Skip to main content
Every vendor gets a risk posture: an aggregate score, a breakdown across five trust domains, an integration-depth adjustment, and a recommendation. This page explains exactly how each is produced, so you can read — and defend — the numbers. GRC posture view showing risk tier, aggregate score, integration depth, recommendation, and trust scores by domain

Two steps: evidence, then a deterministic rollup

Scores are produced in two stages:
  1. Research-backed domain points are gathered from public sources for each of five trust domains by agent-based research, with the evidence cited so you can trace any figure to its source.
  2. A deterministic rollup in our systems sums those points, applies the integration-depth adjustment, and runs guardrail (“floor”) rules to arrive at a recommendation. Because the rollup is deterministic, the same evidence always yields the same score.
The headline number on the assessment is the aggregate — the sum of the domain points. Higher is better: it measures strength of posture, not “risk level.”

1. The aggregate score (0–100)

The aggregate is the sum of points from five domains, each capped at its own maximum:
DomainMax pointsWhat it covers
Compliance25Certifications, frameworks, and security program maturity
Privacy20Data handling, privacy controls, and data-subject rights
Breach & threat track record20Known breaches, incidents, and threat exposure
Operational maturity20Reliability, scale, uptime, and business continuity
Business & financial stability15Funding, longevity, and financial health
Total100
Each domain row on the vendor’s GRC Posture tab shows its share of the total, along with an evidence badge (for example, Strong evidence or Moderate evidence). Badges describe the model’s confidence in the evidence — they are not a separate risk score.

2. Integration depth

Integration depth describes how deeply the vendor sits in your environment. It doesn’t change the aggregate score, but it does feed the recommendation — deeper integration means the same public evidence warrants stricter guidance.
Integration depthMeaningEffect
DeepInfrastructure-level access (cloud APIs, Kubernetes, IAM, network)×0.85
ModerateSensitive business data, typical SaaS×1.0
LightRead-only or little sensitive data×1.10 (capped at 100)
Integration depth is distinct from dependency tier. Tier weights your portfolio posture; integration depth sharpens a single vendor’s recommendation.

3. Recommendation and floor rules

After domain scoring, floor rules may tighten the guidance when specific signals appear — for example, a weak score in a critical domain, a serious breach-history signal, deep integration combined with a low overall posture, or an active CISA KEV match. Floor rules affect the recommendation only; they do not change the aggregate total. The recommendation summarizes the outcome after those rules and reflects the score, the integration depth, and any escalations:

Approve

Posture and context support approval.

Conditional

Approvable with conditions or compensating controls.

Do Not Approve

Evidence or floor rules argue against approval.

Score history

VendexLabs snapshots each vendor’s aggregate monthly, so the Monthly Score Trend on the vendor page — and the portfolio trend on your dashboard — show how posture moves over time rather than just where it stands today.
The recommendation is guidance, not a verdict. The final call is yours, and you record it as an assessment approval status.