TL;DR
Third-party security ratings only grade what's publicly visible (website, DNS, TLS, reputation). They miss the internal, air-gapped and OT systems that often matter most.
That doesn't make scan data useless. Weak email security, expired certs or missing headers are real signals of baseline security hygiene. So I built a TPRM security scanner inside 6clicks, using the Third Party module and Custom Workflow Builder, drawing only on free public data sources.
It passively grades each vendor across email security, TLS, web hardening and reputation (A to F), rolls up a weighted overall grade, and writes results back to the register. Runs automatically (daily for new vendors, weekly for the whole register) and is fully configurable with no extra licensing.
Bottom line: treat scan data as one input to vendor risk, integrated with your assessments and audits. Not a standalone verdict.
Security ratings. Everyone's favourite silver bullet, right?
I'll be upfront. I've been sceptical of third-party security scanning for a long time. Not because the technology doesn't work. It does exactly what it says. My problem is what the results actually represent. These tools grade an organisation on what's visible from the outside: the public website, DNS records, TLS configuration, appearances on reputation lists. That's a narrow window, and it often says very little about how an organisation secures the systems that actually matter.
As a GRC provider, we work with organisations across government, critical infrastructure, defence industry and financial services. Many of the systems they care most about are not connected to the internet at all. Operational technology. Air-gapped networks. Internal platforms. A rail operator's signalling network doesn't have a public website. A scanner can hand a vendor an A while their most critical environment goes completely unexamined, or a D because the marketing site is missing a security header. Treating that score as a proxy for vendor risk is lazy, and when it drives real decisions it becomes misleading assurance.
But outside-in scanning does tell you something. An organisation that can't get SPF and DMARC right, runs an expired certificate, or ships a public website with no security headers is showing you its baseline technical security hygiene. If the basics anyone can see haven't been attended to, it's fair to wonder about the parts you can't see. It's like walking past an office with the front door propped open. Maybe the vault inside is solid. But you'd want to ask.
So my position has settled into something practical. Public scanning results are a legitimate input to third-party risk management. One consideration among many. The problem was never the data. The problem was vendors selling that data as if it were the answer.
So I built one, inside 6clicks
If scan data is a useful input, it belongs where the rest of your vendor assurance already lives. Alongside your assessments, issues and review workflows. Not in a separate portal with a separate invoice.
That was the thinking behind a recent build: a TPRM security scanner constructed entirely with what's already available in 6clicks, using the Third Party module and the Custom Workflow Builder, and drawing only on free public data sources.
For every third party in your register with a primary domain recorded, the scanner passively checks a set of public sources:
- Email security: SPF, DMARC and mail server records, evidencing resistance to spoofing and phishing
- TLS: certificate and protocol configuration of the public web host
- Web hardening: security-header hygiene on the public website
- Reputation: known malware and phishing listings
Each category is graded A to F, rolled up into a weighted overall grade, and written straight back to custom fields on the third-party record. The register gains sortable, filterable columns: security grade, score and trend. The trend matters more than the grade. A point-in-time score is far less interesting than the direction of travel, so the scanner tracks whether each vendor has improved, held steady or declined since the last scan.
Every check is passive. DNS lookups, requests to the vendor's public website, and lookups against public reputation data. No probing, no intrusion, nothing a vendor could reasonably object to.
How it runs
It works in conjunction with the 6clicks Third Party module and the 6clicks Custom Workflow Builder. New vendors with a primary domain are picked up and scanned daily, and the whole register is updated weekly, so every vendor carries fresh grades and an up-to-date trend. Set the domain on a vendor record and it's onboarded into scanning automatically. Nothing else to configure.
In practice, the register is where you feel it. Sort by security grade to prioritise vendor reviews. Filter for declining trends to run a "what got worse this week" review. Open the scan evidence on any record and you get the full per-check audit trail behind the grade. No black-box scores.
And this is the part I like most. 6clicks can roll out the base capability for you, but because it's built for you in your own tenancy, it's highly configurable and extensible. Adjust the scoring weights. Add or remove checks. Change the cadence. Raise issues or send notifications when a grade declines. It's your workflow to shape.
What this is, and what it isn't
I want to be precise here, because the ratings industry often isn't. This is a security hygiene snapshot, not a security rating. It's outside-in and point-in-time. It says nothing about a vendor's internal controls, their operational environments, or the systems that aren't internet-facing. For many of the organisations we work with, those are precisely the systems that matter most.
Which is exactly why it belongs inside your TPRM programme rather than separately. A hygiene snapshot is one signal, weighed alongside your other assurance activities: questionnaire-based assessments against frameworks like ISO 27001 or SOC 2, review of independent audit reports and certifications, contractual security obligations, and the criticality of the services the vendor actually provides. Use the grade to sharpen your questions. A declining trend is a great prompt for a targeted reassessment. Don't use it to answer them.
Scan data as an input, integrated with everything else you know about a vendor, earns its place. Scan data as a standalone verdict never convinced me. It still doesn't.
Try it
The scanner runs on free public data sources and the capabilities included with 6clicks. No additional licensing. No third-party ratings subscription. If you'd like to see it running against a live third-party register, or explore deploying it in your own 6clicks environment, get in touch with our team or book a demo.
And if you're already a 6clicks customer with ideas for other assurance signals worth automating, good. That's the point. The workflow builder is yours too.