For years, security teams have leaned on CVSS to size the severity of a vulnerability. It answers “how bad” a finding is. But what if you could also add exposure context to answer “how close is it to what matters, and how far could a compromise really spread?”
Two vulnerabilities can share the same CVSS score yet carry very different expected impact. The difference lies in what surrounds the vulnerable asset: which systems it touches, how closely it integrates with business workflows, and how quickly compromise could cascade.
Looking at the existing discovery and security rating tools in the market, we decided to take a different approach when building the ThingsRecon deep discovery engine. We created Digital Proximity™ (Patent Pending), a measurable view of how closely an internet-exposed asset is connected to sensitive systems, data, identities, and suppliers. In essence, it bridges technical security data to expected impact.
What is Digital Proximity™?
Digital Proximity™ (Patent Pending) is a security metric that measures how close an internet-exposed asset sits to sensitive systems, data, identities, or suppliers. It complements severity scores that focus on technical impact by adding context and mapping the blast radius of a potential compromise.
In cybersecurity:
- Severity ≈ CVSS impact + inherent risk
- Frequency ≈ probability of exploitation
- Exposure → where most models are thin
Exposure matters because if a vulnerability rated as medium by CVSS sits on a public-facing asset that’s tightly integrated with a high-value business system, it’s critical to you.
By quantifying this “closeness factor,” Digital Proximity™ translates raw security findings into a risk signal that risk and security leaders can use directly. It makes it possible to go beyond point-in-time technical assessments and instead see how compromise could propagate across a business, or across an entire supplier ecosystem.
How Digital Proximity™ Enhances Risk Models
Traditional models often treat vulnerabilities as isolated defects, disconnected from the larger digital environment. This can lead to misleading prioritization, where two risks look identical in severity and likelihood, but behave very differently once exploited.
Digital Proximity™ shifts the focus from single-point weaknesses to the relationships and blast radius that determine real-world impact. When you look through the lens of proximity graphs, patterns emerge: shared CDNs, common identity providers, the same tag managers appearing on thousands of checkout pages.
Those shared dependencies create correlation that vendor risk assessments and manual questionnaires rarely capture. Because connections change daily, external telemetry (DNS/TLS shifts, new third-party scripts, certificate reuse, API scope changes) can update proximity without waiting for annual renewals.
By embedding connectivity and dependency context into risk management programs, Digital Proximity™ enables:
- Sharper prioritization: Differentiating between vulnerabilities that pose local risk and those that expose core systems or high-value suppliers.
- Business-aligned insights: Showing how a technical flaw could translate into operational disruption, financial loss, or supply-chain impact.
- Portfolio-scale risk views: Allowing enterprises to see correlated exposures and accumulation across multiple assets, teams, or organizations.
- Evidence-based decisions: Creating a defensible, auditable link between technical findings and actuarial outcomes.
This makes cyber risk models more predictive, fairer, and more actionable, with a remediation backlog prioritized not only by exploit likelihood but also by business adjacency. Ultimately, this improves resilience and overall compliance posture.
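The sketch below is an added illustration, not ThingsRecon's methodology, which this article does not disclose. It models connectivity as a directed graph and shows how two findings with the same CVSS score separate once hop distance to sensitive systems is considered. The graph, asset names, and tie-break ordering are all constructed assumptions.

```python
from collections import deque

# Constructed sample graph: a directed edge means "integrates with / can reach".
# All asset names are hypothetical.
EDGES = {
    "promo-site": ["cdn"],
    "checkout-page": ["tag-manager", "payments-api"],
    "payments-api": ["customer-db", "idp"],
    "idp": ["hr-system"],
}
SENSITIVE = {"customer-db", "idp", "hr-system"}

def hops_from(start, edges):
    """Breadth-first search: hop count from start to every reachable node."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def proximity(asset, edges=EDGES, sensitive=SENSITIVE):
    """Return (hops to nearest sensitive node or None, sensitive nodes reachable)."""
    dist = hops_from(asset, edges)
    reached = [d for n, d in dist.items() if n in sensitive and n != asset]
    return (min(reached) if reached else None, len(reached))

def prioritize(findings):
    """Assumed ordering: CVSS first, then closer and wider-reaching assets first."""
    def key(finding):
        nearest, radius = proximity(finding["asset"])
        far = float("inf") if nearest is None else nearest
        return (-finding["cvss"], far, -radius)
    return sorted(findings, key=key)

# Constructed findings with identical CVSS scores on different assets.
FINDINGS = [
    {"id": "F-1", "asset": "promo-site", "cvss": 5.3},
    {"id": "F-2", "asset": "checkout-page", "cvss": 5.3},
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f["id"], f["asset"], f["cvss"], proximity(f["asset"]))
```
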
Closing Thoughts
Digital Proximity™ doesn’t just ask “is it vulnerable?” It asks, “if compromise happens here, how far and how fast can it spread?”
Together with severity and likelihood measures, this signal forms a stronger bridge from technical indicators to economic outcomes — helping CISOs and security leaders make more accurate, defensible decisions.
And the best part? We now have a patent pending on this innovation. It’s a new dimension for risk modeling, and I couldn’t be more excited to finally share it. In coming articles, I’ll be sharing more details about the methodology and use cases for proximity data. Stay tuned!