BitSight 2025 Ratings Update Introduces Web Application Security Risk Vector

BitSight is rolling out a major update to its security ratings system in 2025, with a stronger focus on how organizations secure their web applications. The 2025 Ratings Algorithm Update (RAU 2025) enters preview on April 8, 2025, giving customers time to understand potential score changes before the update takes full effect.

The headline shift is the move from legacy header checks to a broader web application assessment model. RAU 2025 makes Web Application Security (WAS) rating-impacting and replaces the older Web Application Headers (WAH) risk vector, which becomes informational and is eventually deprecated.

BitSight also notes analytics improvements across other risk vectors, aimed at making ratings better reflect real-world security conditions.

Web Application Security Risk Vector Replaces Legacy Header Checks

BitSight introduced the Web Application Security (WAS) risk vector in 2023 as a more comprehensive way to evaluate web application health. It builds on what WAH measured, but expands coverage to include a wider set of security assessments tied to real application risk.

WAH largely focused on whether specific security-related HTTP headers were present. WAS goes further by incorporating checks mapped to issues aligned with the OWASP Top 10, helping surface risks that are more closely connected to modern exploitation patterns and misconfigurations.
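To make the distinction concrete, the following script, added here as an illustration and not BitSight's own check logic, audits a captured HTTP response head the way a legacy header-presence check would, then separately flags headers that are present but configured weakly. The header list, the HSTS max-age threshold and the sample responses are assumptions constructed for the example.

```python
"""Audit security-related HTTP response headers: presence first (what a
legacy header check measures), then value quality (what presence misses)."""
from dataclasses import dataclass, field

# Assumed set of headers a presence-style check looks for; not BitSight's list.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)
ONE_YEAR_SECONDS = 31536000  # assumed minimum HSTS max-age for this example


@dataclass
class HeaderAudit:
    missing: list = field(default_factory=list)  # expected headers not present
    weak: list = field(default_factory=list)     # present but poorly configured

    @property
    def present_all(self) -> bool:
        """True when a presence-only check would report a clean result."""
        return not self.missing


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a captured HTTP response (status line first)."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def parse_max_age(value: str):
    """Return the integer max-age from an HSTS value, or None if absent/invalid."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part[len("max-age="):])
            except ValueError:
                return None
    return None


def audit_headers(headers: dict) -> HeaderAudit:
    h = {k.lower(): v for k, v in headers.items()}
    result = HeaderAudit()
    # Stage 1: presence, the extent of a legacy header check.
    for name in EXPECTED_HEADERS:
        if name not in h:
            result.missing.append(name)
    # Stage 2: value checks, where a present header can still leave exposure.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        max_age = parse_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR_SECONDS:
            result.weak.append("strict-transport-security: max-age below one year")
    csp = h.get("content-security-policy")
    if csp is not None:
        if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
            result.weak.append("content-security-policy: allows unsafe-inline or unsafe-eval")
        if "default-src" not in csp and "script-src" not in csp:
            result.weak.append("content-security-policy: no default-src or script-src")
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        result.weak.append("x-content-type-options: value is not nosniff")
    return result


# Constructed sample responses for demonstration; not captured from real sites.
STRONG_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n<html></html>"
)
WEAK_BUT_PRESENT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n<html></html>"
)
MISSING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: NOSNIFF\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("strong", STRONG_RESPONSE),
                       ("weak-but-present", WEAK_BUT_PRESENT_RESPONSE),
                       ("missing", MISSING_RESPONSE)):
        a = audit_headers(parse_response_headers(raw))
        print(f"{label}: presence clean={a.present_all} missing={a.missing} weak={a.weak}")
```

The second sample is the case the paragraph above describes: every expected header is present, so a presence-only check reports it clean, while the value checks flag a short HSTS lifetime and a CSP that permits inline scripts. Running the audit over a saved response from your own deployment (for example, the head captured with `curl -sI`) shows which of the two stages a finding falls under.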

Under RAU 2025, WAS accounts for 5 percent of the overall BitSight Security Rating, matching the weight previously assigned to WAH. In other words, the weighting stays the same, but the signal behind that portion of the score becomes more meaningful.

What the 2025 BitSight Update Means for Organizations

For many organizations, the biggest impact is that web application security will be measured in a way that better reflects real risk. Since WAS is designed around a broader set of application security best practices, teams may see rating movement even if their header configuration has been strong.

The preview window is also a practical opportunity. Companies that use BitSight for vendor assessments, partnership requirements, or internal benchmarking can review WAS findings early, then prioritize fixes before the change is fully implemented. BitSight indicates the RAU 2025 web application change becomes rating-impacting with the RAU rollout on July 10, 2025.

To stay ahead of score shifts, organizations should focus on the fundamentals: reduce exposed web app weaknesses, tighten configurations, and use OWASP-aligned remediation as a guide for prioritization.
