
Two steps: evidence, then a deterministic rollup
Scores are produced in two stages:- Research-backed domain points are gathered from public sources for each of five trust domains by agent-based research, with the evidence cited so you can trace any figure to its source.
- A deterministic rollup in our systems sums those points, applies the integration-depth adjustment, and runs guardrail (“floor”) rules to arrive at a recommendation. Because the rollup is deterministic, the same evidence always yields the same score.
1. The aggregate score (0–100)
The aggregate is the sum of points from five domains, each capped at its own maximum:| Domain | Max points | What it covers |
|---|---|---|
| Compliance | 25 | Certifications, frameworks, and security program maturity |
| Privacy | 20 | Data handling, privacy controls, and data-subject rights |
| Breach & threat track record | 20 | Known breaches, incidents, and threat exposure |
| Operational maturity | 20 | Reliability, scale, uptime, and business continuity |
| Business & financial stability | 15 | Funding, longevity, and financial health |
| Total | 100 |
2. Integration depth
Integration depth describes how deeply the vendor sits in your environment. It doesn’t change the aggregate score, but it does feed the recommendation — deeper integration means the same public evidence warrants stricter guidance.| Integration depth | Meaning | Effect |
|---|---|---|
| Deep | Infrastructure-level access (cloud APIs, Kubernetes, IAM, network) | ×0.85 |
| Moderate | Sensitive business data, typical SaaS | ×1.0 |
| Light | Read-only or little sensitive data | ×1.10 (capped at 100) |
Integration depth is distinct from dependency tier. Tier weights your portfolio posture; integration depth sharpens a single vendor’s recommendation.
3. Recommendation and floor rules
After domain scoring, floor rules may tighten the guidance when specific signals appear — for example, a weak score in a critical domain, a serious breach-history signal, deep integration combined with a low overall posture, or an active CISA KEV match. Floor rules affect the recommendation only; they do not change the aggregate total. The recommendation summarizes the outcome after those rules and reflects the score, the integration depth, and any escalations:Approve
Posture and context support approval.
Conditional
Approvable with conditions or compensating controls.
Do Not Approve
Evidence or floor rules argue against approval.
