Public Security Positioning
5 automated security scanners
Customer Security Assurance
Purpose: This scanner analyzes customer security assurances on a company’s website to assess its public security positioning. It identifies and categorizes various claims of security measures, evaluates their credibility against legal agreements and testimonials, and determines the overall risk level based on detected issues.
What It Detects:
- Customer security assurances are identified and categorized into absolute claims, guarantee language, impossibility claims, and marketing hyperbole.
- The sources of these assurances are tracked to assess their authenticity.
- Compliance with terms of service regarding security promises is checked for contradictions.
- Testimonials about security measures are scrutinized for verification and authenticity.
- Potential vulnerabilities in the public security posture are flagged based on detection logic, including impossibility claims, legal inconsistencies, and unverified testimonials.
Inputs Required:
- domain: The web address of the company’s website to be scanned.
- company_name: The official name or identifier of the company whose security assurances are being evaluated.
Business Impact: Evaluating customer security assurances is crucial for maintaining trust and transparency with users, especially in sectors where data integrity and privacy are paramount. Misleading claims can lead to legal repercussions and damage corporate reputation.
Risk Levels:
- Critical: Impossibility claims that contradict technical feasibility or existing contractual obligations without prior liability acceptance.
- High: Multiple absolute security claims or contradictions between promises on the site and terms of service regarding no warranty clauses.
- Medium: Single instances of marketing hyperbole in security assurances without clear verification through testimonials or legal context.
- Low: Minimal unverified security testimonials that do not directly contradict contractual obligations.
- Info: Informational findings about non-contradictory, verified security claims and compliance with terms of service regarding no warranty clauses.
Example Findings:
- A company boasts “impossible” security measures without acknowledging relevant legal agreements or prior liability for such claims.
- The site promises strong security features but contradicts these in the terms of service stating there are no warranties, leading to potential user confusion and trust issues.
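One way to implement the claim categorization and the risk ladder described above, as an added example that is not the scanner's own code; the phrase patterns for each category are assumptions, since the page names the categories but not the phrases they match:

```python
import re
from dataclasses import dataclass

# Illustrative phrase patterns for the four categories named on the page; the real
# scanner's phrase lists are not published, so these regexes are assumptions.
CATEGORY_PATTERNS = {
    "impossibility": re.compile(r"\b(?:unhackable|impossible to (?:breach|hack)|cannot be (?:breached|hacked))\b", re.IGNORECASE),
    "absolute": re.compile(r"\b(?:100% secure|completely secure|fully secure|never (?:be )?breached)\b", re.IGNORECASE),
    "guarantee": re.compile(r"\bguarantee[sd]?\b", re.IGNORECASE),
    "hyperbole": re.compile(r"\b(?:military[- ]grade|bank[- ]level|world'?s most secure)\b", re.IGNORECASE),
}

@dataclass
class Claim:
    source: str     # where on the site the sentence was found (tracked for authenticity)
    text: str
    category: str

def classify_claims(statements):
    """Tag each (source, sentence) pair with the first category whose pattern matches."""
    claims = []
    for source, text in statements:
        for category, pattern in CATEGORY_PATTERNS.items():
            if pattern.search(text):
                claims.append(Claim(source, text, category))
                break  # one category per sentence, most severe checked first
    return claims

def risk_level(claims, tos_no_warranty, liability_accepted, unverified_testimonials):
    """Walk the page's risk ladder from Critical down and return the first rule that fires."""
    cats = [c.category for c in claims]
    if "impossibility" in cats and not liability_accepted:
        return "Critical"
    if cats.count("absolute") > 1:
        return "High"
    if tos_no_warranty and any(c in cats for c in ("absolute", "guarantee")):
        return "High"  # promise on the site contradicts a no-warranty clause in the ToS
    if "hyperbole" in cats:
        return "Medium"
    if unverified_testimonials > 0:
        return "Low"
    return "Info"

SAMPLE_STATEMENTS = [  # constructed sample sentences, not scraped from any real site
    ("/", "Our platform is unhackable and your data is 100% secure."),
    ("/security", "We guarantee complete protection with military-grade encryption."),
    ("/customers", "Since switching we have felt completely secure."),
]
```

Checking categories in severity order means a sentence that is both an impossibility claim and marketing hyperbole is counted once, at its most severe category.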
Comparative Security Positioning
Purpose: This scanner analyzes comparative security positioning for a given domain and company by detecting and evaluating various claims made about their security measures. It identifies strengths and weaknesses in public statements regarding security, assesses the credibility of these claims through evidence analysis, and evaluates the competitive stance taken in promotional materials.
What It Detects:
- Comparative claims that are explicitly stated as superior to competitors.
- Implicit comparisons without clear methodology or rationale for superiority.
- Claims of industry leadership with insufficient third-party validation.
- Use of negative positioning tactics (Fear, Uncertainty, and Doubt) to discredit competitors.
- Comparisons lacking any disclosed methodology or supporting evidence.
- A high ratio of undated claims relative to those providing context or date.
- Outdated competitive data that may no longer reflect current market conditions.
Inputs Required:
- domain: The target domain for the security assessment.
- company_name: The name of the company whose public security positioning is being evaluated.
Business Impact: Evaluating the accuracy and integrity of public statements about a company’s security measures is crucial for stakeholders, including investors, customers, and regulatory bodies. Misleading or false claims can lead to misinformed decisions that may negatively impact business relationships, financial performance, and reputation.
Risk Levels:
- Critical: The scanner identifies multiple instances where the company has made unsupported comparative claims about its security offerings without any supporting evidence. This could indicate a significant risk of misleading stakeholders and potential legal implications.
- High: The company’s public statements include implicit comparisons that lack clear methodology or rationale for superiority, which may be used to obscure weaknesses in their security practices. Additionally, repeated use of negative positioning tactics without adequate rebuttals from the company can significantly impact its reputation.
- Medium: Some comparative claims are not accompanied by any evidence or methodological support, and there is a notable number of undated claims that lack context. However, these issues do not pose an immediate critical risk but should be addressed for long-term credibility and market standing.
- Low: The company’s public statements generally adhere to accepted practices in corporate communications without egregious flaws or unsupported assertions. There are minimal instances of outdated competitive data and no significant use of fear tactics against competitors.
- Info: Occasional instances where comparative claims could benefit from additional context or methodological rigor, but these do not significantly impact the overall security narrative or decision-making processes for stakeholders.
Example Findings:
- Acme Corporation frequently makes claims about its market leadership in cybersecurity solutions without providing third-party benchmarks or certifications to substantiate these assertions. This practice could lead to investor uncertainty and regulatory scrutiny if challenged.
- During a review of competitor data, it was noted that the company’s public statements include outdated information about competitors’ vulnerabilities that are no longer considered significant market threats due to technological advancements in their security infrastructure.
Technology Absence Claims
Purpose: This scanner analyzes technology absence claims made by a company and identifies if there are any contradictions in these claims based on publicly available information about the company’s website, including privacy policies and third-party service usage.
What It Detects:
- Identifies public statements or marketing materials that claim the company does not use certain technologies (e.g., cookies, tracking scripts).
- Searches for evidence of these claims in the company’s official website content, including privacy policies and terms of service.
- Checks if there are any contradictions between the technology absence claims and actual practices observed on the company’s website or inferred from third-party usage.
Inputs Required:
- Domain: The target domain name (e.g., “acme.com”) for which to analyze technology absence claims.
- Company Name: The official name of the company associated with the domain, used in reporting results and contextualizing findings.
Business Impact: This scanner is crucial as it helps assess the transparency and honesty of a company regarding its data handling practices. Misleading or false claims about technology absence can indicate potential privacy violations or deceptive marketing practices that could affect consumer trust and legal liabilities.
Risk Levels:
- Critical: If there are direct contradictions between public statements and actual website practices, indicating significant dishonesty in technology usage disclosures.
- High: If multiple instances of unverifiable claims are found without clear evidence to support them, suggesting a pattern of deceptive marketing.
- Medium: If isolated instances of unverified claims exist but are not contradicted by concrete evidence on the company’s website.
- Low: If there are no apparent contradictions and all claims can be verified through public information sources.
- Info: For findings that do not directly impact security or trustworthiness but provide informational value about data handling practices.
Example Findings:
- Acme Corporation publicly states it does not use cookies on its website, but the site’s HTTP responses set persistent cookies used for essential site functionalities. This indicates a clear contradiction and suggests potential misrepresentation in public claims.
- A company falsely claims to have no third-party service integrations despite extensive usage of analytics tools that track user behavior across multiple domains. This not only contradicts stated policies but also breaches trust with users regarding data handling practices.
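The cookie contradiction from the first example finding above, as an added check that is not the scanner's own code: it matches a "no cookies" statement, parses each Set-Cookie header the site returned, and reports whether each cookie is persistent (Max-Age or Expires set). The claim regex and the sample headers are constructed for this illustration.

```python
import re

# Illustrative pattern for a technology-absence claim about cookies (an assumption,
# not the scanner's published rule).
NO_COOKIE_CLAIM = re.compile(r"\b(?:do(?:es)? not|don'?t|never) (?:use|set) (?:any )?cookies\b", re.IGNORECASE)

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, {attribute: value}) with lower-cased attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")  # flag attributes (HttpOnly, Secure) get an empty value
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def is_persistent(attrs):
    """A cookie outlives the browser session when Max-Age > 0 or an Expires date is present.
    Per RFC 6265, Max-Age takes precedence over Expires; Max-Age <= 0 is a deletion, not persistence."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    return "expires" in attrs

def check_no_cookie_claim(claim_text, set_cookie_headers):
    """Return a finding: whether a no-cookie claim was detected, the cookies observed, and whether they contradict it."""
    if not NO_COOKIE_CLAIM.search(claim_text):
        return {"claim_detected": False, "contradiction": False, "cookies": []}
    observed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        observed.append({"name": name, "persistent": is_persistent(attrs)})
    # Any Set-Cookie at all contradicts "we do not use cookies"; the persistent flag
    # records the stronger evidence the page's example finding describes.
    return {"claim_detected": True, "contradiction": bool(observed), "cookies": observed}

SAMPLE_CLAIM = "We respect your privacy: this site does not use cookies."  # constructed
SAMPLE_SET_COOKIE = [  # constructed header values, not captured from any real site
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; Max-Age=31536000; Path=/; SameSite=Lax",
    "tracker=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
]
```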
Security Certification Promotion
Purpose: This scanner analyzes public security certification promotions for a given domain and company to identify potential risks associated with misrepresented or insufficiently disclosed security certifications. It evaluates the credibility of claims made about compliance with various standards, checks for misleading language in promotion materials, and assesses the transparency provided regarding legal entity affiliations.
What It Detects:
- Misrepresentation of Compliance: The scanner identifies when promotions claim that a company is compliant with specific security standards or certifications but does not provide clear evidence to support these claims.
- Undated Certifications: Promotions that do not specify the date of certification, which could indicate outdated information or lack of transparency regarding the current status of compliance.
- Scope Discrepancies: When promotions claim a broader scope of security certifications than what is actually documented or disclosed.
- Legal Entity Specification: The scanner checks whether the legal entity associated with the claimed certifications is clearly specified in promotional materials, which is crucial for understanding the extent and applicability of any claims made about compliance.
Inputs Required:
- Domain: The target website’s domain to be analyzed.
- Company Name: The name of the company whose security certification promotions are being evaluated.
Business Impact: Evaluating the authenticity and transparency of public security certifications is crucial for maintaining trust in digital interactions, especially when dealing with sensitive information or operating critical infrastructure services. Misleading claims about compliance can lead to legal liabilities, regulatory sanctions, and loss of consumer confidence.
Risk Levels:
- Critical: Promotions that claim multiple high-level certifications but lack specific dates or detailed scope disclosures.
- High: Claims of compliance with a single significant standard without supporting evidence or clear specification of the certified legal entity.
- Medium: Unclear or ambiguous statements about compliance, especially when accompanied by suggestive language implying broader reach than supported by available documentation.
- Low: Well-supported and clearly dated claims that accurately reflect current status within the bounds of disclosed scope.
- Info: Informal mentions without specific details that do not directly impact trust but could benefit from clarification or more detailed disclosure.
Example Findings:
- A company claiming to be PCI DSS compliant based on a single outdated certification might appear misleading if no other certifications are specified, and the date of the claimed compliance is unclear.
- An entity that falsely claims ISO 27001 certification without specifying which part of the organization or any subsidiary entities is certified could lead to significant legal risks due to potential misrepresentation.
Security Award Amplification
Purpose: This scanner analyzes and detects potential amplification of security awards on a company’s public website. It aims to identify whether the company is exaggerating its achievements by mentioning specific awards that may not be directly associated with credible sources or could be misleading in terms of showcasing credibility.
What It Detects:
- Vague Award Claims: The scanner identifies instances where a company claims awards without specifying from which organizations these awards are granted, making it difficult to verify the legitimacy of such claims.
- Credibility Issues: It detects if the mentioned award sources or organizations are not recognized as credible in the cybersecurity industry. This includes checking for mentions of non-existent or obscure organizations that might be used solely to inflate a company’s security portfolio.
- Suspicious Indicators: The scanner flags any indications of potential pay-to-play scenarios where companies mention awards from entities with which they have a financial relationship, potentially misleading stakeholders about the true nature of such endorsements.
Inputs Required:
- Domain: The target website’s domain name (e.g., “acme.com”).
- Company Name: The legal name or trading name of the company associated with the domain (e.g., “Acme Corporation”).
Business Impact: This detection is crucial as it helps in assessing the integrity and transparency of a company’s public statements about its security achievements. Misleading claims can lead to misinformed stakeholders, potentially affecting trust and credibility negatively. It also impacts decision-making processes for potential collaborations or investments based on false or exaggerated representations.
Risk Levels:
- Critical: The scanner flags critical issues if the detected amplification is found to be directly linked to unethical practices such as pay-to-play arrangements, where a company mentions awards from entities with which it has a financial relationship solely for the purpose of misleading stakeholders about its security standing.
- High: If the detection reveals significant vagueness in award claims and issues related to credibility without direct evidence of unethical conduct, this is considered a high risk level due to potential manipulation of public perception regarding the company’s cybersecurity posture.
- Medium: Medium risk levels are assigned when there is a moderate presence of vague or suspicious indicators that do not necessarily point towards unethical practices but still suggest some degree of misrepresentation in terms of security awards and their sources.
- Low: Low risk levels are given if the detection reveals minimal issues with award claims, indicating a generally transparent and ethical approach to public statements about cybersecurity achievements.
- Info: Informational findings are flagged for minor discrepancies that do not significantly impact the overall assessment but still warrant attention for further review and context clarification.
Example Findings:
- A company falsely claims to have won awards from top cybersecurity magazines like “SC Magazine” without providing concrete evidence of such recognition, which could be seen as an attempt to inflate its security credibility.
- The detection flags a suspicious pattern where multiple companies mention the same obscure organization for awarding them prestigious prizes in cybersecurity, raising concerns about potential financial inducements or misleading practices aimed at enhancing their public image in this sector.