> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vendexlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Risk scoring

> How VendexLabs produces a vendor's aggregate score, risk tier, and recommendation.

Every vendor gets a **risk posture**: an aggregate score, a breakdown across five trust domains, an integration-depth adjustment, and a recommendation. This page explains exactly how each is produced, so you can read — and defend — the numbers.

<img src="https://mintcdn.com/vendex-labs/cF_gRQxu5ZE_JthB/images/grc-posture.png?fit=max&auto=format&n=cF_gRQxu5ZE_JthB&q=85&s=b1b63f7d62e4001f2c6df2ab8336e4c3" alt="GRC posture view showing risk tier, aggregate score, integration depth, recommendation, and trust scores by domain" width="2998" height="1650" data-path="images/grc-posture.png" />

## Two steps: evidence, then a deterministic rollup

Scores are produced in two stages:

1. **Research-backed domain points** are gathered from public sources for each of five trust domains by [agent-based research](/concepts/enrichment), with the evidence cited so you can trace any figure to its source.
2. A **deterministic rollup** in our systems sums those points, applies the integration-depth adjustment, and runs guardrail ("floor") rules to arrive at a recommendation. Because the rollup is deterministic, the same evidence always yields the same score.

The headline number on the assessment is the **aggregate** — the sum of the domain points. Higher is better: it measures *strength of posture*, not "risk level."

## 1. The aggregate score (0–100)

The aggregate is the sum of points from five domains, each capped at its own maximum:

| Domain                         | Max points | What it covers                                            |
| ------------------------------ | ---------- | --------------------------------------------------------- |
| Compliance                     | 25         | Certifications, frameworks, and security program maturity |
| Privacy                        | 20         | Data handling, privacy controls, and data-subject rights  |
| Breach & threat track record   | 20         | Known breaches, incidents, and threat exposure            |
| Operational maturity           | 20         | Reliability, scale, uptime, and business continuity       |
| Business & financial stability | 15         | Funding, longevity, and financial health                  |
| **Total**                      | **100**    |                                                           |

Each domain row on the vendor's **GRC Posture** tab shows its share of the total, along with an **evidence badge** (for example, *Strong evidence* or *Moderate evidence*). Badges describe the model's **confidence in the evidence** — they are not a separate risk score.

## 2. Integration depth

**Integration depth** describes how deeply the vendor sits in *your* environment. It doesn't change the aggregate score, but it does feed the recommendation — deeper integration means the same public evidence warrants stricter guidance.

| Integration depth | Meaning                                                            | Effect                |
| ----------------- | ------------------------------------------------------------------ | --------------------- |
| Deep              | Infrastructure-level access (cloud APIs, Kubernetes, IAM, network) | ×0.85                 |
| Moderate          | Sensitive business data, typical SaaS                              | ×1.0                  |
| Light             | Read-only or little sensitive data                                 | ×1.10 (capped at 100) |

<Note>
  Integration depth is distinct from [dependency tier](/concepts/dependency-tiers). Tier weights your **portfolio** posture; integration depth sharpens a single vendor's **recommendation**.
</Note>

## 3. Recommendation and floor rules

After domain scoring, **floor rules** may tighten the guidance when specific signals appear — for example, a weak score in a critical domain, a serious breach-history signal, deep integration combined with a low overall posture, or an active [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) match. Floor rules affect the recommendation only; they do not change the aggregate total.

The **recommendation** summarizes the outcome after those rules and reflects the score, the integration depth, and any escalations:

<CardGroup cols={3}>
  <Card title="Approve" icon="circle-check">
    Posture and context support approval.
  </Card>

  <Card title="Conditional" icon="triangle-exclamation">
    Approvable with conditions or compensating controls.
  </Card>

  <Card title="Do Not Approve" icon="circle-xmark">
    Evidence or floor rules argue against approval.
  </Card>
</CardGroup>

## Score history

VendexLabs snapshots each vendor's aggregate monthly, so the **Monthly Score Trend** on the vendor page — and the portfolio trend on your dashboard — show how posture moves over time rather than just where it stands today.

<Tip>
  The recommendation is guidance, not a verdict. The final call is yours, and you record it as an [assessment](/concepts/assessments) approval status.
</Tip>
