Per-vendor scores. Portfolio-level rollups. Same scoring engine across the platform.
Vendor scores are useful when they're consistent, defensible, and tied to real exploitation signal. Automated Risk Scoring uses the same scoring engine as the rest of Deepinfo: per-vendor scores rolled up from per-asset findings, vulnerability scoring enriched by EPSS exploit prediction and CISA KEV actively-exploited flags, and portfolio-level rollups for board reporting and procurement gating.
Consistent scoring across every vendor and the portfolio.
Each vendor's findings roll up into a per-vendor score on a unified scale. The score weights findings by severity and by real-world exploitation signal, identical to the methodology used for internal-asset scoring in EASM. Apples-to-apples comparison across your vendor portfolio is possible because the scoring math is the same for every vendor.
Portfolio rollups aggregate vendor scores into category-level views (your top 10 vendors by spend, your critical-data vendors, your regulated-vendor sub-portfolio) and a single portfolio score. Trend tracking shows portfolio-level posture changing over time. Score-threshold alerts route to procurement and risk teams when a vendor crosses a defined floor.
Three signals per vendor score, same as the rest of the platform.
CVSS for the baseline. EPSS for exploit-prediction signal. CISA KEV for confirmed in-the-wild exploitation. The same three-signal methodology applies to vendor scoring as to internal-asset scoring.
CVSS, the baseline.
Common Vulnerability Scoring System for vendor-side CVE findings. Necessary, not sufficient.
EPSS, exploit prediction.
The Exploit Prediction Scoring System estimates the probability that a vulnerability will be exploited in the next 30 days. EPSS lets you separate the genuine queue-toppers from theoretical-criticals on vendor infrastructure too.
CISA KEV, confirmed exploitation.
CISA Known Exploited Vulnerabilities catalog. CVEs confirmed to be exploited in the wild get top-of-queue treatment regardless of CVSS.
Where vendor scores show up in your workflow.
Per-vendor score
Unified-scale score per vendor with finding-level breakdown for drill-down.
Portfolio score
Single aggregated score across the vendor list for board-level reporting.
Category rollups
Spend tier, regulated vendors, critical-data vendors, and other configurable category cuts.
Score timeline
Trajectory per vendor and per portfolio over weeks and months.
Score-threshold alerts
Routed alerts when a vendor crosses a defined floor on the unified scale.
Procurement-gating views
Risk-stage approval views with score thresholds wired into procurement workflows.
Board reporting views
Portfolio trend over time, ready for board-deck inclusion.
Scoring closes the TPRM workflow.
Smart Third-Party Discovery surfaces vendors. Continuous Monitoring scans them. Comprehensive Risk Assessments classify findings. Automated Risk Scoring rolls everything into per-vendor and portfolio-level scores. Compliance Tracking maps the same data to your compliance framework. One workflow.
“Per-vendor scores using the same engine that scores our own assets means the vendor risk picture is comparable, defensible, and tied to real exploitation signal. Procurement reviews stopped feeling subjective.”
Explore the full platform.
See your entire attack surface. Act on what matters.
Continuous discovery and monitoring of every internet-facing asset, including subsidiaries and acquired companies.
CTI · CYBER THREAT INTELLIGENCE
See what’s exposed. Act before it’s exploited.
Dark-web monitoring, breach corpora, infostealer logs, and threat-actor activity tied to your organization.
BRP · BRAND RISK PROTECTION
Keep an eye on the internet. Protect your brand.
Lookalike domains, fake apps, fraudulent listings, and brand abuse caught in hours, not weeks.
TPRM · THIRD-PARTY RISK MANAGEMENT
Every third party carries risk. See all of it.
Continuous external monitoring of every approved vendor with the same depth as your own surface.
DSI · DEEP SEARCH AND INSIGHTS
Explore the entire internet. See every layer.
400M domains, 2B subdomains, 200B DNS records, 30B SSL certificates. All queryable directly.
Get a portfolio score for your real vendor list.
Book a demo. We'll run scoring against your top vendors and walk through the portfolio rollup view.