Quantified external risk, scored consistently.
Risk scores are useful when they reflect real-world exploitation, not theoretical severity, and when the math is consistent across the organization and its third parties. Security Risk Scoring runs the same scoring engine across internal assets, vendor portfolios, and any organization you need to evaluate externally.
One scoring methodology, applied consistently.
Risk teams, board-reporting functions, procurement-stage risk gates, and underwriting teams run this workflow. The question they answer: what's the risk number, and what's underneath it? Pre-Deepinfo, scores typically come from per-vendor questionnaires plus a third-party rating platform that vendor-shops scores around the buyer ecosystem. Post-Deepinfo, scores come from continuous observational evidence with documented methodology.
Per-asset and per-domain scoring rolls up to organization-level scores. Vulnerability scoring weights EPSS (exploit prediction) and CISA KEV (active exploitation) over CVSS theoretical severity. Portfolio rollups aggregate vendor scores into category views (top 10 vendors by spend, regulated-vendor sub-portfolio, critical-data vendors) and a single portfolio score.
Outcomes: board reporting uses one consistent number; procurement gates fire on objective scoring rather than per-vendor questionnaire variability; renewal cycles factor in posture trajectory rather than a snapshot.
Three signals per score, same methodology everywhere.
CVSS for the baseline. EPSS for exploit-prediction signal. CISA KEV for active-exploitation flags. Score weights real-world signal over theoretical severity. Portfolio rollups aggregate per-vendor scores.
CVSS baseline.
Common Vulnerability Scoring System for vulnerability findings. Necessary, not sufficient. CVSS-only scoring rewards theoretical severity over real-world risk.
EPSS exploit prediction.
The Exploit Prediction Scoring System gives the probability that a vulnerability will be exploited in the next 30 days. It separates real queue-toppers from theoretical-criticals.
CISA KEV confirmed exploitation.
CVEs confirmed exploited in the wild. KEV-listed CVEs jump to the top of the prioritization queue regardless of CVSS.
Portfolio rollups.
Per-vendor scores aggregate into category-level views and portfolio-level scores. Score-threshold alerts route to procurement when a vendor crosses a defined floor.
Customers using risk scoring at portfolio scale.
A major Türkiye-based bank
Continuous monitoring + scoring across 100+ third-party relationships in the regulated portfolio.
An international insurance group
Group-level CISO dashboard rolling up scoring across subsidiary brands and vendor partners.
Third-party risk management
Continuously assess and score the security posture of every organization you work with.
“Quantified external risk that uses the same engine across our own assets and our vendors makes risk discussions consistent. The score is comparable, defensible, and grounded in actual exploitation signal.”
Related use cases.
Audit-ready evidence, continuously kept current.
Audit cycles fail when the evidence is six months old.
Underwriting that runs on continuous evidence.
Cyber insurance underwriting runs on questionnaires that go stale within months.
Vendor risk that doesn't depend on questionnaires.
Annual vendor questionnaires capture posture at one moment, filtered through the vendor's self-reporting.
See your organization-level risk score against your domain.
Run Deepinfo against your domain. The free threat exposure report includes your current security score plus a breakdown of what's driving it.