Methodology · Watchlists / leaderboards
Curated rankings, never sponsored, always appealable.
Cipherwake publishes sector and thematic watchlists at /watchlist/<slug>. This page documents how list members are selected, how rankings are computed, the tie-break rules, and the explicit no-sponsored-placement rule that protects list integrity.
How members are selected
Each watchlist has a published selection rule, visible at the top of its page. Examples:
- Top US banks (asset size) — Federal Reserve "Large Commercial Banks" list, top 50 by consolidated assets.
- Top SaaS by ARR — public-source ranking (latest fiscal year disclosed).
- S&P 500 healthcare — index membership as of the published reference date.
- Most Improved / Fixed This Week — derived from the score_history table; biggest score improvements in the trailing 7-day window.
Membership is mechanical from a public source — we do not handpick organizations onto a list, and we do not remove organizations from a list at their request. Inclusion is not opt-in or opt-out.
How rankings are computed
For each list member, we run our standard public scan and rank by DBR score (lower is better). Ties break, in this order, on:
- certLifetime subscore (lower wins)
- keyPersistence subscore (lower wins)
- Alphabetical (deterministic floor)
Reranking cadence: a nightly cron job rescans every list member, and rankings update when the run completes. Score history is preserved so that trend rankings (Most Improved, Worst This Quarter) remain meaningful.
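The ranking and tie-break chain above, the trailing-window Most Improved derivation, and the "reachable: false" missing-data state described under limitations are shown together in the following added example. It is illustrative code, not Cipherwake's own implementation: the field names (dbr, certLifetime, keyPersistence, reachable), the score_history row shape and all sample values are constructed assumptions.

```python
"""Added example (not Cipherwake's code): rank watchlist members by DBR score
with the documented tie-break chain, keep unreachable members in a separate
missing-data state, and derive Most Improved from a trailing 7-day window.
Field names and sample data are constructed assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed scan results for one watchlist. Field names are assumptions.
SCANS = [
    {"domain": "bank-c.example", "reachable": True, "dbr": 42.0, "certLifetime": 10.0, "keyPersistence": 5.0},
    {"domain": "bank-a.example", "reachable": True, "dbr": 42.0, "certLifetime": 10.0, "keyPersistence": 5.0},
    {"domain": "bank-b.example", "reachable": True, "dbr": 42.0, "certLifetime": 8.0, "keyPersistence": 9.0},
    {"domain": "bank-d.example", "reachable": True, "dbr": 17.5, "certLifetime": 3.0, "keyPersistence": 2.0},
    {"domain": "bank-e.example", "reachable": False},  # WAF-blocked scan: no score at all
]


def rank_members(scans):
    """Return (ranked_domains, unscored_domains).

    Lower DBR wins; ties break on certLifetime, then keyPersistence (lower
    wins), then the domain name as a deterministic alphabetical floor.
    Unreachable members are reported separately rather than being given an
    inferred position or grade.
    """
    scored = [s for s in scans if s.get("reachable")]
    unscored = sorted(s["domain"] for s in scans if not s.get("reachable"))
    ranked = sorted(
        scored,
        key=lambda s: (s["dbr"], s["certLifetime"], s["keyPersistence"], s["domain"]),
    )
    return [s["domain"] for s in ranked], unscored


# Constructed score_history rows: (domain, scanned_at, dbr). Reference time is fixed
# so the example is reproducible offline.
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
HISTORY = [
    ("bank-a.example", NOW - timedelta(days=9), 55.0),  # outside the 7-day window, ignored
    ("bank-a.example", NOW - timedelta(days=6), 50.0),
    ("bank-a.example", NOW - timedelta(days=1), 42.0),
    ("bank-b.example", NOW - timedelta(days=7), 44.0),  # exactly on the cutoff, included
    ("bank-b.example", NOW - timedelta(days=1), 42.0),
    ("bank-d.example", NOW - timedelta(days=3), 17.5),  # single data point, no trend
]


def most_improved(history, now, window_days=7):
    """Return [(domain, improvement)] sorted biggest improvement first.

    Improvement is the drop in DBR between the earliest and latest scan inside
    the trailing window (lower is better, so a positive value is good). Domains
    with fewer than two scans in the window have no trend and are omitted.
    Ties break alphabetically, mirroring the main ranking's floor.
    """
    cutoff = now - timedelta(days=window_days)
    by_domain = {}
    for domain, scanned_at, dbr in history:
        if scanned_at < cutoff:
            continue
        by_domain.setdefault(domain, []).append((scanned_at, dbr))

    deltas = []
    for domain, points in by_domain.items():
        if len(points) < 2:
            continue
        points.sort()  # chronological
        deltas.append((points[0][1] - points[-1][1], domain))
    deltas.sort(key=lambda d: (-d[0], d[1]))
    return [(domain, delta) for delta, domain in deltas]


if __name__ == "__main__":
    ranked, unscored = rank_members(SCANS)
    print("ranked:", ranked)
    print("unscored (reachable: false):", unscored)
    print("most improved:", most_improved(HISTORY, NOW))
```

Two points the code makes explicit: the composite sort key is what makes the nightly rerank deterministic even when many members share a DBR score, and an unreachable member never enters the sort at all, so a scanner-blocking WAF cannot move a domain up or down the leaderboard.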
The appeal-a-score path
If you operate a domain on a Cipherwake watchlist and you believe its score is wrong, factually inaccurate, or based on a transient misconfiguration that has been remediated, you can request a re-scan or appeal via /feedback. We will:
- Re-run a fresh scan within 24 hours of receipt.
- If the new score differs, the list reflects the new score on the next nightly cycle.
- If you believe the methodology itself is wrong, we publish a correction and revise the methodology for every list member; we do not adjust scores for individual organizations off-methodology.
No sponsored placement
Cipherwake does not accept payment to alter watchlist membership, ranking, or score. There is no "verified" tier, no "sponsored peer," no "remove from public view" option. The Verified Monitoring Badge (planned paid product) is a self-attestation embed — it does not change a domain's position in any leaderboard.
What watchlists do NOT claim
- "Worst" is not "compromised." A bottom-of-list domain has high HNDL exposure, not an active breach.
- "Best" is not "secure." A top-of-list domain has good public-surface posture; internal exposure is still 12-40× this score (per the DBR limits).
- Membership is not endorsement. Inclusion on a sector list does not mean Cipherwake recommends or vouches for any organization.
- Rankings are not commercial. We are not a vendor-comparison shopping site; we measure crypto posture only.
Limitations + edge cases
- Definition drift. "Top 50 banks by assets" reflects a snapshot date; mergers and rebrands cause rolling discrepancies.
- Domain ambiguity. Multinationals operate dozens of country-TLD variants; our list typically scores the canonical primary domain. Subsidiary domains are not auto-included.
- Static-IP / WAF blocking. Some financial-sector domains aggressively block scanners; their scan returns "reachable: false" and we record it as such, a transparent missing-data state rather than an inferred grade.
- Selection-list maintenance. When a public source list refreshes (e.g. annual asset rankings), our membership may shift in ways unrelated to the underlying domain's posture.