Frequently Asked Questions About Third-Party Risk

Recorded Future’s Third-Party Risk module provides threat intelligence teams with comprehensive third-party risk data and analysis. Potential risks associated with third parties include:

  • Corporate emails and credentials found on the dark web — exposed credentials from business accounts that employees used on third-party sites leave the company open to credential stuffing attacks and account impersonation.
  • Company mentions on the dark web — recent, frequent mentions of a company on the dark web often correlate with more threat activity against the company, increasing the likelihood of attack.
  • Domain abuse — typosquat domains registered to impersonate an organization’s domains indicate potential risks, such as phishing attacks.
  • Use of potentially vulnerable technologies — the use of website technologies that are often exploited or associated with high-risk CVEs poses increased risk of compromise.
  • IT policy violations — IT infrastructure misuse or abuse, such as an IP address hosting a command and control server, indicates that the company is more susceptible to attack and poses a risk to the companies it does business with.

These potential risks, along with dozens of other factors, are incorporated into the calculation of a real-time risk score, which is valuable for a quick assessment of the risk associated with third parties.

To ensure fairness and accuracy in Recorded Future’s Third-Party Risk module, Recorded Future is committed to the following principles:

  • Precision: Recorded Future will strive to provide risk scores based on sophisticated methodologies applied to relevant and high-quality data.
  • Transparency: Recorded Future will provide transparency into the methodologies and the types of data used to determine an entity’s cyber risk score. A summary of the current risk rules can be found here.
  • Fairness: All organizations will have the right to provide feedback on the scores and share corrected or clarifying data via our feedback form.
  • Accuracy: All Third-Party Risk scores will be entirely objective and data-driven. Unlike many other services, Recorded Future’s Third-Party Risk scores shall continually update based on specific time frames tied to each risk rule and reflect the inclusion of the latest validated information.
  • Validation: Recorded Future will also endeavor to independently validate our methodologies and, over time, the historical performance of our models.
  • Independence: Commercial relationships (or lack thereof) with any customer, partner, prospect, vendor, or other entity will have absolutely no impact on an organization’s rating. Similarly, all organizations will be able to provide feedback on their rating and the methodology.
  • Confidentiality: Any information disclosed by an organization or individual providing feedback shall be appropriately protected. Relatedly, as always, Recorded Future will abide by cyber research best practices to prevent the misuse of its platform.

Who do we score?

Recorded Future currently scores 100,000 of the largest companies in the world. This includes 70,000 publicly traded organizations and 30,000 private companies. We are constantly evaluating our coverage and will likely expand over time.

Third-Party Risk currently scores only publicly traded and private companies, not geographic or political entities or non-commercial organizations.

What does each criticality level mean?

Each criticality level, derived from the risk rules that have been triggered, carries the following implications:

  • High (65–99): Recorded Future has observed indicators of high-severity threats and elevated cyber risk.
  • Moderate (25–64): Recorded Future has observed, over time, indicators of moderate threats and cyber risk.
  • Informational (5–24): Important for general situational awareness.

How can I lower my risk score?

Customers of the Third-Party Risk module can view their Risk Score on the relevant Intelligence Card, which lists the “Triggered Risk Rules” and associated data that compose the Risk Score. Additionally, a full list of the risk rules can be found here.

Since Recorded Future’s risk scores update automatically, once an organization remediates the root cause behind a Triggered Risk Rule, the remediation is reflected in the risk score according to the automatic age-out criteria and timeliness factors associated with that risk rule.

I’m not a Recorded Future customer. Can I view my risk score?

Scored organizations that are not currently Recorded Future customers can request a limited review of their Third-Party Risk score here. These reports do not provide the specific score but do show the “Triggered Risk Rules” that determine the overall score for a company and a brief explanation of why they matter.

Generally, we limit these complimentary requests for an organization’s risk exposure to once per quarter.

How can I provide feedback on Third-Party Risk scores?

You can provide feedback on Third-Party Risk scores here.

Someone else showed me my risk score. Can I get a copy from Recorded Future?

Commercial organizations that are not currently Recorded Future customers can request a limited review of their Third-Party Risk score here. These reports do not provide the specific score but do show the “Triggered Risk Rules” that determine the overall score for a company and a brief explanation of why they matter.

How is Recorded Future’s risk score different from security rating services?

Recorded Future uses a broad range of sources from across the open and dark web. Other services may collect their data from different sources or may not consider items like attention on the dark web or leaked credentials in calculating their score. Additionally, Recorded Future incorporates proprietary research from its own industry-leading Insikt Group.

Recorded Future’s risk score is designed to quantify the threat environment in which the organization operates. Security rating services may focus on rating the organization’s compliance with industry standards for defensive cybersecurity practice and IT hygiene, as opposed to environmental risk factors (such as external threats). In addition to this fundamental difference, other services provide curated, periodic reports, whereas Recorded Future provides real-time data and alerts with full transparency into sources and information.

How is the risk score calculated? Where does the data come from?

Third-Party Risk scoring aggregates information from Recorded Future’s industry-leading data set, which includes sources from the open, deep, and dark web, along with technical and proprietary sources. Recorded Future relies exclusively on external data and does not engage in active scanning of organizations.

Recorded Future’s Third-Party Risk scores are based on dozens of different risk rule factors that prioritize data based on timeliness and severity. These rules are based on the following categories: Breach or Incident Reporting, Malicious Activity Associated with IP Addresses, Leaked Credentials, Dark Web References, Domain Abuse (such as typosquatting campaigns), and Threat Research. More information can be found here.

What is the Third-Party Risk module used for?

Third-Party Risk is for companies with threat intelligence teams concerned with third-party risk. Recorded Future’s Third-Party Risk offering provides cyber risk scores and the comprehensive data behind them as a fully integrated part of its universal threat intelligence solution.

The Recorded Future Third-Party Risk module is designed for threat intelligence teams that are concerned with threats resulting from partners, vendors, customers, and contractors with which they do business.

Recorded Future’s Third-Party Risk module enables organizations to improve their risk management by understanding environmental risk factors (external threats) affecting their partners and suppliers. Risk management professionals use risk scores to efficiently screen and monitor third parties, and collaborate with intelligence professionals to investigate specific risks as needed with transparency to the underlying evidence.

This module is not intended to serve as a one-stop compliance litmus test or to provide a final authoritative “credit score.” Rather, Third-Party Risk is intended to arm customers with the externally available cyber risk insights from Recorded Future’s threat intelligence solution so that they can have informed conversations with current and potential business partners.