Frequently Asked Questions About Third-Party Risk | Recorded Future

FAQ (Third-Party Risk)

Recorded Future’s Third-Party Intelligence module provides third-party risk teams with comprehensive third-party risk data and analysis. Potential risks associated with third parties include:

  • Company mentions on the dark web — recent, frequent mentions of a company on the dark web often correlate with more threat activity against the company, increasing the likelihood of attack.
  • Domain abuse — typosquat domains registered to impersonate an organization’s domains indicate potential risks, such as phishing attacks.
  • Incident report — a recent security breach disclosure or a validated attack discovered by our Insikt team likely indicates that a recent cyber attack, breach, or event put the third party’s information assets at risk.
  • Leaked credentials — exposed data from business accounts used by employees on dark web and paste sites leave third parties exposed to credential stuffing attacks and account impersonation.
  • Infrastructure abuse — IT infrastructure misuse or abuses, such as hosted TOR nodes, communication with C2 servers, malware detections, and the use of website technologies associated with high-risk CVEs all indicate that the company is more susceptible to attack.
  • Web application security — outdated SSL/TLS certificates, unsupported SSL/TLS configurations, and the use of unsupported software all pose risk to a company and the businesses they work with.

These potential risks, along with dozens of other factors, are incorporated into the calculation of a real-time risk score, which is valuable for a quick assessment of the risk associated with third parties.

What is the Third-Party Intelligence module used for?

Recorded Future’s Third-Party Intelligence offering provides cyber risk scores and deep access to the comprehensive data behind them as a fully integrated part of its universal security intelligence platform.

The Recorded Future Third-Party Intelligence module is designed for third-party risk teams that are concerned with risks resulting from partners, vendors, customers, and contractors with which they do business.

Recorded Future’s Third-Party Intelligence module enables organizations to improve their risk management by understanding environmental risk factors affecting their partners and suppliers. Risk management professionals use risk scores to efficiently screen and monitor third parties, and collaborate with security professionals to investigate and remediate specific risks as needed with transparency to the underlying evidence.

This module is not intended to serve as a one-stop compliance litmus test or to provide a final authoritative “credit score.” Rather, Third-Party Intelligence is intended to arm customers with cyber risk insights available externally using Recorded Future’s Security Intelligence Platform to have informed conversations with current and potential business partners.

Who do we score?

Recorded Future currently scores 150,000 of the largest companies in the world. We are constantly evaluating our coverage and will expand over time.

The Third-Party Intelligence module also currently scores only publicly traded and private companies, not geographic and political entities or non-commercial organizations.

What does each criticality level mean?

Each criticality level carries the following implications derived from the risk rule when triggered:

  • High (65–99): Recorded Future has observed indicators of high-severity threats and elevated cyber risk.
  • Moderate (25–64): Recorded Future has observed, over time, indicators of moderate threats and cyber risk.
  • Informational (5–24): Important for general situational awareness.

How can I view my risk score?

Customers of the Third-Party Intelligence module can view their risk score on the relevant Intelligence Card, which lists the “triggered risk rules” and associated data that compose the risk score. Additionally, a full list of the risk rules can be found here.

Recorded Future’s risk scores update automatically. Once an organization remediates the root cause behind a triggered risk rule, the change will be incorporated into the risk score according to the automatic age-out criteria and timeliness factors associated with each risk rule.

I’m not a Recorded Future customer. Can I view my risk score?

Scored organizations that are not currently Recorded Future customers can request a limited review of their Third-Party Intelligence risk score here. These reports do not provide the specific score but do show the “triggered risk rules” that determine the overall score for a company and a brief explanation of why they matter.

Generally, we limit these complimentary requests for a company’s risk exposure to once per quarter.

How can I provide feedback on my risk scores?

You can provide feedback on Third-Party Intelligence risk scores here.

How is Recorded Future’s Third-Party Intelligence module different from security rating services?

Recorded Future is an intelligence provider, arming third-party risk teams with relevant information about risks to their third parties. Unlike other services, a Recorded Future third-party risk score is not an assessment or judgement of an organization’s overall security posture and behavior. It is a measure of observable risk, backed by detailed evidence that can be used for productive remediation conversations.

Recorded Future uses a broad range of sources across the open web, dark web, and technical sources. Other services may collect their data from different sources or may not consider items like attention on the dark web or leaked credentials in calculating their score. Additionally, Recorded Future incorporates proprietary research from our industry-leading Insikt Group, which is unique to Recorded Future.

How is the risk score calculated? Where does the data come from?

Third-Party risk scoring aggregates information from Recorded Future’s industry-leading data set that includes sources from the open, deep, and dark web, along with technical and proprietary sources. Recorded Future relies exclusively on external data, and does not engage in active scanning of organizations.

Fairness, accuracy, and transparency

To ensure fairness and accuracy in Recorded Future’s Third-Party Intelligence module, Recorded Future is committed to the following principles:

  • Precision: Recorded Future will strive to provide risk scores based on sophisticated methodologies applied to relevant and high-quality data.
  • Transparency: Recorded Future will provide transparency into the methodologies and types of data to determine an entity’s cyber risk score. A summary of the current risk rules can be found here.
  • Fairness: All organizations will have the right to provide feedback on the scores and share corrected or clarifying data via our feedback form.
  • Accuracy: All Third-Party risk scores will be entirely objective and data-driven. Unlike many other services, Recorded Future’s Third-Party risk scores shall continually update based on specific time frames tied to each risk rule and reflect the inclusion of the latest validated information.
  • Validation: Recorded Future will also endeavor to independently validate our methodologies and, over time, the historical performance of our models.
  • Independence: Commercial relationships (or lack thereof) with any customer, partner, prospect, vendor, or other entity will have absolutely no impact on an organization’s rating. Similarly, all organizations will be able to provide feedback on their rating and the methodology.
  • Confidentiality: Any information disclosed by an organization or individual providing feedback shall be appropriately protected. Relatedly, as always, Recorded Future will abide by cyber research best practices to prevent the misuse of its platform.