diff --git a/pkg/model/models.go b/pkg/model/models.go
index 00b3641..8130f62 100644
--- a/pkg/model/models.go
+++ b/pkg/model/models.go
@@ -1656,12 +1656,20 @@ func supportsAEAD(scan ScanResult) bool {
 }
 //see https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
-func toTLSGrade(score int) (grade string) {
+func toTLSGrade(score int, meta strengthMetadata) (grade string) {
 switch {
 case score >= 80:
- grade = "A"
+ if meta.forwardSecret == "" || meta.weak != "" {
+ grade = "B"
+ } else {
+ grade = "A"
+ }
 case score >= 65:
- grade = "B"
+ if meta.forwardSecret == "" || meta.weak != "" {
+ grade = "C"
+ } else {
+ grade = "B"
+ }
 case score >= 50:
 grade = "C"
 case score >= 35:
@@ -1751,11 +1759,23 @@ func scoreCipher(cipher, protocol uint16, scan ScanResult) (score string) {
 }
 s := (30*mapEncKeyLengthToScore(cc.GetEncryptionKeyLength()) + 30*fsScore + 40*mapKeyExchangeKeylengthToScore(cc.GetKeyExchangeKeyLength(cipher, protocol, scan))) / 100
- return fmt.Sprintf("%d bits, %s%sGrade %s", cc.GetEncryptionKeyLength(), fs, annotateWeak(cc), toTLSGrade(s))
+
+ meta := strengthMetadata{
+ keyLength: s,
+ weak: annotateWeak(cc),
+ forwardSecret: fs,
+ }
+ return fmt.Sprintf("%d bits, %s%sGrade %s", cc.GetEncryptionKeyLength(), fs, meta.weak, toTLSGrade(s, meta))
 }
 return
 }
+type strengthMetadata struct {
+ keyLength int
+ weak string
+ forwardSecret string
+}
+
 func annotateWeak(cc CipherConfig) string {
 weak := "Weak, "
 switch {
diff --git a/pkg/model/tls_score.go b/pkg/model/tls_score.go
index 49be4b8..35e37c5 100644
--- a/pkg/model/tls_score.go
+++ b/pkg/model/tls_score.go
@@ -6,7 +6,7 @@ func score2009p(s *ScanResult) (result SecurityScore) {
 adjustScore2009p(&result, *s)
 } else { //No TLS
- result.Grade = toTLSGrade(-1)
+ result.Grade = toTLSGrade(-1, strengthMetadata{})
 }
 return
 }
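Review bot: The new cap in the `case score >= 80` and `case score >= 65` branches treats an empty `meta.forwardSecret` as "not forward secret", so a caller that has no cipher metadata at all is penalised as if it lacked forward secrecy: `computeBasicScore` in the tls_score.go hunk at `@@ -66,12` passes a never-populated `var meta strengthMetadata`, which means its composite grade can no longer reach A, and scores in the 65–79 band drop from B to C. The root cause is that the cap is keyed on annotation strings (`forwardSecret == ""`, `weak != ""`), which makes "unknown" indistinguishable from "absent". Consider carrying explicit booleans and applying the cap only when the metadata was actually populated, e.g. `if meta.known && (!meta.forwardSecret || meta.weak)`, or have computeBasicScore derive the qualifiers from the scan instead of passing a zero value. The function would also benefit from a comment stating the rule being applied, e.g. `// Grades A and B are capped one step down when the cipher is weak or lacks forward secrecy.`; toTLSGrade's switch continues past the end of the hunk.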
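Review bot: `keyLength: s` in the new `strengthMetadata` literal stores the weighted composite score computed on the line above, not a key length, and `toTLSGrade` never reads that field; rename it to what it holds (`score: s`) or drop it. The `strengthMetadata` type itself has no doc comment; add one along the lines of `// strengthMetadata carries the cipher qualifiers toTLSGrade uses to cap a grade: weak is annotateWeak's annotation and forwardSecret the FS annotation; both are presumably "" when the qualifier is absent — confirm against annotateWeak and the fs assignment.` Using the annotation text as the signal ties the grading rule to whatever label those helpers emit, so a later wording change would silently change grades; a bool per qualifier would be more robust. scoreCipher's body starts outside the hunk, so the values `fs` can take are not visible here.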
@@ -17,7 +17,7 @@ func score2009q(s *ScanResult) (result SecurityScore) {
 adjustScore2009q(&result, *s)
 } else { //No TLS
- result.Grade = toTLSGrade(-1)
+ result.Grade = toTLSGrade(-1, strengthMetadata{})
 }
 return
 }
@@ -66,12 +66,12 @@ func computeBasicScore(s *ScanResult) (result SecurityScore) {
 result.KeyExchangeScore = (keyExchangeMaxScore + keyExchangeMinScore) / 2
 result.CipherEncryptionScore = (cipherStrengthMaxScore + cipherStrengthMinScore) / 2
-
+ var meta strengthMetadata
 if result.ProtocolScore*result.KeyExchangeScore*result.CipherEncryptionScore == 0 { //if any of the three protocol, key exchange or cipher encryption score is zero, then zero the result
- result.Grade = toTLSGrade(0)
+ result.Grade = toTLSGrade(0, meta)
 } else {
- result.Grade = toTLSGrade((30*result.ProtocolScore + 30*result.KeyExchangeScore + 40*result.CipherEncryptionScore) / 100)
+ result.Grade = toTLSGrade((30*result.ProtocolScore+30*result.KeyExchangeScore+40*result.CipherEncryptionScore)/100, meta)
 }
 scoreCertificate(&result, s)