FAQ (Third-Party Risk)

Recorded Future’s Third-Party Intelligence module provides third-party risk teams with comprehensive third-party risk data and analysis. Potential risks associated with third parties include:

  • Company mentions on the dark web — recent, frequent mentions of a company on the dark web often correlate with more threat activity against the company, increasing the likelihood of attack.
  • Domain abuse — typosquat domains registered to impersonate an organization’s domains indicate potential risks, such as phishing attacks.
  • Incident report — a recent security breach disclosure or a validated attack discovered by our Insikt team likely indicate that a recent cyber attack, breach, or event put the third-party’s information assets at risk
  • Leaked credentials — exposed data from business accounts used by employees on dark web and paste sites leave third-parties exposed to credential stuffing attacks and account impersonation.
  • Infrastructure abuse — IT infrastructure misuse or abuses, such as hosted TOR nodes, communication with C2 servers, malware detections, and the use of website technologies associated with high-risk CVEs all indicate that the company is more susceptible to attack.
  • Web application security — outdated SSL/TLS certificates, unsupported SSL/TLS configurations, and the use of unsupported software all pose risk to a company and the businesses they work with.

These potential risks, along with dozens of other factors, are incorporated into the calculation of a real-time risk score, which is valuable for a quick assessment of the risk associated with third parties.

Fairness, accuracy, and transparency

To ensure fairness and accuracy in Recorded Future’s Third-Party Intelligence module, Recorded Future is committed to the following principles:

  • Precision: Recorded Future will strive to provide risk scores based on sophisticated methodologies applied to relevant and high-quality data.
  • Transparency: Recorded Future will provide transparency into the methodologies and types of data to determine an entity’s cyber risk score. A summary of the current risk rules can be found here.
  • Fairness: All organizations will have the right to provide feedback on the scores and share corrected or clarifying data via our feedback form.
  • Accuracy: All Third-Party risk scores will be entirely objective and data-driven. Unlike many other services, Recorded Future’s Third-Party risk scores shall continually update based on specific time frames tied to each risk rule and reflect the inclusion of the latest validated information.
  • Validation: Recorded Future will also endeavor to independently validate our methodologies and, over time, the historical performance of our models.
  • Independence: Commercial relationships (or lack thereof) with any customer, partner, prospect, vendor, or other entity will have absolutely no impact on an organization’s rating. Similarly, all organizations will be able to provide feedback on their rating and the methodology.
  • Confidentiality: Any information disclosed by an organization or individual providing feedback shall be appropriately protected. Relatedly, as always, Recorded Future will abide by cyber research best practices to prevent the misuse of its platform.
  • </ul>