Published 2026-04-28 — v1.0
Peer comparison methodology
CipherCue compares an organisation against a peer cohort drawn from a published membership index (for example, the FTSE 100 or the Russell 3000). This page specifies exactly how a cohort is defined, which observations are eligible, and how a rate is computed. Peer comparison is reported as a share of cohort members exhibiting an observed condition over a fixed window. It is not a score, a grade, or a verdict.
Cohort definitions
A cohort is the set of organisations that share a published membership record. CipherCue v1 publishes rates for the following cohorts, sourced from public index listings:
- FTSE 100 — constituents of the FTSE 100 index as listed by the London Stock Exchange.
- FTSE 250 — constituents of the FTSE 250 index as listed by the London Stock Exchange.
- Russell 3000 — constituents of the Russell 3000 index as listed by FTSE Russell.
- ISEQ 20 — constituents of the ISEQ 20 index as listed by Euronext Dublin.
Membership is recorded in the CipherCue graph via the index_membership identifier scheme. Additions and removals track the published index on its next rebalance. Historic cohort rates are not retroactively adjusted when membership changes — a rate published on a given date reflects membership as known on that date.
Apex-domain scope
Every observation used in a peer rate is filtered to the apex domain of the cohort member. CipherCue resolves apex from the organisation's registered website using the Public Suffix List (PSL), publicsuffix.org. Observations recorded against subdomains (eu.acme.com, shop.acme.com) are not counted in a peer rate. This rule is not a preference — it is the methodology. Subdomain DNS, TLS, and fingerprint observations often reflect delegation to a third-party platform (CDN, commerce, marketing) whose configuration is not controlled by the parent organisation, so including them would conflate the parent's posture with the delegated platform's defaults.
Observation window
Rates are computed over a rolling 90-day observation window. A member is counted in the numerator if at least one matching observation was recorded against the member's apex domain in the last 90 days. A member with no observations in the window is counted as zero for that window — absence is treated as "no observed signal".
Sample size floor
CipherCue does not publish a rate for a cohort whose sample size is below 20. Below this floor the rate is reported as not computed. This floor is a methodology constant. Smaller cohorts may still be useful for targeting and watchlist work but the peer rate is suppressed to prevent individual members from being re-identified through the rate.
Metric definitions (v1)
DMARC enforcement
Numerator: cohort members whose apex-domain _dmarc TXT record, as observed in the last 90 days, has a policy of quarantine or reject. Denominator: all cohort members. Source: public DNS query. Authority: RFC 7489.
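As an added illustration (not CipherCue's own code), the sketch below computes the DMARC enforcement rate under the rules on this page: apex-only scope, 90-day window, sample-size floor of 20. The function names, the observation tuple layout, the inclusive window boundary and the constructed `.example` data are assumptions; member apex domains are taken as already resolved via the PSL.

```python
from datetime import date, timedelta

WINDOW_DAYS, SAMPLE_FLOOR = 90, 20          # constants stated on this page
ENFORCING = {"quarantine", "reject"}

def dmarc_policy(txt):
    """Return the p= value of a DMARC TXT record (RFC 7489), else None."""
    tags = [t.strip() for t in txt.split(";") if t.strip()]
    if not tags or tags[0].replace(" ", "") != "v=DMARC1":
        return None                          # v= tag must come first
    for tag in tags[1:]:
        name, _, value = tag.partition("=")
        if name.strip().lower() == "p":
            return value.strip().lower()
    return None

def dmarc_enforcement_rate(member_apexes, observations, as_of):
    """Return (numerator, denominator, percent); suppressed fields are None.
    observations: (queried_name, observed_on, txt_record) tuples (assumed layout)."""
    members = {a.lower().rstrip(".") for a in member_apexes}
    if len(members) < SAMPLE_FLOOR:
        return None, len(members), None      # "not computed" below the floor
    cutoff = as_of - timedelta(days=WINDOW_DAYS)   # assumption: inclusive bound
    enforcing = set()
    for name, seen, txt in observations:
        name = name.lower().rstrip(".")
        if not name.startswith("_dmarc."):
            continue
        apex = name[len("_dmarc."):]
        if apex not in members:              # subdomain records are out of scope
            continue
        if cutoff <= seen <= as_of and dmarc_policy(txt) in ENFORCING:
            enforcing.add(apex)              # one matching observation suffices
    n = len(members)
    return len(enforcing), n, round(100 * len(enforcing) / n, 1)

# Constructed sample data (not real observations).
COHORT = [f"m{i:02d}.example" for i in range(1, 21)]
OBS = [
    ("_dmarc.m01.example", date(2026, 4, 20), "v=DMARC1; p=reject; pct=100"),
    ("_dmarc.m02.example", date(2026, 3, 1), "v=DMARC1; p=quarantine"),
    ("_dmarc.m03.example", date(2026, 4, 1), "v=DMARC1; p=none"),
    ("_dmarc.shop.m04.example", date(2026, 4, 1), "v=DMARC1; p=reject"),  # subdomain
    ("_dmarc.m05.example", date(2025, 12, 1), "v=DMARC1; p=reject"),      # stale
]

if __name__ == "__main__":
    print(dmarc_enforcement_rate(COHORT, OBS, date(2026, 4, 28)))
```

In the sample, only m01 and m02 count: m03 publishes p=none, the m04 record sits on a subdomain, and the m05 observation is older than 90 days.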
SPF presence
Numerator: cohort members whose apex-domain TXT records, as observed in the last 90 days, contain a v=spf1 record. Denominator: all cohort members. Source: public DNS query. Authority: RFC 7208.
CISA-listed software observed
Numerator: cohort members with at least one kev_match record observed on their apex domain in the last 90 days. Denominator: all cohort members. Source: CipherCue KEV matcher against the CISA Known Exploited Vulnerabilities catalogue (see KEV matching methodology). Authority: CISA KEV catalogue.
What the customer sees
On an entity's Observations tab, if the entity is a member of one or more published cohorts, a Peers section appears. Each row states the cohort, the metric, the entity's observed value, and the cohort rate with its sample size and window. For example:
Cohort: FTSE 100. Of 99 members, 38 have a DMARC policy of quarantine or reject observed on their apex domain in the last 90 days (38.4%). Acme's apex domain DMARC policy observed on 2026-04-28 was none. Source: public DNS query; cohort sourced from published FTSE 100 membership.
What this is not
- Not a score or grade. A cohort rate is an observed share; an organisation's position in the rate is a fact of observation, not a verdict.
- Not a prediction of incident likelihood. CipherCue does not claim that cohort members on either side of the rate are more or less likely to experience an incident.
- Not a benchmark of adequacy. The rate does not assert that any particular posture is sufficient or insufficient for any organisation's threat model.
Correction
If a cohort membership record is incorrect, or if an observation used in a rate is spurious, email corrections@ciphercue.com. We investigate within 7 days.
Changelog
v1.0 — 2026-04-28 — Initial publication. Apex-domain scope, 90-day window, sample-size floor of 20, three v1 metrics (DMARC enforcement, SPF presence, CISA-listed software observed).