Diligence

Managing the "Diligence" Rating: Proving Security Hygiene with ThreatNG

In the ecosystem of third-party risk management (TPRM), the Diligence category (often labeled "Security Diligence," "Patching Cadence," or "Network Hygiene" by rating agencies) acts as the baseline indicator of your organization's operational maturity. While other categories measure active threats, Diligence measures your preventative habits.

At ThreatNG, we understand that a low Diligence score signals a "broken windows" problem to auditors and insurers: neglecting small items such as certificate renewals and patching suggests that larger issues are being missed as well. However, generic scanning often penalizes organizations for deliberate architecture choices or misattributes third-party assets to your score. This guide explains how to use the ThreatNG ecosystem to take control of your Diligence narrative.

Understanding the Diligence Rating

To improve your score, you must understand what is being graded. Diligence is not about finding zero-day exploits; it is about observing adherence to security best practices and protocols via external scanning.

Rating agencies typically derive this score from three pillars:

  1. Patching Cadence: How quickly you update software after a CVE is published. Scanners usually infer this from version strings in banners such as Server: Apache/2.4.6, not from the patches actually installed.

  2. Network Configuration: Open ports, exposed database services, and remote access services reachable from the internet (Telnet, or RDP with no VPN or gateway in front of it).

  3. Encryption & Authentication: The validity of TLS certificates (not expired, issued by a trusted CA, matching the hostname), the TLS configuration (no obsolete protocol versions or weak cipher suites), and the presence and strictness of email authentication records (SPF, DKIM, DMARC).

The Challenge: Automated scanners lack nuance. They may flag a honeypot as an open-port risk, or penalize you for an "outdated" server version when the distribution vendor has backported the security fixes without changing the version string in the banner. Without context, a secure environment can look negligent.
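To make the three pillars and the backport caveat concrete, here is an added example (not ThreatNG code, and not any rating agency's actual algorithm) that reproduces the inference a hygiene scanner draws from a Server: banner, a certificate notAfter date, and a DMARC record, and attaches the context a defender needs to dispute it. The baseline versions, distribution tokens, reference date and sample inputs are constructed for illustration.

```python
"""Offline simulation of how a hygiene scanner turns external observations into
Diligence findings, and where that inference goes wrong.

Added example: not ThreatNG code and not a rating agency's real algorithm.
All baselines and sample inputs are constructed."""
import re
from datetime import datetime, timezone

# Constructed reference time so the example is deterministic and runs offline.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

# Constructed "fixed-in" baseline: product -> lowest version a naive scanner
# would accept as patched. Illustrative values, not a real CVE lookup.
FIXED_IN = {
    "Apache": (2, 4, 58),
    "nginx": (1, 25, 3),
}

# Distribution tokens that signal vendor backports: the banner version is
# frozen while the distro ships security fixes (RHEL 7 httpd reports 2.4.6).
BACKPORT_TOKENS = ("CentOS", "Red Hat", "Debian", "Ubuntu")

_BANNER = re.compile(r"^(?P<product>[A-Za-z-]+)/(?P<version>\d+(?:\.\d+)*)(?P<rest>.*)$")


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def assess_server_header(header: str) -> dict:
    """Reproduce the scanner's inference from a Server: banner and attach the
    context needed to refute it."""
    match = _BANNER.match(header.strip())
    if not match:
        # No parsable version: the banner is minimised or obfuscated, so no
        # cadence can be inferred from it at all.
        return {"verdict": "unknown", "reason": "no version in banner"}
    product, shown = match.group("product"), match.group("version")
    rest = match.group("rest")
    baseline = FIXED_IN.get(product)
    if baseline is None:
        return {"verdict": "unknown", "reason": f"no baseline for {product}"}
    outdated = parse_version(shown) < baseline
    backported = any(token in rest for token in BACKPORT_TOKENS)
    if outdated and backported:
        # Technically accurate finding, probably wrong in substance.
        return {"verdict": "outdated", "likely_false_positive": True,
                "reason": f"{product} {shown} is below baseline but carries a "
                          f"distro tag; fixes are likely backported"}
    if outdated:
        return {"verdict": "outdated", "likely_false_positive": False,
                "reason": f"{product} {shown} is below baseline"}
    return {"verdict": "current", "likely_false_positive": False,
            "reason": f"{product} {shown} meets baseline"}


def assess_certificate(not_after: str, now: datetime = NOW, warn_days: int = 30) -> dict:
    """not_after is the 'notAfter=...' line printed by
    `openssl x509 -noout -enddate`, e.g. 'notAfter=Jan 15 12:00:00 2025 GMT'."""
    raw = not_after.split("=", 1)[-1].strip()
    expiry = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    remaining = (expiry - now).days
    if remaining < 0:
        state = "expired"
    elif remaining <= warn_days:
        state = "expiring"
    else:
        state = "valid"
    return {"state": state, "days_remaining": remaining, "not_after": expiry.isoformat()}


def assess_dmarc(txt_record: str) -> dict:
    """Grade a DMARC TXT record the way a hygiene scanner does: p=none is
    monitoring only, and pct below 100 weakens an otherwise strict policy."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"state": "missing", "policy": None, "pct": None}
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        state = "strong"
    elif policy in ("reject", "quarantine"):
        state = "partial"
    else:
        state = "weak"
    return {"state": state, "policy": policy, "pct": pct}


if __name__ == "__main__":
    for banner in ("Apache/2.4.6 (CentOS)", "Apache/2.4.6", "nginx/1.25.4", "Apache"):
        print(banner, "->", assess_server_header(banner))
    print(assess_certificate("notAfter=Jan 15 12:00:00 2025 GMT"))
    print(assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

The Server header path shows why the page's "Apache/2.4.6" example is ambiguous: the same version string is an unpatched build on one host and a fully patched distribution package on another, and the only way to tell them apart is evidence the scanner does not have (package changelogs, which is what you attach to the dispute).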

The ThreatNG Strategy: Opportunity, Refutation, and Defense

Managing your Diligence rating isn't just about applying patches; it's about proactively managing your digital footprint. ThreatNG empowers you to move from a reactive "whack-a-mole" approach to a strategic governance program.

1. Proactive Opportunity Finding (Beating the Algorithm)

The most effective way to manage a Diligence rating is to identify hygiene failures before an external auditor flags them. Rating agencies scan periodically; ThreatNG scans continuously. By combining Investigation Modules, Intelligence Repositories, Dynamic Entity Management, and our predictive ThreatNG Security Ratings, you can identify lapses in hygiene before they impact your external score.

  • The Strategy: You begin by populating Dynamic Entity Management with specific People (e.g., Cloud Administrators), Places (e.g., remote data centers), and Brands (e.g., "Legacy Product Line"). As soon as these entities are defined, ThreatNG continuously hunts for exposures related to them.

  • The Example: Imagine a legacy product line (tracked as a "Brand" entity) has a support portal running on an old CMS, and the team forgot to renew its TLS certificate. Because the Brand entity is monitored continuously, the lapse surfaces in ThreatNG before the rating agency's next periodic scan records it as an expired certificate.

  • A World of Possibilities: This is just one example of what ThreatNG can surface. You could also use Sensitive Code Exposure to find developers committing API keys to public repositories (a diligence failure that would also spike your Data Leak Susceptibility rating), use Cloud and SaaS Exposure to find misconfigured storage buckets before they are flagged as "Data Leaks," or use Sentiment and Financials to catch vendor-related news that indicates a supply chain diligence risk (impacting your Supply Chain & Third Party Risk Exposure rating).

2. Challenging Inaccuracies (The Refutation Strategy)

A significant portion of Diligence penalties stems from asset misattribution. You may be penalized for the poor hygiene of a third-party vendor simply because one of your subdomains is a CNAME pointing at that vendor's infrastructure. To dispute this, you need evidence gathered by Investigation Modules and backed by Policy Management.

  • The Strategy: When a rating agency penalizes you for an asset you don't control, you need to prove it. ThreatNG lets you use Dynamic Entity Management to automatically classify assets based on their DNS signatures.

  • The Example: A rating agency penalizes your Diligence score for an "Expired SSL Certificate" or "Open Port 80" on a specific subdomain.

    • The Evidence: You use Domain Intelligence to show that the subdomain is a CNAME record whose chain terminates in a third-party vendor's domain (e.g., a hosted helpdesk portal), and Archive Web Pages to show that the site's content is vendor-branded. Follow the chain to its end before disputing: a CNAME whose target no longer resolves is a dangling record under your control, not a vendor issue.

    • The Classification: You then use Dynamic Entity Management to auto-classify this asset as "Vendor Managed."

    • The Report: You generate a report using Granular Risk Scoring showing that, while the agency rates this hygiene failure as "Critical" in your score, your internal policy classifies it as "Third-Party Risk." You support this by showing that your internal Brand Damage Susceptibility rating remains strong ('A') because the asset is isolated from your core brand infrastructure, which gives you the evidence needed to dispute the finding and move it to the Vendor Risk category.

  • A World of Possibilities: This is only one of many possibilities. You might also use ThreatNG to prove that a "Vulnerable Website" is actually a parked domain (using Search Engine Exploitation to show no indexed content), refute a "Patching Cadence" failure by showing that the server header is intentionally obfuscated and does not reflect the installed version, or disprove a "Bad Reputation" claim by showing that the IP address belongs to a dynamic cloud range you released months ago.
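The CNAME-based attribution used in the refutation example above, as an added example that is not ThreatNG's Domain Intelligence or Dynamic Entity Management code. The zone data, vendor domains and findings are constructed; a real implementation would query a resolver instead of reading the ZONE dictionary. It also handles the case a dispute must not miss: a CNAME whose target no longer resolves is a dangling record under your control (and a takeover candidate), not a vendor problem.

```python
"""Offline CNAME-chain attribution for triaging misattributed hygiene findings.

Added example; not ThreatNG code. Zone answers, vendor list and findings are
constructed. Replace ZONE lookups with real resolver queries in practice."""

# Constructed DNS answers: owner name -> (rrtype, rdata).
ZONE = {
    "www.example.com": ("A", "203.0.113.10"),
    "support.example.com": ("CNAME", "acme.helpdesk-vendor.example"),
    "acme.helpdesk-vendor.example": ("CNAME", "edge.helpdesk-vendor.example"),
    "edge.helpdesk-vendor.example": ("A", "198.51.100.7"),
    # Target was deprovisioned at the vendor; the CNAME was never removed.
    "old.example.com": ("CNAME", "retired-bucket.storage-vendor.example"),
    # Misconfigured pair of CNAMEs pointing at each other.
    "a.example.com": ("CNAME", "b.example.com"),
    "b.example.com": ("CNAME", "a.example.com"),
}

OWNED_DOMAINS = ("example.com",)
# Constructed vendor domains -> the "Vendor Managed" label to apply.
VENDOR_DOMAINS = {
    "helpdesk-vendor.example": "Helpdesk SaaS",
    "storage-vendor.example": "Object storage provider",
}

# How each classification maps onto the risk category used in the dispute.
CATEGORY = {
    "vendor_managed": "Third-Party Risk",
    "owned": "Diligence",
    "dangling": "Diligence (dangling CNAME, takeover risk)",
    "broken": "Diligence (broken DNS)",
}


def in_domain(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def resolve_chain(name: str, max_hops: int = 8):
    """Follow CNAMEs to the terminal name. Returns (chain, status) where status
    is 'resolved', 'nxdomain' (last name has no record) or 'loop'."""
    chain, seen = [name], {name}
    while True:
        record = ZONE.get(chain[-1])
        if record is None:
            return chain, "nxdomain"
        rrtype, rdata = record
        if rrtype != "CNAME":
            return chain, "resolved"
        if rdata in seen or len(chain) >= max_hops:
            return chain + [rdata], "loop"
        seen.add(rdata)
        chain.append(rdata)


def classify_asset(name: str) -> dict:
    """Decide who is accountable for a hostname based on where its chain ends."""
    chain, status = resolve_chain(name)
    terminal = chain[-1]
    vendor = next((label for dom, label in VENDOR_DOMAINS.items()
                   if in_domain(terminal, dom)), None)
    if status == "loop":
        classification = "broken"
    elif status == "nxdomain" and len(chain) > 1:
        # Checked before the vendor match on purpose: a dangling CNAME into a
        # vendor namespace is still your record and your exposure.
        classification = "dangling"
    elif status == "nxdomain":
        classification = "no_record"
    elif vendor is not None:
        classification = "vendor_managed"
    elif any(in_domain(terminal, dom) for dom in OWNED_DOMAINS):
        classification = "owned"
    else:
        classification = "unknown"
    return {"asset": name, "chain": chain, "classification": classification,
            "vendor": vendor}


def triage_finding(asset: str, finding: str) -> dict:
    """Attach the scanner's finding to the attribution so the report shows
    which bucket the finding belongs in."""
    result = classify_asset(asset)
    result["finding"] = finding
    result["category"] = CATEGORY.get(result["classification"], "Needs review")
    return result


if __name__ == "__main__":
    for asset, finding in (("support.example.com", "Expired SSL Certificate"),
                           ("www.example.com", "Open Port 80"),
                           ("old.example.com", "Vulnerable Website"),
                           ("a.example.com", "Open Port 80")):
        print(triage_finding(asset, finding))
```

Note the ordering in classify_asset: the dangling check runs before the vendor match, so a CNAME into a vendor namespace whose target has been deprovisioned is reported as your Diligence problem rather than the vendor's. Disputing that finding would be wrong, and fixing it (deleting the record) is quick.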

3. Demonstrating Context & Control (The Bolstering Strategy)

Often, a Diligence finding is technically accurate (e.g., "Outdated Server Version"), but the risk is fully mitigated by architectural controls. A scanner sees a vulnerability; you see a design choice. Here, your goal shifts from refuting the data to bolstering the context using technical validation and Exception Management.

  • The Strategy: You use ThreatNG to prove that compensating controls exist, and then use Policy Management to prove that the risk is governed, not ignored.

  • The Example: A rating agency flags "Critical Vulnerability in Apache" because your server banner reports an old version.

    • The Evidence: You use the Technology Stack analysis and WAF Discovery modules to provide technical proof that the application sits behind an active Web Application Firewall (e.g., Cloudflare or AWS WAF) whose rules cover the known exploit path (virtual patching).

    • The Validation: You point to your ThreatNG Breach & Ransomware Susceptibility rating, which remains low because Vulnerability Intelligence (including the EPSS exploitation probability) shows the flaw is unlikely to be exploited in the wild and the WAF covers the known exploit path. Be explicit about the limit of this argument: a WAF blocks known attack patterns, it does not remove the flaw, so the exception should carry a remediation date and not only a review date.

    • The Governance: To satisfy auditors, you use Exception Management to formally document this asset as a "Managed Exception" with a defined owner and review date. This creates an audit trail that proves to stakeholders that the risk is not an oversight but a governed "Authorized Operation."

  • A World of Possibilities: This is just one example of the many possibilities available with ThreatNG. You could also use DarChain Attack Path Intelligence to prove that an "Open Port" is on an isolated network segment with no path to critical data, use Mobile App Exposure to show that an "Outdated App" listed in a store is a deprecated version you are actively removing (improving your Mobile App Exposure rating), or use Social Media intelligence to demonstrate that you are publicly addressing a known issue, proving proactive diligence rather than negligence.

The ThreatNG Ecosystem Advantage

ThreatNG provides the contextual intelligence required to turn a static checklist into a dynamic security strategy. Here is how our specific pillars support a superior Diligence rating: