notes to questionnaires and remediation requests. These are visible to users of your account, but not to the recipients of the questionnaire or remediation request.
  • We've improved how we present your own score. When we display your own company's score to you, we can draw on public information (such as the configuration of your websites) as well as private information (such as which vendors you have marked as "in use"). This lets us provide the most complete view of your security posture. When someone else (another CyberRisk customer) looks up your company however, we report your score based only on the publicly available information. This has caused some confusion, and to address this, we've changed the way you see your own score on your "Risk Profile" page. You can now choose to either see your "public" score, or also factor in the private data you have provided.
  • When you manually request a scan for a given website, we are now rescanning for open ports on that website more quickly. At times it may still take a while for refreshed port scan data to flow through, but it should often appear within 10 minutes or so. Note that when ports change from "open" to "filtered" (as opposed to "closed"), it will still take up to 30 days for changes to flow through.
  • When you manually request a scan for a given website, and the scan fails (for instance, if the website is no longer running) we now report the failure, as well as how many times it's failed previously, and when the website will be removed (after 4 consecutive failures).
  • You can now request remediation or create a risk waiver from the Risk Profile page, or while looking at the details of a specific website.
  • We fixed a problem with vulnerabilities where some websites that use shared IP addresses would have vulnerabilities incorrectly assigned to them.
  • We've made a number of UI improvements and bug fixes

July 9 2019

  • We now allow vendors to be filtered by a score range, and use this to provide a clickthrough from the vendor breakdown on the dashboard.
  • We have extended vendor filtering to cover the contents of the dashboard (including the vendor breakdown) and the remediation list.
  • We have created a questionnaire library, allowing account admins to easily configure which questionnaire types are able to be selected and sent by their users.
    It also allows non-admin users to browse and preview those questionnaire types that have been selected for the account.
  • Various bug fixes

June 26 2019

  • The Data Leaks workflow has been simplified. Now there are only 3 states for a Data Leak - Disclosed, Acknowledged, and Closed. The Closed status still includes the reason for closure (Fixed, Not a Risk, or Risk Accepted), and can be verified by an UpGuard analyst as an additional final step.
  • The Documents list on the Questionnaire Details page now includes all documents relevant to the questionnaire, and whether they have been included or not. This allows users to easily see which documents have been uploaded and which have been omitted.
  • Users can now include a message when requesting remediation, which will be visible to the recipient.
  • Users must now include a "justification" when creating a risk waiver which will be visible to the approver, if one exists. If there is a separate approver, their justification will be shown separately.
  • Score history (up to a year if the data is available) is now enabled by default for all accounts.
  • There is a new action in the Actions dropdown to "Send a message" available on the Questionnaire Details screen. This prompts the user to enter a message in the Correspondence section.
  • Admin users can now remove themselves from an account, as long as there is at least one other admin user on the account.
  • Various bug fixes and cross-browser improvements.

June 12 2019

We have added several major new features to the CyberRisk platform:

  • Risk Waivers: Use risk waivers to accept risks and hide them from your risk profile. This is especially useful when you have compensating controls in place which you believe mitigate the risk. Currently risk waivers can be applied to risks identified with your own Internet-facing assets (your own “Web Risks” identified in BreachSight). See for more information.
  • Enhanced Vulnerabilities Detection: We have improved the way we detect vulnerabilities, both with your own web assets (in BreachSight), and those of your vendors (in VendorRisk). We also explicitly check for the recently discovered BlueKeep vulnerability. See for more information.
  • Typosquatting Detection: We have launched a new module to help you manage your typosquatting-related cyber risk. You can choose which domains you want to monitor, and then review and monitor the registered and unregistered permutations of these domains for suspicious activity. Contact UpGuard Support to arrange access, or see for more information.

We have made a few other changes too:

  • When viewing a list of websites (“Web Risks”), you can now view as a tree to make it easier to navigate subdomains
  • Various bug fixes

April 17 2019

We have just released a new version of CyberRisk, which brings several minor enhancements and a number of bug fixes:

  • Attachments are now supported in-line within questionnaires, rather than all being at the end of a questionnaire. This makes it easier to correlate specific questions with evidence (documents).
  • When you start monitoring a vendor, you can now apply custom labels (as well as the built-in labels).
  • In VendorRisk, you can now see the date that your allocation of Instant Reports rolls over.
  • Various bug fixes

April 5 2019

  • Integrations: CyberRisk now enables you to call out to external Webhooks when notifications (events) are generated. For instance, you may want to send a message to one of your internal systems whenever a new data leak is detected. For instructions on how to set up integrations see
  • VendorRisk - view unanswered questions: When viewing the details of a questionnaire there is now a panel which shows which questions have not been answered.
  • VendorRisk - Disable “Questionnaire Marked as Complete” emails to vendors: When you mark a questionnaire as “Complete”, CyberRisk previously sent an email back to the recipients of that questionnaire, telling them you have marked it as complete. The purpose of this was to give your vendor feedback that you are satisfied with their response, and have completed the review process. Based on user feedback, this email no longer gets sent unless you explicitly activate it. This is done (by an account admin) in the “Questionnaires” tab of the “Account Settings”.
  • Various bug fixes