
By Art Murphy

A few weeks ago, I sat down with a table full of C-level execs from private equity and hedge funds. The conversation went wide, from SEC prep (of course) to cyber hygiene, and then someone mentioned an LP asking about their Drawbridge Score, and the whole table paused. No one asked, “What’s that?” They all knew.

Let’s be honest: that’s not where we were a year ago.

The fact that our score has become recognizable shorthand for cyber posture? Wild. But not exactly surprising. The truth is, for years, the industry has needed a simple, shared way to communicate cyber readiness, one that GPs, LPs, regulators, and insurers can all understand. Until now, that’s been a unicorn. Why? Because the traditional approach to cyber scoring has been… kind of a mess:

  • Every provider inventing their own formula (and selling it like it’s gospel)
  • Firms getting “grades” based on narrow, black-box views of cyber risk
  • Thousands of frameworks, tools, and vendors muddying the waters

It’s made consistency almost impossible, and measuring improvement even harder.

Enter: The Drawbridge Score

In 2024, we decided to change the game.

Working with a deep bench of CISOs, allocators, and investment leaders, we developed the Drawbridge Score, a data-driven cyber risk score designed to meet the reality of this market. It’s already being adopted by GPs, LPs, portfolio companies, and ODD teams as the modern benchmark.

But here’s the twist: the Drawbridge Score doesn’t try to “grade” you. No red pens or gold stars. Instead, it shows a firm’s relative position in the broader ecosystem based on benchmarking, peer data, and what matters across readiness, documentation, infrastructure, and governance. 

It’s objective, actionable, and importantly, not something you can “game.” (No offense to those who try.)

What It Measures (and Why It Matters)

The Drawbridge Score evaluates across four critical dimensions:

1. Infrastructure & Operations

2. Policies & Governance

3. Testing & Controls

4. Evidence & Documentation

Each section is calibrated to spotlight both systemic weaknesses and potential resilience — including indicators of future risk. 

And what we’re seeing across early scores has been telling:

  • 48% don’t run external penetration testing more than once a year
  • 1 in 5 firms lack continuous vulnerability scanning

And too many programs are still stuck in “check-the-box” territory.

Without insight, there’s no progress. The score gives firms the visibility to prioritize what’s next, tell a clear story to stakeholders, and prove that cyber isn’t just a checkbox; it’s part of operational alpha.

Why This Matters for the Industry

The Drawbridge Score isn’t just a compliance tool; it’s a communication tool. It builds trust across stakeholders and helps firms shift from reactive posturing to proactive posture. It also enables teams to:

  • Track improvement over time
  • Align remediation to actual risk
  • Navigate regulatory expectations (hello, SEC, FCA, ESMA, DORA…)

Cyber risk is no longer a side conversation; it’s showing up in capital raising, deal flow, insurance, and valuation. Firms that invest in the right programs (and can prove it) are going to stand out, not just because they’re safer, but because they’re sending the right message to the market.

The Takeaway

As the threat landscape evolves, the firms that earn trust will be the ones that can show they’re ready, not just say they are.

The Drawbridge Score is helping them get there. One signal, one benchmark, one story that cuts through the noise.
