Security Experts:

Connect with us

Hi, what are you looking for?



UpGuard Automates Vendor Risk Management

Cyber resilience company UpGuard announced on Tuesday the launch of a new product designed to help organizations automate risk assessment for third-party vendors.

Cyber resilience company UpGuard announced on Tuesday the launch of a new product designed to help organizations automate risk assessment for third-party vendors.

The new CyberRisk product scans each third-party vendor’s assets for cybersecurity weaknesses and assigns them a risk score based on UpGuard’s Cybersecurity Threat Assessment Rating (CSTAR) system.

UpGuard, formerly known as ScriptRock, has raised nearly $27 million since 2012, including $17 million in a Series B funding round last year. Several major data breaches discovered by the company in the past months showed the risks posed by third-party vendors.


The list of incidents includes a Republican Party contractor exposing the details of 198 million American voters, recruiting firm TalentPen exposing information on job applicants at security firm TigerSwan, a call center services provider exposing the details of Verizon customers, and Booz Allen Hamilton exposing U.S. military files. In all cases, data was leaked online due to unprotected Amazon Web Services (AWS) S3 buckets.

UpGuard’s CyberRisk solution aims to help organizations prevent such incidents byproviding detailed information on their third-party vendors’ security posture. UpGuard’s Cloudscanner analyzes billions of web properties every day in search of risk factors that could lead to data breaches.

The targeted vendor is then assigned a CSTAR risk score ranging between 0 and 950. This score takes into account several factors, including an organization’s size, infrastructure, asset configurations, exposure, industry trends, and device vulnerabilities.

Since the security firm’s automated scans cannot detect all potential weaknesses, CyberRisk provides integrated questionnaires that organizations can send to their vendors. The customer simply has to select which categories they want the questionnaire to cover and enter the targeted vendor’s email address. Once the vendor completes the questionnaire, the results of the assessment are stored in the respective company’s risk profile.

“Just as companies do background checks on prospective employee hires, it only makes sense that they conduct similar assessments of any third-party business partners before granting them access to their corporate data,” said Mike Baukes, co-founder and co-CEO of UpGuard.

“Unfortunately, many organizations still lack the processes and tools to conduct a comprehensive audit of internal and external factors affecting vendor risk. This is evidenced by the sheer number breaches occurring on a daily basis. This is an epidemic. Our CyberRisk product not only integrates both critical aspects, but we take it several steps further by providing our customers with clear remediation guidance to become truly cyber resilient,” Baukes added.

Related: Third-Party Cyber Risks a Rising Threat, Research Shows

Related: Thousands of Third-Party Library Flaws Put Pacemakers at Risk

Related: CyberGRX Partners With BitSight to Address Supply Chain Risks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.