The SecurityScorecard belongs to the category of security ratings. From publicly observable signals — DNS configuration, certificates, address reputation, exposure indicators —, it produces a comparable score that synthesizes an organization's security posture from an external perspective. It is a mature and widely adopted tool.
For what it proposes, it performs well. In third-party risk management programs, it offers a quick and standardized way to compare dozens or hundreds of suppliers, track the evolution of the posture over time, and support contractual conversations based on a common metric. Risk teams, procurement, and governance extract real value from this consolidated view.
The limitation is inherent to its format. A score is an indicator of trend in apparent posture. The actionable inventory of surface and confirmation of exploitability answer other questions. It answers "what is the apparent posture of this organization," not "which unknown assets are exposed" nor "is this vulnerability actually exploitable in my environment." These are different questions, and require different tools.