When EzyAudit AI completes a scan of your website, it produces two things: a numerical score from 0 to 100, and a letter grade from A to F. Understanding what these mean — and what drives them — helps you prioritise your remediation efforts and track improvement over time.
How the Score Is Calculated
The score starts at 100 and points are deducted for each security issue found, with deductions weighted by severity:
Critical issues — deduct 15 to 20 points each (e.g. exposed database backup, actively-exploited plugin vulnerability, missing SSL certificate)
High severity issues — deduct 8 to 12 points each (e.g. missing CSP header, no DMARC record, insecure cookie flags)
Medium severity issues — deduct 3 to 6 points each (e.g. missing X-Frame-Options, DMARC set to monitoring-only)
Low severity issues — deduct 1 to 3 points each (e.g. no security.txt file, missing Referrer-Policy)
The final score is clamped between 0 and 100. A site with no detectable issues scores 100.
What the Letter Grades Mean
A (90–100) — Excellent. Your website has strong security practices in place. Only minor improvements are possible. Very few sites achieve this grade.
B (80–89) — Good. Your core security is solid but some secondary controls are missing. Minor improvements will push you to A grade.
C (70–79) — Fair. Several issues need attention. Your site is not critically exposed but there are meaningful gaps in your security posture.
D (60–69) — Poor. Significant vulnerabilities are present. Action is needed soon to avoid exploitation.
F (below 60) — Critical. Serious vulnerabilities exist that pose an immediate risk to your site and its visitors. Immediate action is required.
Risk Levels
In addition to the score and grade, EzyAudit AI assigns a plain-English risk level:
Low risk — Score 80+. Your site has a good security posture.
Medium risk — Score 60–79. Issues present but no critical exposures.
High risk — Score 40–59. Significant vulnerabilities require prompt attention.
Critical risk — Score below 40. Serious flaws that may already be under exploitation.
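The scoring model described above (severity-weighted deductions from 100, clamping, letter grade and risk level) written out as an added Python example, not EzyAudit AI's own code; the exact deduction assigned to each finding is an assumption chosen inside the page's published ranges, and the findings list is constructed for illustration.

```python
from typing import Iterable, List, Tuple

# Deduction range per severity exactly as stated on the page (min, max points).
DEDUCTION_RANGES = {
    "critical": (15, 20),
    "high": (8, 12),
    "medium": (3, 6),
    "low": (1, 3),
}

def compute_score(findings: Iterable[Tuple[str, int]]) -> int:
    """Start at 100, subtract each finding's deduction, clamp to 0..100.

    Each finding is (severity, deduction). A deduction outside the page's
    range for its severity is rejected rather than silently applied.
    """
    score = 100
    for severity, deduction in findings:
        low, high = DEDUCTION_RANGES[severity]
        if not low <= deduction <= high:
            raise ValueError(f"{severity} deduction {deduction} not in {low}-{high}")
        score -= deduction
    return max(0, min(100, score))

def letter_grade(score: int) -> str:
    """Letter grade bands from the page: A 90-100, B 80-89, C 70-79, D 60-69, F <60."""
    for threshold, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return grade
    return "F"

def risk_level(score: int) -> str:
    """Risk bands from the page: Low 80+, Medium 60-79, High 40-59, Critical <40."""
    for threshold, level in ((80, "Low"), (60, "Medium"), (40, "High")):
        if score >= threshold:
            return level
    return "Critical"

def summarise(findings: List[Tuple[str, int]]) -> Tuple[int, str, str]:
    """Return (score, grade, risk level) for one scan's findings."""
    score = compute_score(findings)
    return score, letter_grade(score), risk_level(score)

# Constructed sample findings (not real scan output); deductions are assumed
# values within each severity's range, comments name the page's own examples.
SAMPLE_FINDINGS = [
    ("high", 10),    # missing CSP header
    ("medium", 4),   # missing X-Frame-Options
    ("medium", 3),   # DMARC set to monitoring-only
    ("low", 2),      # no security.txt file
]

if __name__ == "__main__":
    print(summarise(SAMPLE_FINDINGS))  # (81, 'B', 'Low')
```

Note that the grade and risk bands do not line up one-to-one: a D grade (60-69) is still "Medium risk", while an F splits between "High" and "Critical" depending on whether the score is below 40.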
What Score Should You Aim For?
The realistic target for most websites is a B grade (80+). Achieving an A grade typically requires addressing every single low-severity finding, some of which are minor informational items that may not be practically fixable on all hosting setups.
A B grade means your site has no critical or high severity vulnerabilities, your SSL and security headers are correctly configured, your email authentication is in place, and you are not running any software with known exploitable flaws.
That is genuinely good security — better than the vast majority of websites on the internet.
Using the Score to Track Improvement
The score becomes most valuable as a tracking tool over time. Run a scan, address the highest-severity findings, run another scan, and watch the score improve. This iterative approach lets you make progress even if you cannot fix everything at once.
EzyAudit AI keeps your full scan history so you can see exactly how your security posture has improved (or changed) over time — useful for demonstrating due diligence to clients, partners, or auditors.