Methodology
Plain-English documentation for users, prospects, and insurers who need to understand what the number means and defend it.
Overview
The risk score is a number from 0 (highest risk) to 100 (lowest risk). It combines four independent signals, each updated automatically. A score of 100 does not mean a vendor is perfectly secure. It means no publicly observable signals of concern were found at the time of the last update.
The Four Signals
Signal 1: CVE Severity Distribution
We pull all CVEs (Common Vulnerabilities and Exposures) from the NIST National Vulnerability Database for each vendor. CVEs are weighted by CVSS severity.
The resulting signal score cannot drop below 0 (it is capped there) and is then normalized to the common scale.
Signal 2: CISA KEV Cross-Reference
The CISA Known Exploited Vulnerabilities catalog lists CVEs actively being exploited in the wild. Any vendor CVE on the KEV list adds a severe penalty. This is the most actionable signal because it is objective and real-time.
Signal 3: SSL/TLS Certificate Health
We check each vendor's primary domain for certificate validity, expiry, and configuration issues. Expired or misconfigured certificates indicate poor security hygiene.
Signal 4: DNS Security Configuration
We verify SPF, DKIM, and DMARC records. Missing email authentication records are a leading indicator of phishing risk.
Blast Radius Weighting (portfolio-level only)
When you tag vendors with data classification (PII, Financial, IP, or None) and operational criticality (Mission Critical, Important, Nice to Have), your portfolio health score is weighted accordingly.
A mission-critical vendor handling PII counts 3x more than a nice-to-have vendor with no data sharing. This ensures your portfolio score reflects actual business exposure, not a flat average.
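As an added illustration (not the product's own code or published weights), the Python model below builds a per-vendor score from Signals 1 and 2 and then rolls it up with blast-radius weighting, to show why the weighted portfolio score differs from a flat average. Only the endpoints stated above come from the page (100 when nothing is found, 0 as the floor, and the 3x ratio between a mission-critical PII vendor and a nice-to-have vendor sharing no data); every penalty value and intermediate multiplier, and the sample vendors, are this example's assumptions.

```python
from dataclasses import dataclass

# Hypothetical penalty per CVSS qualitative severity band. The page says CVEs
# are weighted by severity and the result cannot go below 0, but publishes no
# weights; these values are this example's assumptions.
CVSS_PENALTY = {"CRITICAL": 15, "HIGH": 8, "MEDIUM": 3, "LOW": 1}
KEV_PENALTY = 40  # assumed "severe penalty" per CVE listed in the CISA KEV catalog

# Hypothetical blast-radius multipliers. The page fixes only the endpoints:
# Mission Critical + PII (3.0) counts 3x a Nice to Have vendor with no data (1.0).
DATA_WEIGHT = {"PII": 1.5, "Financial": 1.5, "IP": 1.25, "None": 1.0}
CRITICALITY_WEIGHT = {"Mission Critical": 2.0, "Important": 1.5, "Nice to Have": 1.0}

def cve_kev_signal(severities: list[str], kev_hits: int) -> int:
    """Signals 1 and 2: start at 100 (nothing found), subtract a penalty per CVE
    by severity and per KEV-listed CVE, then floor the result at 0."""
    penalty = sum(CVSS_PENALTY[s.upper()] for s in severities) + KEV_PENALTY * kev_hits
    return max(0, 100 - penalty)

@dataclass
class Vendor:
    name: str
    score: int        # 0 = highest risk ... 100 = lowest risk
    data_class: str   # PII | Financial | IP | None
    criticality: str  # Mission Critical | Important | Nice to Have

def blast_radius_weight(v: Vendor) -> float:
    return DATA_WEIGHT[v.data_class] * CRITICALITY_WEIGHT[v.criticality]

def portfolio_health(vendors: list[Vendor]) -> float:
    """Weighted mean of vendor scores: each vendor counts by its blast radius."""
    total = sum(blast_radius_weight(v) for v in vendors)
    return round(sum(v.score * blast_radius_weight(v) for v in vendors) / total, 1)

def flat_average(vendors: list[Vendor]) -> float:
    return round(sum(v.score for v in vendors) / len(vendors), 1)

# Constructed sample portfolio: one risky mission-critical PII processor next to
# two clean nice-to-have tools. A flat average hides the real exposure.
PORTFOLIO = [
    Vendor("payroll-saas", cve_kev_signal(["CRITICAL", "HIGH", "HIGH"], 1), "PII", "Mission Critical"),
    Vendor("slide-templates", cve_kev_signal([], 0), "None", "Nice to Have"),
    Vendor("icon-library", cve_kev_signal(["LOW"], 0), "None", "Nice to Have"),
]

if __name__ == "__main__":
    print("flat average:", flat_average(PORTFOLIO))               # 76.0
    print("blast-radius weighted:", portfolio_health(PORTFOLIO))  # 57.2
```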
Update Frequency
What the score is not